sec: trusted interface does not require openfirewall ports #2

New issue

Closed

opened 2023-06-24 18:40:33 -04:00 by Ghost · 3 comments

Ghost commented

2023-06-24 18:40:33 -04:00

ef82734585/hosts/sora/services/uptimekuma.nix (L2)

_: {
  networking.firewall.allowedTCPPorts = [4000];
  services.uptime-kuma = {
    enable = true;
    settings = {
      HOST = "100.87.54.48";
      PORT = "4000";
    };
  };
}

since you're binding to 100.87.54.48 there's really no reason to open the firewall if your reverse proxy has a tailscale interface on it or your desktop/laptop has tailscale interface.

tailscale is an overlay/flat-layer-2 network. the only firewalling is using the acl's

in traefik you would just set the service lb to 100.87.54.48 and call it good.

of course leaving it will not hurt anything, but it's just extra config that's likely not needed.

https://git.notohh.dev/notohh/snowflake/src/commit/ef82734585759868abe0cc5ec3f7a81e6bcc4914/hosts/sora/services/uptimekuma.nix#L2 ```` _: { networking.firewall.allowedTCPPorts = [4000]; services.uptime-kuma = { enable = true; settings = { HOST = "100.87.54.48"; PORT = "4000"; }; }; } ```` since you're binding to `100.87.54.48` there's really no reason to open the firewall if your reverse proxy has a tailscale interface on it or your desktop/laptop has tailscale interface. tailscale is an overlay/flat-layer-2 network. the only firewalling is using the acl's in traefik you would just set the service lb to 100.87.54.48 and call it good. of course leaving it will not hurt anything, but it's just extra config that's likely not needed.

notohh commented

2023-06-24 18:57:39 -04:00

Owner

uptime-kuma isnt proxied on sora just yet, so this does need to stay open for the time being. will close once its proxied though.

notohh closed this issue

2023-06-24 18:57:44 -04:00

notohh commented

2023-06-25 11:22:07 -04:00

Owner

when i close 4000, i actually cant access the dashboard for uptime-kuma from tailscale, but can access status.notohh.dev.

when i close 4000, i actually cant access the dashboard for `uptime-kuma` from tailscale, but can access `status.notohh.dev`.

notohh reopened this issue

2023-06-25 11:22:07 -04:00

notohh commented

2023-09-01 12:57:39 -04:00

Owner

closing this now, reopening 4000 since i cant seem to access the dashboard from anywhere when its closed. status.notohh.dev is only a frontend and cant actually control anything, which is why i need to be able to access the dashboard

closing this now, reopening 4000 since i cant seem to access the dashboard from anywhere when its closed. `status.notohh.dev` is only a frontend and cant actually control anything, which is why i need to be able to access the dashboard

notohh closed this issue

2023-09-01 12:57:39 -04:00

No milestone

No project

No assignees

2 participants

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: notohh/snowflake#2

No description provided.