Inspired by this comment to try to learn what I’m missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

  • Chewy@discuss.tchncs.deEnglish
    1·
    27 days ago

    Some I haven’t yet found in this thread:

    • rootless podman
    • container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
    • systemd services with many of its sandboxing features (PrivateTmp, …)
      • Chewy@discuss.tchncs.deEnglish
        0·
        24 days ago

        Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).

        The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.

        • ocean@lemmy.selfhostcat.comOPEnglish
          1·
          20 days ago

          Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).

          Thanks for explaining this!