zlacker

1. smarx0+P4 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.
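An added example (not from any commenter) of checking the binding distinction described above: a POSIX shell audit that reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and flags every published port not bound to loopback. The sample input is constructed for an offline run.

```shell
#!/bin/sh
# Added example: flag Docker port publications that are not bound to
# 127.0.0.1 / [::1], i.e. those reachable from outside the host through
# the firewall rules Docker inserts on its own. Input format is that of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Loopback-only publication is what "127.0.0.1:1234:1234" in a
# docker run / compose "ports:" entry produces.

TAB="$(printf '\t')"

audit_ports() {
    # Reads "name<TAB>ports" lines on stdin and prints "name address:port"
    # for each binding whose host address is not loopback.
    while IFS="$TAB" read -r name ports; do
        [ -z "$ports" ] && continue
        # One binding per line; strip the "->containerport/proto" suffix.
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//; s/->.*//' |
        while read -r binding; do
            case "$binding" in
                127.0.0.1:*|"[::1]:"*) ;;            # loopback only: fine
                *:*) printf '%s %s\n' "$name" "$binding" ;;
                *) ;;   # "80/tcp" with no host part: exposed, not published
            esac
        done
    done
}

# Constructed sample of docker ps output (tab-separated).
SAMPLE="$(printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n'
         printf 'db\t127.0.0.1:5432->5432/tcp\n'
         printf 'cache\t127.0.0.1:6379->6379/tcp, [::1]:6379->6379/tcp\n'
         printf 'internal\t80/tcp\n')"

count_public() {
    # Number of non-loopback bindings found in SAMPLE (expected: 2, both "web").
    printf '%s\n' "$SAMPLE" | audit_ports | wc -l | tr -d ' '
}

first_public() {
    printf '%s\n' "$SAMPLE" | audit_ports | head -n 1
}

printf '%s\n' "$SAMPLE" | audit_ports
```

Run it against live output with `docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ports` to list what the host is actually publishing to all interfaces.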

2. aaomid+z7 2025-01-05 14:14:35
>>smarx0+P4
Tbh I prefer not exposing any ports directly, and then throwing Tailscale on the network used by docker. This automatically protects everything behind a private network too.
3. diggan+Ae 2025-01-05 15:14:23
>>aaomid+z7
A FOSS alternative is to throw up a $5 VPS on some trusted host, then use WireGuard (FOSS FTW) to do basically exactly the same, but cheaper, without giving away control and with better privacy.

There is a bunch of software that makes this easier than trivial too, one example: https://github.com/g1ibby/auto-vpn/

4. eadmun+HO 2025-01-05 19:57:49
>>diggan+Ae
Or you can use headscale (BSD) with the Tailscale client (BSD), which is still FOSS but also very very easy to use.