this post was submitted on 10 Feb 2024
16 points (86.4% liked)

Selfhosted

60071 readers
496 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
16
Uncomplicated firewall rule set for a *arr stack. (lemmynsfw.com)
submitted 2 years ago by Fedegenerate@lemmynsfw.com to c/selfhosted@lemmy.world
25 comments fedilink hide all child comments
 

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: Given there's a more sensible ufw rule set what is it, I have looked online I couldn't find any answers? Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or " allow 192.168.0.0/16" would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.

you are viewing a single comment's thread
view the rest of the comments
[–] Fedegenerate@lemmynsfw.com 1 points 2 years ago (2 children)

Just trying to keep outside/malicious actors from entering my stuff while also bring able to use my stuff. More safer is more better, but I'm trying to balance that against my poor technical ability.

My priority list is free>easy>usable>safe. Using UFW seemed to fit, but you're right, punching holes in it defeats the purpose Which is why I wanted to only allow local network and have only the necessary ports open. You have given me lots of terms to Google as a jumping off point so thank you.

[–] AtariDump@lemmy.world 8 points 2 years ago* (last edited 2 years ago)

VPN back into your network. Only open the VPN port on your router. Use certificates based VPN.

[–] Kushan@lemmy.world 3 points 2 years ago (1 children)

The guy above you gives great advice. Set up SWAG, then the only ports you're exposing are 443.

Once you have that set up, look at adding something like authelia. This will give you 2FA on top of those apps meaning even if someone guesses the password and the URL to access them, they still won't be able to.

[–] dan@upvote.au 1 points 2 years ago (1 children)

adding something like authelia.

I used to use Authelia, but Authentik is nicer since it's mostly configured through a web UI. It also supports SAML for services that don't support OpenID Connect. It also has a proxy mode like Authelia, but that's not recommended if the service has proper SSO support. There's just a bit of an initial learning curve.

[–] Kushan@lemmy.world 1 points 2 years ago

Yeah honestly either solution is a solid one