Inspired by this comment to try to learn what I’m missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

  • @gamer@lemm.eeEnglish
    516 days ago

    My new strategy is to block EVERY port except WireGuard. This doesn’t work for things you want to host publicly ofc, like a website, but for most self host stuff I don’t see anything better than that.

    • irmadladEnglish
      215 days ago

      My new strategy is to block EVERY port

      Wow! All 65535 +/-, in and out? That’s one way to skin a cat.

      • @gamer@lemm.eeEnglish
        315 days ago

        ez pz:

        #!/usr/sbin/nft -f
table inet filter {
    chain input {
        type filter hook input priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain forward {
        type filter hook forward priority raw; policy accept;
        iif "lo" accept
        ct state established,related accept
        iif "enp1s0" udp dport 51820 accept
        iif "enp1s0" drop
    }

    chain output {
        type filter hook output priority raw; policy accept;
    }
}
        • irmadladEnglish
          115 days ago

          I’ve seen it done as such:

          sudo ufw deny out 1:19/tcp sudo ufw deny out 1:19/udp sudo ufw deny out 22:52/tcp sudo ufw deny out 22:52/udp sudo ufw deny out 54:79/tcp sudo ufw deny out 54:79/udp sudo ufw deny out 81:122/tcp sudo ufw deny out 81:122/udp sudo ufw deny out 124:442/tcp sudo ufw deny out 124:442/udp sudo ufw deny out 444:65535/tcp sudo ufw deny out 444:65535/udp

          But your way seems a bit more elegant