Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Disclaimer, I'm not a network professional im only learning. But you dont need ufw since your router firewall should be able to filter majority of the traffic. But in security there is a concept of layers. You want your router firewall then your device firewall to provide multiple layers incase something slips through one layer.
So to give a simple answer, it depends how secure you want your network to be. Personally I think UFW is easy so you may as well set it up. 5sec of config might stop a hacker traversing your network hoping from device to device.
.
Sounds like you could use a reverse proxy.
If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
This. It's unnecessary but it's another layer.
Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.
I've heard this analogy before but I don't really care for it myself.
It creates a mental image but isn't really analogous.
In the case of a firewall on a server behind a NAT, ports forwarded through the NAT are holes through the first several slices.
If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that's only really meaningful, if it's not a software firewall on that same server...)