Yes, that’s the idea, that everything needs to go through opnsense, where I manage who’s allowed to go where. The question now is how to determine if the front door lock is safe, so that nothing can leak through because I misconfigured nat or VPN or something
SomeLemmyUser
- 2 Posts
- 11 Comments
Well I have separate subnets for separate vlans. Connections between them get blocked by the firewall by default from my understanding, but to be safe I explicitly deny all outbound AND inbound connections, so I have to make a rule for each of two subnets if I want inter subnet communication, which is the case for the shared media server. If I do that I whitelist which IPs can reach which IPs on the different subnet. There still is the problem that different clients on the same network can "steal"the IP of other clients with more permissions. That’s why I asked about authentication
I tried that a little, but my problem was that there was to much stuff going on in the network for me to understand and review all. I am currently not reachable at all from the big internet, only local server access and I only get working connections if I rset an IP corresponding to the vlan I am in, but unify broadcasting, Nat, VPN, etc. Make a lot of connections and connection attempts internally I dont understand.
Problem with no client authentication is that the network is used by multiple separate households not necessary trusting each other, and some now want to host servers to the public, which would mean lots of untrusted traffic. I am concerned if they dont handle their security right and have access to for example our shared media server, they could scrape ip-mac address pairs to get deeper in the network. Any thoughts on benefits and lows of 802.1 vs. Radius?
Okay, yeah i do look at the reporting to Register things that look off, but I am not sure I recognize everything that IS off.
Generally I keep outbound and inbound completely closed except for the connections I need, which I manually allow for in the rules for each subnet. for the client WiFi I have a alias with all private (ipv4) ranges, and a rule that allows outbound to anything but that (so only connections to “the internet” not to stuff in my network.
Radius is the thing I at least came across a few times in my settings, from what I understand I would need a dedicated radius server all can reach an authenticate against right? At the moment I only have a bare metal Debian server for the self hosted unifi controller, maybe I could learn proxmox and do radius and unifi in different VMs on that machine.
What would the tailscale option mean? I have heard about it (but mostly mentioned in combination with arr stacks, which I dont have, so I never looked at it. What does it do? What are the benefits over for example radius?
Okay, so radius/tailscale for client networks, for iot I rely on subnet separation would be your advice?
SomeLemmyUser@discuss.tchncs.deto
Steam Hardware@sopuli.xyz•Can I Hotswap A Steam Deck SSD Into the Steam Machine?
5·2 days agoThere could be driver issues for the difrerent Hardware devices, most likely it will run just fine, but you may have performance impacts you later dont know where they are comming from. Reinstalling is the safe way, if you dont want to redownload all games, you can copy the steam games folder
SomeLemmyUser@discuss.tchncs.deto
Selfhosted@lemmy.world•Safely exposing services to the InternetEnglish
1·22 days agoWell, i never argued against the clearly powerfull capabilities, those are obviously huge, my point was that as a hobbyist you should consider having the important stuff (finances, official documents, biometrics) in cold storage or on a separate machine as well as stuff like security cameras or doorlocks if you do stuff like this out of it until you fully understand the risks, which are not that easy to grasp for people without experience.
Ofc proxmox and qubes are incredible useful tools of technology, but their high versatility and customizability gives you a lot of tools you need understand and use properly on top of what you are already doing. (More so with proxmox as with qubes, qubes is a little less industry focused IMHO)
SomeLemmyUser@discuss.tchncs.deto
Selfhosted@lemmy.world•Safely exposing services to the InternetEnglish
1·22 days agoValuable insight, thanks :)
SomeLemmyUser@discuss.tchncs.deto
Selfhosted@lemmy.world•Safely exposing services to the InternetEnglish
1·23 days agoWhy is a hypervisor the best we got? Why would better than a dedicated bare metal server? Why would the attack surface if a hypervisor be smaller than the attack surface without one?
Honest question
SomeLemmyUser@discuss.tchncs.deto
Selfhosted@lemmy.world•Safely exposing services to the InternetEnglish
1·23 days agoThanks for evaluating! The exploit was explained to me that an unpriviliged user/Programm could use it to get root access on the whole system, which I my mind included the hypervisor. Further reading seems to proof you right, while containers were broken VMs were not.
My point still remains, although weaker: If you know exactly what you are doing you can get a system quite secure, if you are a hobby server owner like me, its not that easy. I would have not know that the use of VMs instead of containers has sooo major security implications, that something so fundamental as ssh could be exploited in such large scales, and clustering would have been needed to avoid being unsafe.
Sure, noone would use an zero day on me targeted, the thing is: I am not working in the field, from publishing of the exploit till learned about it and had the time to patch, there were a few weeks. If in those few weeks someone deploys a tool going for mass and not for single targets, I would probably be infected and added to some botnet, cryptominer or whatever.
If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to wory about. Sure, someone could still find a openbsd/opnsense exploit and get me, but my point is: complex systems break in complex ways, the more complex systems you use, the more attack surface u have, need to know and understand to control and mitigate it.
Not that its impossible, but for a hobbyist who tries to self teach with man pages, tutorials and forums, you can get pwnd in unexpected ways (like because you used a container for dodgy Chinese smart home devices and expected that your production environment would be safe even if one of them was malicious, but in fact you were not, because that would have needed to be a VM. AND: before copy fail was published, users would have probably also told you that containers are safe.
SomeLemmyUser@discuss.tchncs.deto
Selfhosted@lemmy.world•Safely exposing services to the InternetEnglish
61·28 days agoI was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.
just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed, it would allow containers and VMS to infect the host system. Xz utils could also lead to a broken host client separation, as proxmox uses ssh for clustering and the like.
So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.
That said, I am by no means an expert so feel free to correct me if I got something wrong.

Okay, maybe I’m misunderstanding something, but my thinking goes like this:
In my mind I could prevent this with authentication, as I could force a device to have a keyfile or something in order to use that IP address. So the bad actor would at least first need to get access to the real device and steal the keyfile in order to spoof it. Which (in my mind) is way harder than iterating through all Mac addresses and testing which addresses get which IPs with which permissions.
The issue i want to solve (with this part) would basically boil down to: securely giving different permissions to devices on the same network/subnet.
The only other way I would see would be to buy more APs so there is a separate WiFi for every set of permissions I want to give out, so spoofing Mac addresses becomes irrelevant.