Comment on Uncomplicated firewall rule set for a *arr stack.
dan@upvote.au 4 months ago
What’s your actual end goal? What are you trying to protect against? Do you only want certain systems on your network to be able to access your apps? There’s not really much of a point of a firewall if you’re just going to open up the ports to the whole network.
If you want it to be more secure then I’d close all the ports except for 443, stick a reverse proxy in front of it (like Nginx Caddy, Traefik, etc), and use Authentik for authentication, with two-factor authentication enabled. Get a TLS certificate using Let’s Encrypt and a DNS challenge. You have to use a real domain name for your server, but the server does not have to be publicly accessible - Let’s Encrypt works for local servers too.
The LinuxServer project has a Docker image called “SWAG” that has Nginx with a bunch of reverse proxy configs for a bunch of common apps. Might be a decent way to go.
Fedegenerate@lemmynsfw.com 4 months ago
Just trying to keep outside/malicious actors from entering my stuff while also bring able to use my stuff. More safer is more better, but I’m trying to balance that against my poor technical ability.
My priority list is free>easy>usable>safe. Using UFW seemed to fit, but you’re right, punching holes in it defeats the purpose Which is why I wanted to only allow local network and have only the necessary ports open. You have given me lots of terms to Google as a jumping off point so thank you.
AtariDump@lemmy.world 4 months ago
VPN back into your network. Only open the VPN port.
Kushan@lemmy.world 4 months ago
The guy above you gives great advice. Set up SWAG, then the only ports you’re exposing are 443.
Once you have that set up, look at adding something like authelia. This will give you 2FA on top of those apps meaning even if someone guesses the password and the URL to access them, they still won’t be able to.
dan@upvote.au 4 months ago
I used to use Authelia, but Authentik is nicer since it’s mostly configured through a web UI. It also supports SAML for services that don’t support OpenID Connect. It also has a proxy mode like Authelia, but that’s not recommended if the service has proper SSO support. There’s just a bit of an initial learning curve.
Kushan@lemmy.world 4 months ago
Yeah honestly either solution is a solid one