this post was submitted on 10 Feb 2024
16 points (86.4% liked)

Selfhosted

40347 readers
330 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: Given there's a more sensible ufw rule set what is it, I have looked online I couldn't find any answers? Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or " allow 192.168.0.0/16" would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.

you are viewing a single comment's thread
view the rest of the comments
[–] Fedegenerate@lemmynsfw.com 1 points 9 months ago* (last edited 9 months ago) (16 children)

ISP modem. I have a pi3 running pihole-dhcp-unbound, ufw and log2ram.

My system is a pi4 running *arrs, qBit, fail2ban, portainer in docker and ufw for now. Use case is: via mobile phone access *arrs, let them do their things and manually play files via hdmi or move files via thumbdrive. I was thinking giving up the phone access to put them on their own network, but subnets are beyond my ken for now.

Hoping to increment my security, and then the system as my skills develop.

Edit, qBit and prowlarr are behind gluetun set up for mullvard. I'm in the UK so had to put the indexer behind a VPN. UFW

[–] TCB13@lemmy.world 2 points 9 months ago (13 children)

ISP modem.

Is it running as bridge? Do you get a public IP on your Pi or is it a NAT?

[–] Fedegenerate@lemmynsfw.com 1 points 9 months ago (12 children)

I don't know, what's more I don't know how to check.Which ever most likely?

ISP plastic box didn't allow custom DNS, I disabled DHCP and IPv6. On pihole I enabled DHCP with IPv6 disabled.

I know, I know enough to be dangerous now, and I'm trying to get the system through my dangerous phase. I don't think I know enough to ask intelligent questions yet...

[–] farcaller@fstab.sh 2 points 9 months ago (1 children)

I disabled DHCP and IPv6

Why, though?

[–] Fedegenerate@lemmynsfw.com 1 points 9 months ago (1 children)

When it was active I was getting ads. I disabled the pi-hole registered an increase in traffic and there were no more ads. I don't know why. It's working as it is and I'll tinker when I know more.

[–] TCB13@lemmy.world 2 points 9 months ago* (last edited 9 months ago) (1 children)

Did you care to understand why at least? @farcaller@fstab.sh @Fedegenerate@lemmynsfw.com the reason you were getting more ads was simple. If the ISP router was running DHCP and IPv6 then te the devices connected to the network got their IP addresses from the ISP router and it would also provide ISP DNS servers (or router IP) completely bypassing your pi-hole.

[–] Fedegenerate@lemmynsfw.com 1 points 9 months ago (1 children)

Ah, I knew it was bypassing the pi-hole, I thought it was IPv6. I think I made the mistake of changing more than one thing at once, what I did worked and I moved on to the next functionality I was chasing. I'll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

[–] TCB13@lemmy.world 2 points 9 months ago* (last edited 9 months ago)

I’ll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

It's both the IPv4 and IPv6 DHCP... You IPS router has to run DHCP (or similar) for both IP versions.

Both of them will provide your machines with ISP DNS servers / gateway and the machines will bypass your pi-hole. Since most operating systems will prefer to use IPv6 over IPv4 if you enable IPv6 you'll most likely get ANY ad from any company that runs on IPv6 (most likely everyone).

When it comes to IPv6 it's game over to the pi-hole if your ISP router doesn't allow you to set custom IPv6 DNS servers (and set it to your pi-hole IPv6 address).

Anyways, as long as you don't go into the router ISP and tell it to "forward port X to port Y on pi-hole" you don't even need a firewall running on pi-hole, as nothing from the public internet will be able to reach it.

If you're using a VPN on the Pi then you may run a firewall but restrict only to the VPN interface and set it do drop all incoming traffic on that interface unless related to some outgoing connection.

load more comments (10 replies)
load more comments (10 replies)
load more comments (12 replies)