skankhunt42

@skankhunt42@lemmy.ca

skankhunt42 ,

“Setup a firewall” - on my server or on the router? Or both?

Both. Access from the internet to your devices is protected by your router. You should only ever open ports to things you want to access outside of your house. For example, a website on TCP 443 is a good thing to allow. Database access on TCP 3306 is NOT something you want to access from the internet.

Internal to your network, you can open up the Database port on TCP 3306 if another computer in your network needs access to it. Don’t leave it open for no reason.

And since my router is provided by my ISP which has its settings exposed through their online portal (which I hate the thought of), how does that factor in?

Is it a private IP address you use to access it (i.e. 192.168.0.1) or is it some other thing? If it’s a private IP address, that’s standard and is no problem. I’ve never heard of logging into something like a public website to open ports on your router.

What use is a router firewall if someone gains access to this portal and can configure at will?

If someone has access to your Internet Provider’s firewall/router combo device thingy, then it’s game over. They can open any ports, do anything they want to it. However, this is unlikely. Make sure to keep your router up to date and only open ports that you know what they’re for 100% and what they do. NEVER allow access to the admin panel from the internet (WAN port). Though, if you need to use their public website (which I doubt) then it’s moot and you can’t do anything.

Can I set up the router in bridge mode and incorporate my own router, and thus have complete local control of my network?

Yes, if they support it. This is what I do and that’s exactly what it’s for.

Couldn’t someone simply deactivate this in the online portal if they gained access there?

Sure but this would give them access to your Provider’s firewall, which you have your own firewall plugged into so it doesn’t matter. You will still be protected by your self-provided firewall, some things will stop working (you’ll be double NATed so public services might not work) and it’ll be a clue someone changed something on your Provider’s firewall.

And if I open ports in the firewall for a specific application, what risks am I running outside of exploits in the applications themselves? For example, I have opened a port in the router settings for torrenting Linux ISOs (for a specific local IP) - could traffic through the same port be used to compromise the network in other ways? etc. etc.

Yeah, so if you open no ports, you block everything… The only exposure (of people trying to connect to you) is the firewall/router you have sitting there watching what goes on. Keeping this up to date is VERY important and they have a pretty good history of not being hacked so I’d say you’re safe. For each port you open you add a service that people from anywhere in the world can talk to. So, if you open port TCP 443 and have Nginx or a website answering requests, you now need to make sure this is as secure as possible. ANYONE ANYWHERE can talk to it. If an exploit is found in Nginx/your website then it can be used to get access into that computer. From there, they are on your computer and can see anything that computer has access to. If you have 2 ports open, i.e. website + torrenting, now you have two things you MUST keep up to date because anyone can talk to them and exploit them to get into your computer. This is why you MUST know what is open to the internet and what it’s doing. The more things you have the more options you give hackers to get in.

Suddenly I have fifteen questions. So when trying to research the answer to these questions, I often get slapped with five concepts I either barely have grasp of or don’t know at all in one sentence that tries to explain what is going on. It’s not that it is impossible to learn this way, but it tends to quickly become overwhelming, and I run into explanations of concepts I don’t have enough prerequisites to learn properly yet. Which is why I am trying to get a coherent introduction to all the topics in a sensible, curated way to beef up my understanding of it, so that the research process becomes easier.

I would do what they said. Start small and at the first point of contact. Understand what is plugged into the internet (ISP router) and all the settings on it. Understand what NAT means, understand how to open ports, etc. Then start small: set up a computer and make sure you know what ports are open. If you want a website, set it up so it works internally, test it, maybe port scan your server (with nmap or something) to see what’s open and understand what they’re for. Close the ports you don’t need open, then you can consider opening it from the internet.

The most important thing is keeping it up to date and only opening what you need access to.

A side point is, if it’s just you that needs access to it, consider a VPN (WireGuard) or overlay network (Tailscale) so you only need to open one port and that will give you access to everything you need in your network.
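As an added example in the spirit of "know what ports are open" (this is not code from the thread or from any project mentioned in it): a small Python audit script that parses /proc/net/tcp and /proc/net/tcp6 the way `ss -tln` does, decodes the kernel's hex address format, and compares the listening ports against the set you deliberately forwarded on the router. The sample /proc/net/tcp contents and the intended set {443} are constructed assumptions; on a Linux host it reads the real tables instead.

```python
import ipaddress
import os
import sys

LISTEN = "0A"  # socket state code the kernel prints for TCP_LISTEN

# Constructed sample of /proc/net/tcp for a small home server (not real data):
# 443 bound to every interface, 3306 (MySQL) on loopback only, 8080 on every
# interface, plus one established connection (state 01) that is not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:01BB 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""


def _hex_ip(h):
    """Decode the hex address column. The kernel prints each 32-bit word of the
    address in host byte order, so on x86/ARM Linux the bytes of every word
    appear reversed; 8 hex digits is IPv4 (/proc/net/tcp), 32 is IPv6 (tcp6)."""
    words = [h[i:i + 8] for i in range(0, len(h), 8)]
    big_endian = "".join(w[6:8] + w[4:6] + w[2:4] + w[0:2] for w in words)
    cls = ipaddress.IPv4Address if len(h) == 8 else ipaddress.IPv6Address
    return str(cls(int(big_endian, 16)))


def parse_listeners(proc_text):
    """Return [(ip, port), ...] for every socket in LISTEN state, in file order."""
    listeners = []
    for line in proc_text.splitlines():
        fields = line.split()
        # The header row has 'st' in the state column, so it is skipped naturally.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        listeners.append((_hex_ip(ip_hex), int(port_hex, 16)))
    return listeners


def audit(listeners, intended_public):
    """Sort listeners into: ports you meant to expose, ports reachable from the
    LAN (and therefore from a router forwarding rule) that you did not intend,
    and loopback-only ports that nothing outside this host can reach anyway."""
    report = {"expected": [], "unexpected_lan_listeners": [], "loopback_only": []}
    for ip, port in listeners:
        if ipaddress.ip_address(ip).is_loopback:
            report["loopback_only"].append(port)
        elif port in intended_public:
            report["expected"].append(port)
        else:
            report["unexpected_lan_listeners"].append(port)
    return {k: sorted(set(v)) for k, v in report.items()}


def audit_host(intended_public, paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Audit the running machine (Linux only); returns None where /proc/net is absent."""
    listeners, found = [], False
    for path in paths:
        if os.path.exists(path):
            found = True
            with open(path) as fh:
                listeners.extend(parse_listeners(fh.read()))
    return audit(listeners, intended_public) if found else None


if __name__ == "__main__":
    # Usage: python port_audit.py 443 [more intended ports]; defaults to {443}.
    intended = {int(p) for p in sys.argv[1:]} or {443}
    result = audit_host(intended) or audit(parse_listeners(SAMPLE_PROC_NET_TCP), intended)
    for category, ports in result.items():
        print(f"{category}: {ports}")
```

Anything that shows up under unexpected_lan_listeners is a service the whole LAN (and any forwarded port) can reach, so it belongs either on the keep-updated list or bound to 127.0.0.1.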

skankhunt42 ,

I open port 8080 where e.g. Nginx Proxy Manager listens. This is the only port through which anyone can gain access to anything inside my home network, and the proxy manager will say “Hey, this traffic should be redirected to port 8096 and this traffic should go to 4533”, but no direct connections to these ports can be made from outside my own network as they are not exposed.

Draw it out. Anything in the path has the potential to be exploited.

Internet -> ISP router -> TCP port 8080 to Nginx Proxy Manager -> TCP 443 to Computer running docker -> Docker Container -> Service.

So, in the above, the entire world will have access to only your IP on port 8080. Nginx Proxy Manager will take the packet, read it, do what it needs to and forward it to the destination. I’d say that Nginx Proxy Manager and the end service are at risk to be exploited. If they get in then they’d be isolated by Docker and they’d need a Docker exploit to get out. However, they’ll be in the Docker container so they’ll have access to whatever that container has access to, and unless you block outbound access from the container it’s basically everything in your network.

I think what you’re getting at is, if I have Nginx listening on port 443 and it is open to the world, can they access my game server on port 1234 that is local only. The answer to this is no. They will not have access to the game server. They need to first hack Nginx, then from the PC/Docker container they need to have access to your game server on port 1234, and if there’s nothing blocking them (by default I believe there is nothing stopping this) then they can hack your game server.

No, it is wifi.myisp.tld.

If you ping wifi.myisp.tld, what is the IP address? Is it private? What if you go to ip.add.re.ss? It should be the same thing???

If I’m connected to a VPN or through mobile, it will give me an error. With my previous ISP, it was a simple login with username and password with an SMS 2FA. I never attempted to login from elsewhere then, so it might’ve been likewise protected.

It sounds like it’s private and only you have access. However, the ISP usually has their own way to get into these devices, or at least to push updates or config changes. So your only risk here is the ISP being hacked, then getting you from there. OR the actual device itself having a flaw in it and someone getting in that way. In either case, all the ISP customers will be at risk. You can still go in bridge mode to protect from this.

Yeah, they support bridge mode. So is this essentially enabling free flow of traffic through and completely trusting the secondary router I provide myself?

Yes. Bridge mode means the ISP provider router is now only for translation (i.e. from coaxial/DSL/fibre to RJ45/cat cable). You plug the ISP device into the WAN port of your own device and now your device has the public IP address and that is what you’re trusting to protect you.

And if someone then disabled bridge mode in the online interface (again assuming that this would be possible), I am not exposed as long as I have my own router following the provider’s router?

Yeah, as long as the ISP router is plugged into the WAN port of your router and ONLY the WAN port, then you’re safe from the ISP shenanigans.

What happens if I have a port open that nothing is listening to?

The firewall/router will forward that packet to the IP and port. If there is no device on that IP the packet will be dropped inside your network and nothing will happen. If there is a computer there and the computer firewall is blocking access to that port, the PC firewall will either drop it or reply saying it’s closed. This depends on how the PC firewall is configured. If the PC has the port open but there is no service, the PC should just drop the packet but it will still make it to the computer.

Is that a security concern? For example, the ports to my torrent clients when I am not using the torrent client.

Yes and no. Something could start listening on that port and start replying. You’ll have no idea if a service is listening on it unless you’re looking or it’s too late.

Ignoring the fact that something COULD start listening on it, then no, there’s no real concern but I’d never do this myself. It’s like giving out a bad phone number as your number. It’s possible someone will be given this phone number and now you’ll have problems.

As I mentioned above, I am considering a reverse proxy, which to my understanding also limits the number of ports open to 1. How does that compare security-wise in your opinion?

That’s fine, just keep everything in the path up to date. I have port 443 open pointing to nginx, from here I forward traffic to Home Assistant, NextCloud, Headscale, etc, etc. They’re hosted in docker.

I have scripts that try to update everything every hour and I’m not really worried. I’d rather an update to a new version take down my services than trust myself to login every couple days and do it manually.

skankhunt42 ,

Thinking about the torrent thing, there’s no better way to do it. I’d personally open a static port, i.e. 12345, and point that at the torrent client on the PC. I would not randomize it and open a massive range on your firewall just in case. Then just close the client when you’re done and know that packets for 12345 will still reach your PC, they’re just dropped there.

Not that I support it, but if you’re downloading more than just Linux ISOs and you’re in a country with pretty strict laws around this sort of thing, you should be using a VPN that supports opening ports. Then you do not need anything open on your firewall, just to connect to the VPN when you’re ready to sail the high seas.

UPnP should be disabled on your firewall (unless you play Xbox or whatever). This allows a device, like an Xbox or PC, to request your firewall open a port. This is needed for some online games to work properly but is not very good for security.

skankhunt42 ,

The IP address is outside my network

I don’t like this. That’s super weird and I would not trust it. I’m sure it’s “fine” but I’d hard pass on that. Set up my own 100% for sure.

There’s a modem connected to the WAN port, and the router/hotspot is connected to the modem. But I guess that doesn’t change anything?

I don’t understand. Can I get a pic (MS Paint or real or something) or some brand names or something? I understand if you don’t want to show, I’m just not sure what you’re saying.

My ISP gave me a white box, I plug a fibre cable from the street plus power from the outlet into this box. Then I have a cat6 cable from this box (port 1 as per their instructions) into the WAN port of my firewall. My firewall has a public IP on its WAN interface and I have 4 ports for LAN. The same firewall gives off wifi to the rest of my house.

I will definitely need to setup this myself then. Do you run this as cron jobs?

Yeah, here’s one of them for a VPS I rent: 30 * * * * root dnf clean all ; dnf -y update && needs-restarting -r || /usr/sbin/reboot

I actually run things in Kubernetes and use github.com/keel-hq/keel to keep my pods (containers) up to date.

I do use a VPN (with port forwarding supported, but I have not activated it, which I know could affect performance, but I have not noticed anything here). Is the port opening on my router unnecessary in this case?

The port opening on the router is unnecessary and could be a bad thing. If you’re using a VPN with port forwarding I’d close the one on your router right now. The “open” port is open via the VPN connection so they do all the opening for you, you just need to make sure your PC is on the VPN.

Go to this site without your VPN on, it will tell you if you’re using your raw internet to download torrents: iknowwhatyoudownload.com/en/peer/

It sounds like you might be doing that, or at least have the ability for people to connect to you via your ISP (bad) and not over the VPN (good).

skankhunt42 ,

I have two small boxes in a cabinet - one is receiving a white cable that comes from outside my home, and outputs an optical signal that goes into the other box. This other box also gets a coax cable from outside my home, and outputs an ethernet connection that is connected to what my ISP calls a WiFi router. This has additional LAN ports as well.

Hmm, I’ve never seen or heard of this. I’ve only ever been provided one box by my ISP. I have two guesses… Either you can replace your WiFi router with your own and everything will be okay or you’ll have to add a 3rd that is your own and plug it into the WiFi router and ask them to put it in bridge mode. My guess is they can help you a lot better than me guessing.

Torrent client is bound to the interface created by the VPN client.

Perfect. Then you can close the open port on your router for sure. My torrent client (ruTorrent) shows what IP and port I’m using at the bottom; these are my VPN IP and the port I opened with the VPN provider.

skankhunt42 ,

My fibre box does TV, phone, and internet all in one. I guess you have one for each? I’m interested to find out if you’ll share.

I think asking them what each of them do and understand it is a good first step. Maybe you can get that down to 2 boxes. Good luck!

Nice! Glad it’s still working! Definitely triple check with something like canyouseeme.org when you open ports. I’m a Linux Sys Admin and happy to do my best to help if you have any more questions. At least I’ll try and get you on the right track.

I 100% agree with you on the rest. Canada isn’t doing anything and at this point I’m ready to give up. I’m not sure where to draw the line anymore and self hosting is a bit of a pain for me these days. Personal life is a bit rough and it’s just so easy to make a gmail account and have them host it.

skankhunt42 ,

I’ll try to remember to DM you when/if I get any answers

Thanks! No worries if not, it’s just a different setup than I’m used to. Safe travels! I think I got sick over the weekend too. hah.

I also have 500 MBit/s symmetrical internet. They tried to upsell me on 1.5GBit/s but my Firewall only supports “up to 700 MBit/s throughput” even though it has gigabit NICs so watch out for that also :) shop.netgate.com/products/1100-pfsense is the one I use. I’d love to upgrade but money has been tight for awhile.

But of course, don’t ever feel obligated to answer.

No problem! I’ll answer when I can, even if it’s a “I don’t know”

I am trying to work myself towards as complete control over my data as possible,

I started doing this in college. Deleted Facebook, started buying cheap Tiny Lenovo PCs to run everything on. It’s almost a chore now but I still enjoy it. I think the issue is I also do it all day at work so it kind of feels like more work after work, you know? I’m paying a company to host my email because I tried doing it myself and it was too much work.

I hope you get through your stuff in your personal life. This interaction has in any case been greatly appreciated by me.

All good, I was just giving context. Thanks though!!

skankhunt42 ,

The thing that got me to pay someone else to host my mail is having outbound blocked by google/Microsoft all the time for no reason.

skankhunt42 ,

archive.is/NNBct

During the first decade and a half of this century, young American men devoted a growing amount of time to computer and video games and a shrinking amount to work. In a 2017 paper that received tons of attention, four economists proposed that better games (“improved leisure technology”) were luring young men away from the workplace. In a response that received less attention but that I found more convincing, economist Gray Kimbrough argued that the interaction between weak labor demand and “a shift in social norms (that) rendered playing video games more acceptable at later ages” explained the data better.

It may be time for some new hypotheses. Statistics released last month by the US Bureau of Labor Statistics from the annual American Time Use Survey show that the time young men spent “playing games” — the survey doesn’t differentiate between electronic and non-electronic games, but most researchers assume it’s chiefly the former — rose by nearly three-quarters of an hour from 2019 to 2022, more than it had increased over the previous 16 years.

A Big Increase in Gaming Time for Young Men

[Chart: Average daily hours spent playing games, US men ages 15 through 24*; annotated points: 2019: 1.08 hours, 2022: 1.82 hours]

Source: US Bureau of Labor Statistics American Time Use Survey

*Data not available for 2020

I don’t think there’s been a sudden acceleration in video-game quality improvement over the past three years, and labor demand was quite strong in 2021 and 2022. There was, however, a pandemic that brought big layoffs in early 2020 and an extended experiment in remote schooling and work that continued long after that. Amid all that disruption, young men turned to their computers and gaming consoles. So did young women, but from a much lower starting point.

The Gaming Gender Gap

[Chart: Average daily hours spent playing games, US, ages 15 through 24*; series: Men, Women]

Source: US Bureau of Labor Statistics American Time Use Survey

*Data not available for 2020

What are young men doing less to free up time for all that gaming? That’s hard to say with too much confidence: All these estimates are derived from a survey of about 26,400 households that is subject to sampling and other errors, and while the increases in gaming time are so big we can be confident that they represent a real phenomenon, some of the other changes could be mostly noise. Still, it does appear that, since the pandemic, most of the additional gaming time has come from work and sports/exercise/recreation.[1]

The Changing Shape of Young Men’s Days

Change in average daily hours devoted to selected activities, US men 15-24

Activity                                  Since 2019   2003-2019
Playing games                                   0.74        0.51
Sleeping                                       -0.03        0.41
Eating and drinking                             0.10        0.16
Computer use for leisure (ex games)             0.05        0.10
Household activities                           -0.10        0.14
Educational activities*                        -0.04        0.07
Organizational and religious activities         0.06       -0.14
Sports, exercise and recreation                -0.26        0.16
Watching TV                                    -0.04       -0.15
Working and work-related activities*           -0.35        0.03
Socializing and communicating                  -0.03       -0.41

Source: US Bureau of Labor Statistics

*Includes travel time to school or work

Before the pandemic, there was a big decline in the estimated time young men spent socializing and communicating, and smaller drops in the time spent participating in organizational and religious activities and watching TV — with the latter activity, at 2.14 hours a week in 2022, probably destined to be surpassed by gaming soon. Notably, given the academic debate discussed at the beginning of this column, there wasn’t any decline in hours worked. That’s partly because young men’s average working hours rose after the periods examined in the papers discussed above, which seems to lend support to Kimbrough’s argument, but also possibly because both papers examined trends among men ages 21 through 30 while the statistics in all the charts here are for ages 15 through 24, which is how the BLS reports them.[2]

The share of men ages 15 to 24 who spent at least some time playing games on an average day topped 50% for the first time in 2022, at 52.4%. Before the electronic era, playing games was often a social activity (bridge, anyone?), and it’s possible that part of what’s been transpiring is that the social aspect of gaming has made a comeback, with a big boost from pandemic lockdowns during which multiplayer online games provided a socially distanced way to spend time with friends.

Then there’s the question of games versus work. The 20-to-24 age group has lagged both teenagers and prime-age (25 to 54) workers in the job market recovery of the past three years, with labor-force participation still down 2.1 percentage points since February 2020 among the men, as of May, and 1.3 points among the women. I don’t think games are really the cause of this, but the big increase in time spent on them could be a symptom of the disruption the pandemic caused for a subset of young adults who had just joined or were on the cusp of joining the labor market, and it’s possible that heavy video game use is making it harder for some to get their lives back on track. Among men ages 15 to 24 who spent at least some time playing games on an average day in 2022, the average time spent was 3.82 hours, which is a pretty significant chunk of the day, and 8% of those in the age group played for six or more hours a day.[3] I think that might be too much!

Don’t worry, though, I’m not going to conclude this column by yelling at the youngsters to stop spending so much time playing video games. How could I, given that young men and their gaming consoles still don’t hold a candle to old men and their televisions? American men 65 and older spent an average of just more than five hours a day watching TV in 2022, up from just more than four in 2003.

Senior Citizens Watch a Lot of Television

[Chart: Average daily hours spent watching TV, ages 65 and older*; series: Men, Women]

Source: US Bureau of Labor Statistics American Time Use Survey

*Data not available for 2020

I don’t think this trend has significant labor-market implications, but the fact that those 65 and older make up a larger share of the US population than ever and are watching more TV than ever probably explains a lot about our strange political era, and also just seems kind of sad. The slight decline in TV time since 2019 is within the margin of error, but the fact that it didn’t grow during the pandemic is at least slightly encouraging. Seriously, my soon-to-be-fellow elderly Americans (I’m 59): stop watching so much TV!
