I set up an *arr stack and made it work, and now I’m trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I’m in mind to fix my firewall rules and my question is this: Given there’s a more sensible ufw rule set what is it, I have looked online I couldn’t find any answers? Either “limit 8080”, “limit 9696”, “limit …” etc. or “open”. Or " allow 192.168.0.0/16" would I have to allow my docker’s subnet as well?

To head off any “why didn’t you <brilliant idea>?” it’s because I’m dumb. Cheers in advance.

  • @FedegenerateOP
    link
    English
    111 months ago

    Just trying to keep outside/malicious actors from entering my stuff while also bring able to use my stuff. More safer is more better, but I’m trying to balance that against my poor technical ability.

    My priority list is free>easy>usable>safe. Using UFW seemed to fit, but you’re right, punching holes in it defeats the purpose Which is why I wanted to only allow local network and have only the necessary ports open. You have given me lots of terms to Google as a jumping off point so thank you.

    • @[email protected]
      link
      fedilink
      English
      8
      edit-2
      11 months ago

      VPN back into your network. Only open the VPN port on your router. Use certificates based VPN.

    • Kushan
      link
      fedilink
      English
      311 months ago

      The guy above you gives great advice. Set up SWAG, then the only ports you’re exposing are 443.

      Once you have that set up, look at adding something like authelia. This will give you 2FA on top of those apps meaning even if someone guesses the password and the URL to access them, they still won’t be able to.

      • @[email protected]
        link
        fedilink
        English
        111 months ago

        adding something like authelia.

        I used to use Authelia, but Authentik is nicer since it’s mostly configured through a web UI. It also supports SAML for services that don’t support OpenID Connect. It also has a proxy mode like Authelia, but that’s not recommended if the service has proper SSO support. There’s just a bit of an initial learning curve.

        • Kushan
          link
          fedilink
          English
          111 months ago

          Yeah honestly either solution is a solid one