Selfhosted

60071 readers

701 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

Uncomplicated firewall rule set for a *arr stack. (lemmynsfw.com)

submitted 2 years ago by Fedegenerate@lemmynsfw.com to c/selfhosted@lemmy.world

25 comments fedilink hide all child comments

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: Given there's a more sensible ufw rule set what is it, I have looked online I couldn't find any answers? Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or " allow 192.168.0.0/16" would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.

you are viewing a single comment's thread
view the rest of the comments

[–] TCB13@lemmy.world 2 points 2 years ago* (last edited 2 years ago)

I’ll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

It's both the IPv4 and IPv6 DHCP... You IPS router has to run DHCP (or similar) for both IP versions.

Both of them will provide your machines with ISP DNS servers / gateway and the machines will bypass your pi-hole. Since most operating systems will prefer to use IPv6 over IPv4 if you enable IPv6 you'll most likely get ANY ad from any company that runs on IPv6 (most likely everyone).

When it comes to IPv6 it's game over to the pi-hole if your ISP router doesn't allow you to set custom IPv6 DNS servers (and set it to your pi-hole IPv6 address).

Anyways, as long as you don't go into the router ISP and tell it to "forward port X to port Y on pi-hole" you don't even need a firewall running on pi-hole, as nothing from the public internet will be able to reach it.

If you're using a VPN on the Pi then you may run a firewall but restrict only to the VPN interface and set it do drop all incoming traffic on that interface unless related to some outgoing connection.