
Restrict internet access from the box to the minimum

Open arodier opened this issue 5 years ago • 3 comments

Ideally, the box should only have access to a few internet sites, all the rest being blocked and logged. For instance, access to Debian repositories, ClamAV updates, rspamd repositories, etc.

  • A whitelist / blacklist proxy, like tinyproxy, might be enough.
  • Adding appropriate firewall rules to automatically redirect the traffic to the proxy might be interesting.

arodier, May 13 '19 09:05

I may need to switch from ufw to iptables

arodier, Oct 13 '19 19:10

I have a shorewall-based ansible role that I forked a few years ago that I've been using continuously on multiple servers, and even my home router, with great success:

https://github.com/senorsmile/shorewall_simple

senorsmile, Jan 02 '21 07:01

Perhaps we can use nftables, on bullseye, for this. Since some components are optional, using ansible to deploy nftables scripts and including them in one parent script seems to be the right approach to me.

arodier, Jan 02 '21 09:01
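The layout proposed in the comment above, as an added example that is not the homebox project's own ruleset: a parent nftables script with a drop-by-default output chain, an allow-list set that per-component include files populate, and rate-limited logging of everything else. The resolver, NTP and mirror addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and the open SMTP rule assumes the box still delivers mail to remote MX hosts.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf (parent script): drop-by-default egress with an allow-list.
# Example ruleset, not homebox's own. Addresses are documentation-range placeholders.
flush ruleset

define RESOLVERS = { 203.0.113.53 }    # assumed upstream DNS resolver
define NTP_SERVERS = { 203.0.113.123 } # assumed NTP server

table inet egress {
    # Destinations the box may reach over HTTP/HTTPS. The set starts empty;
    # each deployed component's include file adds its mirror addresses.
    set allowed_v4 {
        type ipv4_addr
        flags interval
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Name resolution and time sync are needed before any mirror is reachable
        ip daddr $RESOLVERS udp dport 53 accept
        ip daddr $RESOLVERS tcp dport 53 accept
        ip daddr $NTP_SERVERS udp dport 123 accept

        # Package, signature and rule updates, but only from allow-listed mirrors
        ip daddr @allowed_v4 tcp dport { 80, 443 } accept

        # Assumption: this is a mail server, so delivery to remote MX hosts stays open
        tcp dport 25 accept

        # Everything else is logged (rate-limited so a runaway process cannot
        # flood the journal), counted and dropped
        limit rate 10/minute burst 20 packets log prefix "egress-denied: " level warn
        counter drop
    }
}

# One file per optional component, deployed by ansible only when that
# component is enabled, e.g. /etc/nftables.d/clamav.nft containing:
#   add element inet egress allowed_v4 { 203.0.113.10, 203.0.113.11 }
include "/etc/nftables.d/*.nft"
```

Running `nft -c -f /etc/nftables.conf` checks the whole tree, includes included, without applying it, so a component file with a typo is caught before the box loses its updates.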

Implemented

progmaticltd, Dec 24 '22 07:12