Selfhosted

40183 readers

530 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Uncomplicated firewall rule set for a *arr stack. (lemmynsfw.com)

submitted 9 months ago by [email protected] to c/[email protected]

25 comments fedilink hide all child comments

I set up an *arr stack and made it work, and now I'm trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I'm in mind to fix my firewall rules and my question is this: Given there's a more sensible ufw rule set what is it, I have looked online I couldn't find any answers? Either "limit 8080", "limit 9696", "limit ..." etc. or "open". Or " allow 192.168.0.0/16" would I have to allow my docker's subnet as well?

To head off any "why didn't you ?" it's because I'm dumb. Cheers in advance.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 9 months ago (12 children)

I don't know, what's more I don't know how to check.Which ever most likely?

ISP plastic box didn't allow custom DNS, I disabled DHCP and IPv6. On pihole I enabled DHCP with IPv6 disabled.

I know, I know enough to be dangerous now, and I'm trying to get the system through my dangerous phase. I don't think I know enough to ask intelligent questions yet...

[–] [email protected] 2 points 9 months ago (4 children)

So you've set a static IP in your Pi? Something like 192.168.1.x? Second question, whenever you want to expose some service to the internet you've to go into your ISP and setup a port forward am I right?

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (3 children)

Both pi's have static IPs.

I asked the *arrs to talk to each other, and when they didn't work (and only when they didnt work) I "ufw allow"ed the relevant port.

I just want to patch up my firewall layer as best I can, and then start building security layers on top/below it as I learn how.

So I told Sonarr that qBit it at 192.168...:port. The test failed, "ufw allow port", then the test passed. Could I instead have told Sonarr qBit is at 172.18...:port(dockers network address) and then close up the firewall. Or can I set them all to "ufw limit". Or set the firewall to only allow local local traffic... You get the idea, I know enough to be dangerous but not enough to ask the right questions.

[–] [email protected] 2 points 9 months ago

Oh, just saw this:

Could I instead have told Sonarr qBit is at 172.18...:port(dockers network address)

TL:dr;
No, the host has no idea what happens inside a docker network.
The exception is if the containers are on the same host and joined to the SAME docker network (docker compose does this automatically)

It seems like your home network is on 192.168.something. Youve omitted any details to describe what subnet it is within an entire 182.168.0.0/16 block that is dedicated to local network addresses (rfc1918) but that doesnt matter. And docker uses a different dedicated block of 172.16.0.0/12.
Regardless!

Your host has an ip of 192.168.1.4. A client on 192.168.1.5 knows exactly how to communicate to 192.168.1.4 (provided they are in the same subnet... Which is likely on a standard home DHCP served network. Im glossing over this).
Googles DNS server is 8.8.8.8. Which is outside of your home networks subnet (192.168.1.0/24 in CIDR notation). So client 192.168.1.5 has no idea how to contact 8.8.8.8. So it sends the connection to its default gateway (likely 192.168.1.1) as it is an unknown route. Your router then sends it to the internet appropriately (doing NAT as described elsewhere).

What Im saying is that clients within the 192.168.1.0/24 network know how to talk to eachother. If they dont know how to talk to an IP, they send to the gateway.

Now, docker uses its own internal network: 172.16.0.0/12. To a client on 192.168.1.5/24, an ip inside 172.16.0.0/12 is as strange as 8.8.8.8/32. It has no idea where to send it, so it goes to the default gateway. Which isnt helpful if that network is actually INSIDE the host at 192.168.1.4/24.

What am i getting at? Docker runs its own NAT.
It takes the host's ip address. When you expose a containers port, you are telling docker to bind a host port and forward it to the specific port of the specific container.
So outside of the host, the network has no idea what 172.16.0.0/12 means, but it does know what 192.168.1.4/24 means.
Inside the docker network, a container has no idea what 192.168.0.0/16 means, but does know 172.16.0.0/12 means. Equally, a docker container will send packets to its default gateway inside that 172.16.0.0/12... Which will then respond aporopriately to the 192.168.1.0/24 client.
Which means a dcoker containers host firewall is going to have no idea whats happening inside a docker network. All it knows is that docker wants to recieve information on port 443, and that the local network is 192.168.1.0/24. ... Ish, there are other configurations

load more comments (2 replies)

load more comments (9 replies)