Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
I don't know; what's more, I don't know how to check. Whichever is most likely?
ISP plastic box didn't allow custom DNS, I disabled DHCP and IPv6. On pihole I enabled DHCP with IPv6 disabled.
I know, I know enough to be dangerous now, and I'm trying to get the system through my dangerous phase. I don't think I know enough to ask intelligent questions yet...
So you've set a static IP in your Pi? Something like 192.168.1.x? Second question: whenever you want to expose some service to the internet, you have to go into your ISP router and set up a port forward, am I right?
Both Pis have static IPs.
I asked the *arrs to talk to each other, and when they didn't work (and only when they didn't work) I "ufw allow"ed the relevant port.
I just want to patch up my firewall layer as best I can, and then start building security layers on top/below it as I learn how.
So I told Sonarr that qBit is at 192.168...:port. The test failed, "ufw allow port", then the test passed. Could I instead have told Sonarr qBit is at 172.18...:port (Docker's network address) and then closed up the firewall? Or can I set them all to "ufw limit"? Or set the firewall to only allow local traffic... You get the idea, I know enough to be dangerous but not enough to ask the right questions.
Basically, what they are getting at is:
Have you allowed internet access TO arr?
A default config ISP router will take the public IP address and drop all incoming connections. It will then NAT internal IP addresses to the public IP addresses.
So when you go to Google, Google responds to the established connection coming from the router's public IP address. Your router then knows to forward that response to the local client that started the connection.
If Google just randomly decided to connect to your public IP address, your router is configured to drop that traffic.
If you set up port forwarding on your router, you are telling it "if you get a new connection on port 443, forward it to this local client". This is exposing that client to the internet and allowing strangers to connect to it. If Google then tried to connect to your public ip:443, it would get the response from that local client.
If you set up a "dmz" client, the router will forward ALL unknown incoming connections to that client. There is no need to do this. The only exception is for research or as a honeypot/tarpit.
All other traffic will be on the local network, and won't even touch the router's firewall. A connection from 192.168.0.12 to 192.168.0.200 will go through layer 2 (i.e., switches) instead of layer 3 (i.e., routing) of the network OSI layers.
So, if you trust your internal home network and you have not exposed anything to the internet (port forwarding on the router, or set up a DMZ client) then you don't really need internal firewalls: the chance of a malicious device being able to even connect to an arr service is vanishingly small - like, your arr service will be the least of your concerns.
When you expose arr to the internet (I wouldn't do it directly, use a VPN or similar as a secure hole through your home firewall) THEN you need to address internal firewalls.
If you feel you do need them, then go about it for learning purposes and take your time. Do things, break things, learn things, fix things.
In an ideal scenario, security would be in many layers, connections would all be TLS with client certificate trust, etc etc.
But for a server on your home network serving only local clients.... Why bother worrying about it until you want to learn it properly!
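The router behaviour described in the comment above, modelled as an added example that is not part of the original thread: a toy Python router that decides what happens to a packet arriving on the public IP (established reply, port forward, DMZ, or drop). `HomeRouter`, its methods, and every address and port are constructed for illustration and do not describe any particular router.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HomeRouter:
    """Hypothetical model of a NAT router's inbound decision order."""
    port_forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None
    nat_table: dict = field(default_factory=dict)      # (public_port, remote_ip, remote_port) -> LAN client
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN client opens a connection; the router records the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.nat_table[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Decide the fate of a packet arriving on the public IP."""
        key = (public_port, remote_ip, remote_port)
        if key in self.nat_table:                 # reply to an established connection
            return ("established", self.nat_table[key])
        if public_port in self.port_forwards:     # explicit port forward: host is exposed
            return ("port-forward", self.port_forwards[public_port])
        if self.dmz_host:                         # DMZ: all unknown traffic lands here
            return ("dmz", (self.dmz_host, public_port))
        return ("drop", None)                     # default: unsolicited traffic is dropped


def demo():
    """Walk through the four cases with constructed addresses and ports."""
    router, stranger, results = HomeRouter(), "198.51.100.7", {}
    # 1. Default config: a stranger connects to the public IP on port 8989.
    results["unsolicited"] = router.inbound(stranger, 50000, 8989)
    # 2. A LAN client connects out to port 443; the reply matches the NAT entry.
    port = router.outbound("192.168.1.20", 51000, stranger, 443)
    results["reply"] = router.inbound(stranger, 443, port)
    # 3. After a port forward, the same unsolicited connection reaches a LAN host.
    router.port_forwards[8989] = ("192.168.1.50", 8989)
    results["forwarded"] = router.inbound(stranger, 50000, 8989)
    # 4. With a DMZ host set, any other unknown port is delivered to it as well.
    router.dmz_host = "192.168.1.50"
    results["dmz"] = router.inbound(stranger, 50000, 22)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12} -> {outcome}")
```

LAN-to-LAN traffic never calls `inbound()` in this model, which mirrors the comment's point that it does not touch the router's firewall.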
I was starting to get annoyed by so much "*arrs" and dancing around the subject that I lost the motivation to type. Thank you for taking the time to type an answer similar to mine. :).
@[email protected] go read this.