I set up an *arr stack and made it work, and now I’m trying to make it safe - the objectivly correct order.

I installed uncomplicated firewall on the system to pretend to protect myself, and opened ports as and when I needed them.

So I’m in mind to fix my firewall rules and my question is this: Given there’s a more sensible ufw rule set what is it, I have looked online I couldn’t find any answers? Either “limit 8080”, “limit 9696”, “limit …” etc. or “open”. Or " allow 192.168.0.0/16" would I have to allow my docker’s subnet as well?

To head off any “why didn’t you <brilliant idea>?” it’s because I’m dumb. Cheers in advance.

  • Fedegenerate@lemmynsfw.comOP
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    9 months ago

    ISP modem. I have a pi3 running pihole-dhcp-unbound, ufw and log2ram.

    My system is a pi4 running *arrs, qBit, fail2ban, portainer in docker and ufw for now. Use case is: via mobile phone access *arrs, let them do their things and manually play files via hdmi or move files via thumbdrive. I was thinking giving up the phone access to put them on their own network, but subnets are beyond my ken for now.

    Hoping to increment my security, and then the system as my skills develop.

    Edit, qBit and prowlarr are behind gluetun set up for mullvard. I’m in the UK so had to put the indexer behind a VPN. UFW

    • rambos@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Im bit confused tbh. Have you even forwarded any ports on your ISP router?

      You are safe if you havent. You can use all arrs at home safely and stick with gluetun to hide your trafic from ISP. Its good to have firewall, but only people on your home network can access your server. You have opened only ports that you need in UFW and thats perfect.

      In case you want to access your services when not at home, you have to deal with security and feels like most comments are about this. If this is what you are looking for then I would suggest setting up wireguard VPN or look into tailscale (or alternatives). Both options are safe enough IMO, much safer than exposing ports 80 and 443