Comment on Uncomplicated firewall rule set for a *arr stack.
Fedegenerate@lemmynsfw.com 11 months ago
ISP modem. I have a pi3 running pihole-dhcp-unbound, ufw and log2ram.
My system is a pi4 running *arrs, qBit, fail2ban, portainer in docker and ufw for now. Use case is: via mobile phone access *arrs, let them do their things and manually play files via hdmi or more files via thumbdrive. I was thinking giving up the phone access to put them on their own network, but subnets are beyond my ken for now.
Hoping to increment my security, and then the system as my skills develop.
ISP modem.
Is it running as bridge? Do you get a public IP on your Pi or is it a NAT?
I don’t know; what’s more, I don’t know how to check. Whichever is most likely?
ISP plastic box didn’t allow custom DNS, I disabled DHCP and IPv6. On pihole I enabled DHCP with IPv6 disabled.
I know, I know enough to be dangerous now, and I’m trying to get the system through my dangerous phase. I don’t think I know enough to ask intelligent questions yet…
I disabled DHCP and IPv6
Why, though?
When it was active I was getting ads. I disabled it, the pi-hole registered an increase in traffic, and there were no more ads. I don’t know why. It’s working as it is and I’ll tinker when I know more.
I know, I know enough to be dangerous now, and I’m trying to get the system through my dangerous phase. I don’t think I know enough to ask intelligent questions yet…
That’s fine - we all start somewhere.
I went looking to see if there were any “intro to networking for homegamers” sites but didn’t come up with much… Maybe I’ll put something together some day as this is a frequently misunderstood topic.
You “typically” have something like this: Internet -> Your “ISP plastic box” (which acts as a router, firewall and gateway (actual terms)) -> Things on your network.
In this scenario you have two separate networks - the Internet (things on the left of the firewall) and your internal network (things on the right).
Your internal things get to the internet by asking the gateway to fetch them for it. This is called “Network Address Translation” (NAT). Your internal network uses “non-globally-routable IP addresses”. They look like “192.168.0.0”, “10.0.0.0”, and “172.16.0.0”. These are sometimes called RFC1918 addresses.
The router has a “public” facing internet connection which gets an IP from your ISP. And it has a “private” facing connection that gets a private IP address (something like 192.168.0.1 is common). If you run ip route you’ll see something like this:
$ ip route
default via 192.168.0.1 dev wlp0s20f3 proto dhcp metric 600
This tells your computer to send all traffic that is not on the local private network to the gateway (at 192.168.0.1) to fetch for you.
Things on the internet side of your router can’t access things on the private network directly by default. So if you haven’t gone out of your way to make that happen then I have good news - you’re probably fine. What you’re installing with UFW is a “host-based firewall”. It only blocks and restricts access to ports running on that server. But the router also has a firewall which blocks everything from your network.
If you do want to access services in your private network from the internet side then you do something called “port forwarding”. This means that when systems on the internet connect to your router on, for example, port 80 the router will “forward” the request to an internal system on that port (or a different one depending on how you configure it). But only that port gets forwarded. The router then acts as a go-between to make the communication happen.
Once you start exposing services to the internet you open up a larger can of risk that you’ll want to understand.
In short - if you’re not doing anything fancy then you probably don’t really need host-based firewalling on systems in your private network. It wouldn’t hurt - and I do it as well - but it’s not a big deal if you don’t.
You have cleared up a lot of misconceptions for me, I have not been port forwarding, I have not learned how yet. I think I’m good. I don’t mind breaking functional stuff, and have a lot already, but I really don’t want to explain to my fiancée that the reason someone is in her bank is because I wanted to watch Samurai Jack.
I have been keeping it as insular as possible for this reason, and the next thing I intend to learn is to make it more insular by putting the pi on a subnet of its own. Actually, thank you for writing that up. I have been actively resisting using people for IT support, as I know it takes time. I have been trying to find everything I can; there isn’t much, or what there is assumes knowledge I don’t have.
So you’ve set a static IP in your Pi? Something like 192.168.1.x? Second question, whenever you want to expose some service to the internet you’ve to go into your ISP and setup a port forward am I right?
Both pi’s have static IPs.
I asked the *arrs to talk to each other, and when they didn’t work (and only when they didn’t work) I "ufw allow"ed the relevant port.
I just want to patch up my firewall layer as best I can, and then start building security layers on top/below it as I learn how.
rambos@lemm.ee 11 months ago
I’m a bit confused tbh. Have you even forwarded any ports on your ISP router?
You are safe if you haven’t. You can use all arrs at home safely and stick with gluetun to hide your traffic from ISP. It’s good to have firewall, but only people on your home network can access your server. You have opened only ports that you need in UFW and that’s perfect.
In case you want to access your services when not at home, you have to deal with security and feels like most comments are about this. If this is what you are looking for then I would suggest setting up wireguard VPN or look into tailscale (or alternatives). Both options are safe enough IMO, much safer than exposing ports 80 and 443.
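The "ufw allow"ed-port approach the OP describes and the "only the ports you need" advice above can be tightened one step further by scoping each allow rule to the LAN, so a rule never admits traffic from "any" source even if a port forward is added later; the script below is an added example, not the OP's ruleset. It assumes a 192.168.0.0/24 LAN and the apps' documented default ports (sonarr 8989, radarr 7878, prowlarr 9696, qBittorrent web UI 8080); note that ports published by Docker with -p are inserted into Docker's own iptables chains and bypass UFW's INPUT rules, so in a compose file bind them to the Pi's LAN address or 127.0.0.1 rather than relying on UFW alone.

```shell
#!/bin/sh
# Added example (not from the thread): generate a LAN-only UFW rule set for
# an *arr stack and check that no allow rule is open to arbitrary sources.
# Assumed LAN range; find yours with `ip -4 addr show` on the Pi.
LAN_CIDR="${LAN_CIDR:-192.168.0.0/24}"

# name:port pairs, constructed from the apps' default ports.
ARR_SERVICES="sonarr:8989 radarr:7878 prowlarr:9696 qbittorrent:8080"

# Print the ufw commands instead of running them, so the output can be
# reviewed (or piped to sh) before it touches a live firewall.
# Usage: arr_ufw_rules <lan-cidr> name:port [name:port ...]
arr_ufw_rules() {
    lan=$1; shift
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # keep SSH reachable from the LAN only
    echo "ufw allow from $lan to any port 22 proto tcp comment 'ssh from LAN'"
    for svc in "$@"; do
        name=${svc%%:*}
        port=${svc##*:}
        echo "ufw allow from $lan to any port $port proto tcp comment '$name from LAN'"
    done
    # enable last, after the allow rules exist, so SSH is not cut off
    echo "ufw --force enable"
}

# Count allow rules NOT restricted to the LAN. 0 means nothing is open to
# any source; a broad "ufw allow 8989" would show up here.
# Usage: count_unscoped_allows "<rules text>" <lan-cidr>
count_unscoped_allows() {
    printf '%s\n' "$1" | awk -v lan="$2" \
        '/^ufw allow/ && index($0, "from " lan) == 0 { n++ } END { print n + 0 }'
}

if [ "${1:-}" = "--print" ]; then
    rules=$(arr_ufw_rules "$LAN_CIDR" $ARR_SERVICES)
    printf '%s\n' "$rules"
    echo "# allow rules not scoped to $LAN_CIDR: $(count_unscoped_allows "$rules" "$LAN_CIDR")"
fi
```

`sh arr-ufw.sh --print` shows the commands; run them with `sudo sh -c "$(sh arr-ufw.sh --print)"` only after checking the unscoped count is 0.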
Fedegenerate@lemmynsfw.com 11 months ago
That’s a relief. Thank you.