Custom Firewall

Submitted ⁨⁨6⁩ ⁨months⁩ ago⁩ by ⁨Zenlix@lemmy.ml⁩ to ⁨selfhosted@lemmy.world⁩

I am searching for a firewall for my self hosted services. It should be conpatible with docker, podman and native running services. I should block clients with to many fauled authentication attempts. It should also support blocklists and be as easy to configure as possible (and foss ofc). I took a short look at fail2ban, but the docs are just lacking so much information that I was looking for. CrowdSec lookes not foss enough for me. Any recommendations?

source

Comments

Sort:hotnew top

vegetaaaaaaa@lemmy.world ⁨5⁩ ⁨months⁩ ago
I use firewalld as generic firewall and fail2ban as IPS/anti-bruteforce soltion (blocks IPs using firewalld’s ipsets)

source
melfie@lemy.lol ⁨5⁩ ⁨months⁩ ago
I use k3s with Calico so I can have k8s network policies for each service I’m running.

source
Aspen10310@lemmy.ca ⁨6⁩ ⁨months⁩ ago
Maybe Pivpn ? Yes, you’ll need a small raspberry Pi, but then you can have it run wireguard to access all your home server gear. And then you have the added feature of putting Pinhole on there as well. Works for me here.

source
- N0x0n@lemmy.ml ⁨6⁩ ⁨months⁩ ago
  I still need to find a “$35 Raspberry Pi” 🤣
  
  source
anamethatisnt@sopuli.xyz ⁨6⁩ ⁨months⁩ ago
Your services would first of all need some sort of integration to report failed authentication attempts to your firewall or you wouldn’t have anything to act on to start the block. Sounds complicated.

If I were you I would ponder if it wouldn’t be easier to just setup a headscale/wireguard/openvpn server and connect to your other services through that.

My favourite home firewall right now would be opnsense

source
- Zenlix@lemmy.ml ⁨6⁩ ⁨months⁩ ago
  I fuess I can get that info from most services vy parsing their logs.
  
  When using a vpn server, only I could access the services right?
  
  I will look into opnsense.
  
  source
  - anamethatisnt@sopuli.xyz ⁨6⁩ ⁨months⁩ ago
    
    Isnt opnsense only for bsd? I am running linux.
    opnsense is bsd based yes, you can either run it on it’s own hardware in front of your server or you can run it as a virtual machine and passthrough your hosts network ports to it for WAN/LAN.
    
    source
  - anamethatisnt@sopuli.xyz ⁨6⁩ ⁨months⁩ ago
    
    When using a vpn server, only I could access the services right?
    
    You can easily setup vpn users for friends/family but a random person on the internet won’t reach your services if you block access from WAN and forces everyone to go through the vpn server.
    
    source
non_burglar@lemmy.world ⁨6⁩ ⁨months⁩ ago
Not exactly sure what you’re looking for here; neither fail2ban nor crowdsec are firewalls by their strict definitions.

Are you looking for an IDS/IPS or other security measures? If so, what are you trying to secure?

source
- Zenlix@lemmy.ml ⁨6⁩ ⁨months⁩ ago
  Inam trying to secure aelf hosted webservices against attackers. I noticed some attack attempts in my caddy logs.
  
  source
  - non_burglar@lemmy.world ⁨6⁩ ⁨months⁩ ago
    Well, it wouldn’t hurt anything to install fail2ban and enable the popular templates, but it sounds like you might need to explain your service layout and how it’s exposed to the web before anyone can suggest a security measure.
    
    Generally in the self-hosted space there are two common approaches: set up a VPN into your network for your trusted devices, or set up a reverse-proxy with a trusted tunneling proxy like cloudflare.
    
    That you are seeing “attack attempts” in your caddy logs should be elaborated as well. What exactly are you seeing?
    
    source