this post was submitted on 10 Feb 2024
16 points (86.4% liked)

Selfhosted

40296 readers
185 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: Given there's a more sensible ufw rule set what is it, I have looked online I couldn't find any answers? Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or " allow 192.168.0.0/16" would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.

you are viewing a single comment's thread
view the rest of the comments
[–] TCB13@lemmy.world 2 points 9 months ago* (last edited 9 months ago) (1 children)

Did you care to understand why at least? @farcaller@fstab.sh @Fedegenerate@lemmynsfw.com the reason you were getting more ads was simple. If the ISP router was running DHCP and IPv6 then te the devices connected to the network got their IP addresses from the ISP router and it would also provide ISP DNS servers (or router IP) completely bypassing your pi-hole.

[–] Fedegenerate@lemmynsfw.com 1 points 9 months ago (1 children)

Ah, I knew it was bypassing the pi-hole, I thought it was IPv6. I think I made the mistake of changing more than one thing at once, what I did worked and I moved on to the next functionality I was chasing. I'll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

[–] TCB13@lemmy.world 2 points 9 months ago* (last edited 9 months ago)

I’ll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

It's both the IPv4 and IPv6 DHCP... You IPS router has to run DHCP (or similar) for both IP versions.

Both of them will provide your machines with ISP DNS servers / gateway and the machines will bypass your pi-hole. Since most operating systems will prefer to use IPv6 over IPv4 if you enable IPv6 you'll most likely get ANY ad from any company that runs on IPv6 (most likely everyone).

When it comes to IPv6 it's game over to the pi-hole if your ISP router doesn't allow you to set custom IPv6 DNS servers (and set it to your pi-hole IPv6 address).

Anyways, as long as you don't go into the router ISP and tell it to "forward port X to port Y on pi-hole" you don't even need a firewall running on pi-hole, as nothing from the public internet will be able to reach it.

If you're using a VPN on the Pi then you may run a firewall but restrict only to the VPN interface and set it do drop all incoming traffic on that interface unless related to some outgoing connection.