I set up an *arr stack and made it work, and now I’m trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I’m in mind to fix my firewall rules and my question is this: Given there’s a more sensible ufw rule set what is it, I have looked online I couldn’t find any answers? Either “limit 8080”, “limit 9696”, “limit …” etc. or “open”. Or " allow 192.168.0.0/16" would I have to allow my docker’s subnet as well?

To head off any “why didn’t you <brilliant idea>?” it’s because I’m dumb. Cheers in advance.

  • Fedegenerate@lemmynsfw.comOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    Ah, I knew it was bypassing the pi-hole, I thought it was IPv6. I think I made the mistake of changing more than one thing at once, what I did worked and I moved on to the next functionality I was chasing. I’ll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      9 months ago

      I’ll try enabling IPv6 on the pihole, I know at least if I get Ads with it on its not IPv6.

      It’s both the IPv4 and IPv6 DHCP… You IPS router has to run DHCP (or similar) for both IP versions.

      Both of them will provide your machines with ISP DNS servers / gateway and the machines will bypass your pi-hole. Since most operating systems will prefer to use IPv6 over IPv4 if you enable IPv6 you’ll most likely get ANY ad from any company that runs on IPv6 (most likely everyone).

      When it comes to IPv6 it’s game over to the pi-hole if your ISP router doesn’t allow you to set custom IPv6 DNS servers (and set it to your pi-hole IPv6 address).

      Anyways, as long as you don’t go into the router ISP and tell it to “forward port X to port Y on pi-hole” you don’t even need a firewall running on pi-hole, as nothing from the public internet will be able to reach it.

      If you’re using a VPN on the Pi then you may run a firewall but restrict only to the VPN interface and set it do drop all incoming traffic on that interface unless related to some outgoing connection.