I would highly suggest using a separate VLAN at the minimum directly off your firewall, and at the ingress of your firewall put rules in blocking any traffic from the server to the rest of your home. You can always allow ssh from your work env to the server, but block unsolicited traffic from the server to your home. I’d also suggest potentially leveraging a secondary public IP if you have service that will give you a block of IP addresses for a fee. It would be worth it to just keep your home separate from any denial of service type attacks directed at your lemmy instance.
Got it, thank you. I'll look into the 2nd static IP from Comcast. That is/ was one of my major concerns. I don't want my whole home network going down if someone decides to dos it
A second IP on the same connection and router will not prevent the other IP from being affected by a ddos. A ddos is meant to either saturate a connection or overload a device. Since you will be using the same connection and device, a second IP will not help with this.
Turns out I don't have access to a second IP anyways; Only available for Businesses from my ISP :( thank you for the reply
you cannot prevent communication between clients within the same VLAN.
Can't you use a firewall for this?
Anyway, my guess is it's probably better to use a separate vlan or a DMZ for that. But given my poor security experience, others can probably better help you on this one
To my knowledge, devices within a VLAN can see eachother, because they do not cross the firewall (since they are layer 2). I may be wrong, but that's my experience and what I've read.
You can use host firewalls or l2 firewalls (sometimes called transparent mode). Many hypervisors offer l2 firewall features. You can also enable l2 isolation on some network devices.
Yeah, the usual approach is to create a DMZ network/VLAN where you forward external traffic to, but you can’t reach anything except the internet from.
Is just exposing it via a Cloudflare Zero Trust tunnel enough for security?
(Serious question that I don't know the answer to, as this is what I'm currently considering for a project.)
From what I've read about Cloudflares Zero Trust Tunnel thing it's actually more secure than hosting it with a public IP address.
To be clear I haven't done it. So idk for sure. But it sounds like they use some kinda 2fa system to get to your services, you don't expose a public IP, and it's all behind Cloudflares service. Which is great for security. If you trust Cloudflare. I trust Cloudflare, but some folks might not.
I might check this out as a weekend project tho. See how it differes from my setup with vlans, VM's, firewalls and fail2ban.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!