Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
That's fine - we all start somewhere.
I went looking to see if there were any "intro to networking for homegamers" sites but didn't come up with much... Maybe I'll put something together some day as this is a frequently misunderstood topic.
You "typically" have something like this: Internet -> Your "ISP plastic box" (which acts as a router, firewall and gateway (actual terms you'll want to understand and can search on)) -> Things on your network.
In this scenario you have two separate networks - the Internet (things on the left of the firewall) and your internal network (things on the right).
Your internal things get to the internet by asking the gateway to fetch them for it. This is called "Network Address Translation" (NAT). Your internal network uses "non-globally-routable IP addresses". They look like "192.168.0.0", "10.0.0.0", and 172.16.0.0. These are sometimes called RFC1918 addresses. These addresses can't be used on the internet. They're reserved for internal private use only. There are thousands of networks using those ranges internally so they're not unique globally.
The router has a "public" facing internet connection which gets an IP from your ISP that is globally unique. And it has a "private" facing connection that gets a private IP address (something like 192.168.0.1 is common). If you run
ip route
you'll see something like this:
This tells your computer to send all traffic that is not on the local private network (or that it doesn't have a specific route for) to the gateway (at 192.168.0.1) to fetch for you.
Things on the internet side of your router can't access things on the private network directly by default. So if you haven't gone out of your way to make that happen then I have good news - you're probably fine. What you're installing with UFW is a "host-based firewall". It only blocks and restricts access to ports running on that server. But the router also has a firewall which blocks everything from your network.
If you do want to access services in your private network from the internet side then you do something called "port forwarding". This means that when systems on the internet connect to your router on, for example, port 80 the router will "forward" the request to an internal system on that port (or a different one depending on how you configure it). But only that port gets forwarded and to a specific internal host/port. The router then acts as a go-between to make the communication happen.
Once you start exposing services to the internet you open up a larger can of risk that you'll want to understand.
In short - if you're not doing anything fancy then you probably don't really need host-based firewalling on systems in your private network. It wouldn't hurt - and I do it as well - but it's not a big deal if you don't.
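The two ideas in the comment above, RFC1918 private ranges and "anything not on the local network goes to the gateway", as an added example that is not part of the original thread. The shell script below is not the commenter's code; the function names are hypothetical helpers, and the route table in SAMPLE_ROUTES is constructed to look like a typical home network (on a real host you would feed it "$(ip route)" instead).

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies IPv4 addresses as
# RFC 1918 private or public, and reads a constructed `ip route` table to show
# which destinations are delivered directly and which are handed to the gateway.
# All function names are hypothetical helpers; SAMPLE_ROUTES is constructed.

# Constructed sample of what `ip route` prints on a host behind a home router.
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0 proto dhcp metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.42 metric 100'

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with octets 0-255 and no leading zeros.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ip_to_int ADDR: print the address as an unsigned 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/BITS: 0 if ADDR lies inside the CIDR prefix, 1 if not,
# 2 if either argument is malformed.
in_prefix() {
    net=${2%/*}; bits=${2#*/}
    valid_ipv4 "$1" && valid_ipv4 "$net" || return 2
    case "$bits" in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_rfc1918 ADDR: 0 if ADDR is in 10/8, 172.16/12 or 192.168/16, nonzero otherwise.
is_rfc1918() {
    in_prefix "$1" 10.0.0.0/8 || in_prefix "$1" 172.16.0.0/12 || in_prefix "$1" 192.168.0.0/16
}

# default_gateway ROUTES: print the next hop of the "default via ..." route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# link_prefixes ROUTES: print the prefixes reachable directly on a local link,
# i.e. the destinations that are never handed to the gateway.
link_prefixes() {
    printf '%s\n' "$1" | awk '/scope link/ { print $1 }'
}

# next_hop DST ROUTES: "direct" if DST is on a link-scope prefix, otherwise the
# gateway address that fetches it, which is exactly what the default route says.
next_hop() {
    for pfx in $(link_prefixes "$2"); do
        if in_prefix "$1" "$pfx"; then echo direct; return 0; fi
    done
    default_gateway "$2"
}

# Demonstration on constructed addresses and the constructed route table.
for a in 192.168.0.42 172.31.9.9 8.8.8.8; do
    if is_rfc1918 "$a"; then
        echo "$a: private (RFC 1918), not routable on the internet"
    else
        echo "$a: public, globally routable"
    fi
done
echo "default gateway: $(default_gateway "$SAMPLE_ROUTES")"
for d in 192.168.0.77 1.1.1.1; do
    echo "$d is delivered via: $(next_hop "$d" "$SAMPLE_ROUTES")"
done
```

The prefix match is a plain bitmask comparison, so the same in_prefix helper works for any CIDR, not just the three RFC1918 ranges; next_hop only consults the link-scope routes before falling back to the default gateway, which is the behaviour the ip route output describes.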
You have cleared up a lot of misconceptions for me. I have not been port forwarding; I have not learned how yet. I think I'm good. I don't mind breaking functional stuff, and have a lot already, but I really don't want to explain to my fiancée that the reason someone is in her bank is because I wanted to watch Samurai Jack.
I have been keeping it as insular as possible for this reason, and the next thing I intend to learn is to make it more insular by putting the pi on a subnet of its own. Actually, thank you for writing that up. I have been actively resisting using people for IT support, as I know it takes time. I have been trying to find everything I can; there isn't much, or what there is assumes knowledge I don't have.
There's a comment with a list of stuff to do that I've saved. So I'll probably start knocking that out one by one.