skankhunt42 (@skankhunt42@lemmy.ca)

I open port 8080 where e.g. Nginx Proxy Manager listens. This is the only port through which anyone can gain access to anything inside my home network, and the proxy manager will say “Hey, this traffic should be redirected to port 8096 and this traffic should go to 4533”, but no direct connections to these ports can be made from outside my own network as they are not exposed.

Draw it out. Anything in the path has the potential to be exploited.

Internet -> ISP router -> TCP port 8080 to Nginx Proxy Manager -> TCP 443 to Computer running docker -> Docker Container -> Service.

So, in the above, the entire world will have access to only your IP on port 8080. Nginx Proxy Manager will take the packet, read it, do what it needs to and forward it to the destination. I’d say that Nginx Proxy Manager and the end service are at risk of being exploited. If they get in, then they’d be isolated by Docker and they’d need a Docker exploit to get out. However, they’ll be in the Docker container, so they’ll have access to whatever that container has access to, and unless you block outbound access from the container it’s basically everything in your network.

I think what you’re getting at is: if I have Nginx listening on port 443 and it is open to the world, can they access my game server on port 1234 that is local only? The answer to this is no. They will not have access to the game server. They need to first hack Nginx; from the PC/Docker container they then need to have access to your game server on port 1234, and if there’s nothing blocking them (by default I believe there is nothing stopping this) then they can hack your game server.

No, it is wifi.myisp.tld.

If you ping wifi.myisp.tld, what is the IP address? Is it private? What if you go to ip.add.re.ss? It should be the same thing.

If I’m connected to a VPN or through mobile, it will give me an error. With my previous ISP, it was a simple login with username and password with SMS 2FA. I never attempted to log in from elsewhere then, so it might’ve been likewise protected.

It sounds like it’s private and only you have access. However, ISPs usually have their own way to get into these devices, or at least to push updates or config changes. So your only risk here is the ISP being hacked, then getting you from there. Or the actual device itself having a flaw in it and someone getting in that way. In either case, all the ISP customers will be at risk. You can still go into bridge mode to protect from this.

Yeah, they support bridge mode. So is this essentially enabling free flow of traffic through and completely trusting the secondary router I provide myself?

Yes. Bridge mode means the ISP router is now only for translation (i.e. from coaxial/DSL/fibre to RJ45/Cat cable). You plug the ISP device into the WAN port of your own device, and now your device has the public IP address and that is what you’re trusting to protect you.

And if someone then disabled bridge mode in the online interface (again assuming that this would be possible), I am not exposed as long as I have my own router following the provider’s router?

Yeah, as long as the ISP router is plugged into the WAN port of your router and ONLY the WAN port, then you’re safe from the ISP shenanigans.

What happens if I have a port open that nothing is listening to?

The firewall/router will forward that packet to the IP and port. If there is no device on that IP, the packet will be dropped inside your network and nothing will happen. If there is a computer there and the computer’s firewall is blocking access to that port, the PC firewall will either drop it or reply saying it’s closed. This depends on how the PC firewall is configured. If the PC has the port open but there is no service, the PC should just drop the packet, but it will still make it to the computer.

Is that a security concern? For example, the ports to my torrent clients when I am not using the torrent client.

Yes and no. Something could start listening on that port and start replying. You’ll have no idea if a service is listening on it unless you’re looking, or it’s too late.

Ignoring the fact that something COULD start listening on it, then no, there’s no real concern, but I’d never do this myself. It’s like giving out a bad phone number as your number: it’s possible someone will be given this phone number and now you’ll have problems.
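The point made here, that a forwarded port only becomes dangerous once something unexpectedly starts listening on it, is something you can check for routinely. The script below is an added example, not part of the thread: it parses `ss -ltn` style output and reports listeners bound to a wildcard address (reachable from other hosts) whose port is not in an assumed allowlist, which is how you would spot a torrent client or anything else that has quietly started listening behind a forward. The sample `ss` output and the `EXPECTED_PORTS` allowlist are constructed for the example.

```shell
# Constructed sample of `ss -ltn` output: the intended reverse-proxy
# listener on 443, an internal-only service bound to loopback, and a
# torrent client that has started listening on a forwarded port that
# was supposed to be idle.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096   [::]:443           [::]:*
LISTEN 0      128    127.0.0.1:8096     0.0.0.0:*
LISTEN 0      128    0.0.0.0:51413      0.0.0.0:*'

# Ports you deliberately forward from the router (assumed allowlist).
EXPECTED_PORTS="443"

# Reads ss output on stdin; prints each port bound to a wildcard address
# (0.0.0.0, [::] or *) that is not in the allowlist, once per port.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "State" { next }                   # skip the header line
    {
        addr = $4                            # Local Address:Port column
        port = addr; sub(/.*:/, "", port)    # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)
        wild = (host == "0.0.0.0" || host == "[::]" || host == "*")
        if (wild && !(port in ok) && !seen[port]++) print port
    }'
}

# Audit the constructed sample; returns the offending port(s) on stdout.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$EXPECTED_PORTS"
}

# Audit the live host (Linux with iproute2); non-zero exit if anything
# outside the allowlist is reachable, so it can run from cron and alert.
audit_live() {
    found=$(ss -ltn | unexpected_listeners "$EXPECTED_PORTS")
    if [ -n "$found" ]; then
        echo "unexpected externally reachable listeners: $found" >&2
        return 1
    fi
    echo "only expected ports are listening on all interfaces"
}

audit_sample
```

Run `audit_live` from a cron job on the Docker host (or on whichever machine the forward points at) and you get an alert the moment a new listener appears behind a forwarded port, rather than finding out once it is too late.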

As I mentioned above, I am considering a reverse proxy, which to my understanding also limits the number of open ports to 1. How does that compare security-wise in your opinion?

That’s fine, just keep everything in the path up to date. I have port 443 open pointing to Nginx; from here I forward traffic to Home Assistant, Nextcloud, Headscale, etc. They’re hosted in Docker.

I have scripts that try to update everything every hour and I’m not really worried. I’d rather an update to a new version take down my services than trust myself to log in every couple of days and do it manually.
