Octopi firewall rules


#1

As I have my Pi port forwarded for remote access, I thought about turning on and configuring the Uncomplicated Firewall (UFW), but as I'm still a Linux n00b, didn't really know how to configure it and worried I would block myself in the process lol.

Anyone set up the UFW?
Got some recommended settings? (will need n00b-proof steps too please)


#2

The preferred way of locking down an OctoPrint server is to set up a VPN, and allow access to the VPN from the outside, which would grant access to your inside network.

If you were to set up a local firewall, it should be to restrict outside access to specific IP addresses (work, school, or any other static IP address). Having a dynamic IP address (someone else's home, mobile, etc.) would be a problem as you would need to get in and reload your rules for the new site. You might be able to get away with a dynamic DNS service, but that would still be annoying to set up and may still need firewall rule reloads.

If you do not plan on doing this sort of restriction, there is no difference in letting your router handle the port redirection (which adds a basic hardware firewall) or enabling a software firewall. I would also strongly suggest NOT putting the Pi in the DMZ of the router, otherwise you WILL need a software firewall up.
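
The per-address restriction described in the reply above, as an added example that is not part of the original post: a script that prints the UFW commands in an order that keeps SSH reachable from the LAN before the firewall is enabled. The LAN range, the remote addresses (documentation ranges) and the forwarded port 80 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Constructed values (assumptions, not from the thread); adjust to your network.
LAN_CIDR="192.168.1.0/24"               # home LAN, keeps local access working
REMOTE_IPS="203.0.113.10 198.51.100.7"  # static outside addresses allowed in
WEB_PORT=80                             # port the router forwards to the Pi

# Succeeds if $1 looks like an IPv4 address, optionally with a /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Usage: ufw_plan LAN_CIDR PORT REMOTE_IP...
# Prints the ufw commands in the order they should be run.
# Prints nothing and returns 1 if any address is malformed.
ufw_plan() {
    lan="$1"; port="$2"; shift 2
    is_ipv4 "$lan" || { echo "bad LAN range: $lan" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH from the LAN is allowed before 'enable' so you cannot lock yourself out.
    echo "ufw allow from $lan to any port 22 proto tcp"
    echo "ufw allow from $lan to any port $port proto tcp"
    # Only the listed outside addresses may reach the forwarded port.
    for ip in "$@"; do
        echo "ufw allow from $ip to any port $port proto tcp"
    done
    echo "ufw enable"
}

# Show the plan only; nothing is changed on the system.
ufw_plan "$LAN_CIDR" "$WEB_PORT" $REMOTE_IPS
```

Review the printed lines, run each one with `sudo`, and check the result with `sudo ufw status verbose`.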


#3

I think that loclhst is probably right and if you aren't sure about setting up system level things in Linux, maybe you don't want to start with something that a malicious actor could use to try to set your house on fire.

But if you (or anyone else reading this post later) do decide to let your Pi handle its own security, https://www.raspberrypi.org/documentation/configuration/security.md looks pretty good. I was going to say you should also run fail2ban and I see they've got that covered, too.