Comment - FBXL Lotide

Comment on The first publicly open instance

Kkk2237pl@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

Yeah, but if my server is in the local network, I have potential threat that someone will access my lan through public server

Sort:hotnew top

irmadlad@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Well, you could do network segmentation:

Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have buy many consumer routers have a “guest network” that can serve this purpose.

Utilize UFW rules. Mine are:

sudo ufw default deny incoming

sudo ufw default allow outgoing

Anywhere ALLOW IN 192.168.1.0/24

22 ALLOW IN 192.168.1.0/24

22 on tailscale0 ALLOW IN Anywhere

22 (v6) on tailscale0 ALLOW IN Anywhere (v6)

Also:

sudo ufw allow out to 1.0.0.1 port 53 # DNS only

sudo ufw allow out to 1.1.1.1 port 53

sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
original