this post was submitted on 24 Mar 2025
102 points (95.5% liked)

Selfhosted

46304 readers
639 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
102
Do I really need a firewall for my server? (sopuli.xyz)
submitted 1 month ago by theselfhoster@sopuli.xyz to c/selfhosted@lemmy.world
62 comments fedilink hide all child comments
 

I've been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I've been meaning to get UFW on it but I've been too lazy to do so. Is it a necessary thing that I need to have or it's a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I'd say my server's pretty secure but not the furthest I could take it. Opinions please?

you are viewing a single comment's thread
view the rest of the comments
[–] non_burglar@lemmy.world 7 points 1 month ago (10 children)

Op means, as they said, a firewall on the server itself.

NAT is, effectively, a firewall.

No it isn't. Stop giving advice on edge security.

[–] ShellMonkey@lemmy.socdojo.com 0 points 1 month ago (4 children)

Assuming it's not a 1-1 NAT it does make for a functional unidirectional firewall. Now, a pure router in the sense of simply offering a gateway to another subnet doesn't do much, but the typical home router as most people think of it is creating a snat for multiple devices to reach out to the internet and without port forwarding effectively blocks off traffic from the outside in.

[–] non_burglar@lemmy.world 5 points 1 month ago (3 children)

Assuming it's not a 1-1 NAT it does make for a functional unidirectional firewall.

That's like saying a router and firewall are the same thing. NAT appears to be a "firewall" because it's usually deployed with one. NAT itself has no filtering functions the way you're describing.

Now, a pure router in the sense of simply offering a gateway to another subnet

A "pure" router, as you put it, understands upstream subnets and routing tables. NAT does not, and is usually overlayed on top of an existing routing function.

You can set up NAT between two subnets as an experiment with no iptables and it will do its job.

[–] ShellMonkey@lemmy.socdojo.com -1 points 1 month ago

NAT in the sense used when people talk about at home is a source nat, or as we like to call it in the office space a hide address, everyone going to the adjacent net appears to be the same source IP and the system maintains a table of connections to correlate return traffic to.

The other direction though, if you where on that upstream net and tried to target traffic towards the SNAT address above the router has no idea where to send it to unless there's a map to designate where incoming connections need to be sent on the other side of the NAT so it ends up being dropped. I suppose in theory it could try and send it to everyone in the local side net, but if you get multiple responses everything is going to get hosed up.

So from the perspective of session state initiation it can act as a firewall since without route maps it only will work from one side.

load more comments (2 replies)
load more comments (2 replies)
load more comments (7 replies)