Uncomplicated firewall rule set for a *arr stack.

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨Fedegenerate@lemmynsfw.com⁩ to ⁨selfhosted@lemmy.world⁩

I set up an *arr stack and made it work, and now I’m trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I’m in mind to fix my firewall rules and my question is this: Given there’s a more sensible ufw rule set what is it, I have looked online I couldn’t find any answers? Either “limit 8080”, “limit 9696”, “limit …” etc. or “open”. Or " allow 192.168.0.0/16" would I have to allow my docker’s subnet as well?

To head off any “why didn’t you <brilliant idea>?” it’s because I’m dumb. Cheers in advance.

source

Comments

Sort:hotnew top

dan@upvote.au ⁨9⁩ ⁨months⁩ ago
What’s your actual end goal? What are you trying to protect against? Do you only want certain systems on your network to be able to access your apps? There’s not really much of a point of a firewall if you’re just going to open up the ports to the whole network.

If you want it to be more secure then I’d close all the ports except for 443, stick a reverse proxy in front of it (like Nginx Caddy, Traefik, etc), and use Authentik for authentication, with two-factor authentication enabled. Get a TLS certificate using Let’s Encrypt and a DNS challenge. You have to use a real domain name for your server, but the server does not have to be publicly accessible - Let’s Encrypt works for local servers too.

The LinuxServer project has a Docker image called “SWAG” that has Nginx with a bunch of reverse proxy configs for a bunch of common apps. Might be a decent way to go.

source
- Fedegenerate@lemmynsfw.com ⁨9⁩ ⁨months⁩ ago
  Just trying to keep outside/malicious actors from entering my stuff while also bring able to use my stuff. More safer is more better, but I’m trying to balance that against my poor technical ability.
  
  My priority list is free>easy>usable>safe. Using UFW seemed to fit, but you’re right, punching holes in it defeats the purpose Which is why I wanted to only allow local network and have only the necessary ports open. You have given me lots of terms to Google as a jumping off point so thank you.
  
  source
  - AtariDump@lemmy.world ⁨9⁩ ⁨months⁩ ago
    VPN back into your network. Only open the VPN port.
    
    source
  - Kushan@lemmy.world ⁨9⁩ ⁨months⁩ ago
    The guy above you gives great advice. Set up SWAG, then the only ports you’re exposing are 443.
    
    Once you have that set up, look at adding something like authelia. This will give you 2FA on top of those apps meaning even if someone guesses the password and the URL to access them, they still won’t be able to.
    
    source
    -> View More Comments
TCB13@lemmy.world ⁨9⁩ ⁨months⁩ ago
Is your system running behind a ISP router / selfhosted at home or a VPS at some provider?

source
- Fedegenerate@lemmynsfw.com ⁨9⁩ ⁨months⁩ ago
  ISP modem. I have a pi3 running pihole-dhcp-unbound, ufw and log2ram.
  
  My system is a pi4 running *arrs, qBit, fail2ban, portainer in docker and ufw for now. Use case is: via mobile phone access *arrs, let them do their things and manually play files via hdmi or more files via thumbdrive. I was thinking giving up the phone access to put them on their own network, but subnets are beyond my ken for now.
  
  Hoping to increment my security, and then the system as my skills develop.
  
  source
  - rambos@lemm.ee ⁨9⁩ ⁨months⁩ ago
    Im bit confused tbh. Have you even forwarded any ports on your ISP router?
    
    You are safe if you havent. You can use all arrs at home safely and stick with gluetun to hide your trafic from ISP. Its good to have firewall, but only people on your home network can access your server. You have opened only ports that you need in UFW and thats perfect.
    
    In case you want to access your services when not at home, you have to deal with security and feels like most comments are about this. If this is what you are looking for then I would suggest setting up wireguard VPN or look into tailscale (or alternatives). Both options are safe enough IMO, much safer than exposing ports 80 and 443
    
    source
    -> View More Comments
  - TCB13@lemmy.world ⁨9⁩ ⁨months⁩ ago
    
    ISP modem.
    
    Is it running as bridge? Do you get a public IP on your Pi or is it a NAT?
    
    source
    -> View More Comments

Decronym@lemmy.decronym.xyz ⁨9⁩ ⁨months⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
NAT	Network Address Translation
SSH	Secure Shell for remote terminal access
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

[Thread #501 for this sub, first seen 10th Feb 2024, 13:55] [FAQ] [Full list] [Contact] [Source code]

source