this post was submitted on 17 Oct 2025
27 points (100.0% liked)
Selfhosted
60409 readers
420 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
@SinTan1729 How many user do you have on your machine, which could open and run a service on a privileged port?
And when there is no application, which is providing a service on a privileged port, then there is no security issue from my point of view.
And if you want to get absolutely secure, then you can restrict the access only to specific ports based on firewall rules.
https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands#how-to-allow-all-incoming-http-and-https
Just a couple of friends use it. But I'd like to use this as a learning opportunity and do it the proper way. It seems that if I turn of masquerade in general, and use
firewalldfine-grained rules to enable it when I actually need it, I might be able to achieve what I want. I'll post an update to the original post if I can get it to work.@SinTan1729 Thank you, now I can better understand why you want to avoid to open the privileged ports for non-root users which makes sense for your scenario.
I'm in the easy situation, that I don't have to think about such a scenario, because my selfhosting system is exclusive for me.
I don't know the exact agreement with your friends, but to avoid security issues I personally would use following way:
- deny usage of all ports by firewall
- allow only necessary ports by firewall
- enable privileged ports by sysctl
So it reduces additional layers and complexity.
If one of your friends would provide a service on a specific port it has to be discussed with you.
And if this is a privileged port, it is also possible.
Or you can handle e.g. a web request with a rule in caddy.