Public-facing services routed through a firewall or WAF (Cloudflare) always.
Backend access trivial with Tailscale, etc.
Stupid question probably, but: how can it not be routed through a firewall? If you have it at home, it's behind a router that should have a firewall already, right? And just forwards the one port you expose to the server?
Cloudflare can certainly do more (e.g. protect against DoS and hide your personal IP if your server is at home).
No such thing as a stupid question.
If you plug in a machine at home, it is behind the router, and behind the router's firewall.
If you want more of a firewall locally, something as simple as an EdgeRouter X can get you started easily with this excellent guide: https://github.com/mjp66/Ubiquiti
The nice thing about using Cloudflare Tunnel is there are zero ports to expose, ever. The Cloudflare Tunnel app running on your local machine is what connects out to the internet and takes care of creating a secure connection between Cloudflare and your machine.
If you want to forward more than one port to the machine, you could use something like Cloudflare to forward to a machine on your home server, and then have Nginx Proxy Manager or something send the traffic around internally.
It's totally fine to start with Cloudflare, and if you aren't already, something like Proxmox (YouTube tutorials are pretty quick) gets you up and running and playing pretty quickly. Feel free to ask any other questions you like.
Thanks a lot!
One thing I don't really get is why it is "more dangerous" to expose a port on my home IP, versus exposing a port on a Cloudflare tunnel. In both cases, a random user from the Internet can reach my server, and if I host a vulnerable application on that exposed port, it can be exploited. Right?
In order to host my server at home, but keep it outside my LAN, I have been considering having two routers: a "perimeter" router (not sure if that's what it's called) that connects to my ISP, and my normal "LAN" router. The LAN router does not expose anything, as usual. I connect my server to the perimeter router, so that it is in the "DMZ" between both routers. And on the perimeter router, I expose the port to my server. My idea being that if my server gets hacked, it doesn't affect my LAN. A bit like if my server was on a remote VPS.
And then I can run something like Proxmox to separate my different services on my server.
But doing this, I expose my home IP instead of a Cloudflare IP, so now I'm concerned that maybe it is a risk? :-)
Exposing ports on home IP:
- exposes the port to be available for inbound connections from anyone on the public internet. When we use a web browser, it's outbound first, which initiates responses.
- with an exposed port, you are that much more at the mercy of your firewall's ability to protect and defend the open port, which becomes more of a consideration.
- some people take additional security steps to only allow certain IPs to connect to the exposed port if it works for their scenario.
Compared with the Cloudflare Tunnel:
- if it's a website, for example, nothing is open to the public at all. The CF Tunnel (or a similar tool) connects first outbound to Cloudflare to set up a secure link between Cloudflare and your home server.
- having this amount of security can make it harder to connect back to your own server for admin. This is where a tool like Tailscale (also free) can be handy, where you can continue to have full secured access to the server, and the public side only has whatever you want to expose to the public internet.
- if there's a port or service in specific you're looking to sort out feel free to ask.
Network design:
- keeping a server at home outside of your LAN is a good idea, it could be a perimeter router. DMZ can mean exposed to the internet without a firewall.
- if you read the guide I posted above, it sounds like an exact match for what you're trying to figure out. It achieves it with multiple VLANs to separate traffic rules. The PDF has some nice graphics to break it out; I wish I had something like this when starting out. The concepts described in the PDF should be possible on most equipment that exposes the settings, and while I don't endorse a particular product, the Ubiquiti EdgeRouter X for the $50 or so is very capable as a starting point for what you are after to be the main router. In the case of adding a dedicated router like this, you would have to switch your modem into "bridging" mode to let this be the main router for everything. Wireless access points can then be individually added to it. Alternatively, if something like pfSense interests you, their parent company makes Netgate equipment that a lot of people seem to love. Both are well represented and supported on YouTube to learn from as well.
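As an added example (not from any poster in this thread, and not taken from the Ubiquiti guide linked above), here is what the "perimeter router with a DMZ VLAN" layout the replies describe looks like as an nftables ruleset for a Linux box acting as the main router. EdgeOS and pfSense use their own rule syntax, so treat this as the zone logic to translate, not something to paste onto those devices. Interface names (eth0 = WAN, eth1 = DMZ VLAN, eth2 = LAN VLAN), the server address 192.168.50.10, port 443 and the admin source allowlist are all assumed values for illustration. The one DNAT rule is the "exposed port on my home IP" case, restricted to allowlisted sources as the reply suggests; the comment next to it shows what changes in the Cloudflare Tunnel case (the rule goes away, because the server dials out). The `check_ruleset` function encodes the invariants the thread cares about: forward policy drop, an explicit DMZ-to-LAN drop, no WAN-to-LAN forwarding, and no unrestricted inbound DNAT.

```shell
#!/bin/sh
# Added example: nftables ruleset for a perimeter router with a DMZ VLAN.
# All interface names, addresses and the allowlist below are assumptions.
WAN_IF="${WAN_IF:-eth0}"            # ISP side (modem in bridge mode)
DMZ_IF="${DMZ_IF:-eth1}"            # DMZ VLAN holding the exposed server
LAN_IF="${LAN_IF:-eth2}"            # trusted LAN VLAN
SERVER="${SERVER:-192.168.50.10}"   # assumed DMZ server address
EXPOSED_PORT="${EXPOSED_PORT:-443}"
ADMIN_ALLOWLIST="${ADMIN_ALLOWLIST:-203.0.113.0/24, 198.51.100.7}"  # assumed public IPs

gen_ruleset() {
  cat <<EOF
flush ruleset
table inet perimeter {
  set admin_allowlist {
    type ipv4_addr
    flags interval
    elements = { $ADMIN_ALLOWLIST }
  }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # The "exposed port on the home IP" case, limited to allowlisted sources.
    # With a Cloudflare Tunnel this rule is deleted: cloudflared in the DMZ
    # dials out, so no inbound port-forward exists at all.
    iifname "$WAN_IF" ip saddr @admin_allowlist tcp dport $EXPOSED_PORT dnat ip to $SERVER
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WAN_IF" masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN may reach the internet and the DMZ server (for admin, backups, etc.).
    iifname "$LAN_IF" oifname { "$WAN_IF", "$DMZ_IF" } accept
    # DMZ may dial out (cloudflared, Tailscale, updates) but never into the LAN.
    iifname "$DMZ_IF" oifname "$LAN_IF" drop
    iifname "$DMZ_IF" oifname "$WAN_IF" accept
    # Inbound from WAN only reaches what prerouting already translated to the server.
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $SERVER tcp dport $EXPOSED_PORT ct state new accept
  }
  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # Router management and DNS only from the LAN side.
    iifname "$LAN_IF" tcp dport 22 accept
    iifname "$LAN_IF" udp dport 53 accept
    icmp type echo-request limit rate 5/second accept
  }
}
EOF
}

# Invariants to verify before loading. Returns 0 if all hold, 1 otherwise.
check_ruleset() {
  rs="$(gen_ruleset)"
  printf '%s\n' "$rs" | grep -q 'hook forward priority filter; policy drop;' || return 1
  printf '%s\n' "$rs" | grep -q "iifname \"$DMZ_IF\" oifname \"$LAN_IF\" drop" || return 1
  if printf '%s\n' "$rs" | grep -q "iifname \"$WAN_IF\" oifname \"$LAN_IF\""; then return 1; fi
  n_dnat=$(printf '%s\n' "$rs" | grep -c ' dnat ')
  n_restricted=$(printf '%s\n' "$rs" | grep -c 'ip saddr @admin_allowlist .* dnat ')
  [ "$n_dnat" -gt 0 ] && [ "$n_dnat" -eq "$n_restricted" ] || return 1
  return 0
}

# Usage: sh perimeter.sh /etc/nftables.conf  (then `nft -f /etc/nftables.conf` as root)
main() {
  out="${1:-perimeter.nft}"
  check_ruleset || { echo "ruleset failed self-check" >&2; return 1; }
  gen_ruleset > "$out"
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$out" && echo "ruleset parses OK: $out"   # -c checks syntax without loading
  else
    echo "wrote $out (nft not installed here; syntax check skipped)"
  fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Reading the forward chain top to bottom is the point: the DMZ host can only ever open connections toward the WAN, so a compromised server in the DMZ has no path into the LAN, which is exactly the "a bit like a remote VPS" property the question asked for. Admin access back into the DMZ then comes either from the LAN side or over Tailscale, which the DMZ host initiates outbound like cloudflared does.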