this post was submitted on 24 Mar 2025
96 points (95.3% liked)

Selfhosted

45119 readers
783 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
96
Do I really need a firewall for my server? (sopuli.xyz)
submitted 5 days ago by theselfhoster@sopuli.xyz to c/selfhosted@lemmy.world
62 comments fedilink hide all child comments
 

I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?

you are viewing a single comment's thread
view the rest of the comments
[–] null_dot@lemmy.dbzer0.com 15 points 5 days ago (1 children)

This. It's unnecessary but it's another layer.

[–] elvith@feddit.org 11 points 5 days ago (1 children)

Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.

[–] null_dot@lemmy.dbzer0.com 0 points 5 days ago (1 children)

I've heard this analogy before but I don't really care for it myself.

It creates a mental image but isn't really analogous.

In the case of a firewall on a server behind a NAT, ports forwarded through the NAT are holes through the first several slices.

[–] elvith@feddit.org 2 points 5 days ago (1 children)

If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that's only really meaningful, if it's not a software firewall on that same server...)

[–] null_dot@lemmy.dbzer0.com -5 points 5 days ago

Sure mate, keep trotting out the dumb swiss cheese analogy. Fine by me.