Black hole 80/443 in firewall.nix CJ

2023-06-13 07:06:44 -04:00 · 2023-06-13 07:06:44 -04:00 · b7c65ba37d
commit b7c65ba37d
parent d436285423
1 changed files with 9 additions and 2 deletions
--- a/machines/cj/firewall.nix
+++ b/machines/cj/firewall.nix
@ -7,13 +7,20 @@
    #8123  # home-assistant
    #3000  # gitea
    8081  # vaultwarden
-    80 443  # reverse proxy
+    # If we are reverse proxying we should map to a different port than 443 or
+    # 80. Here we blackhole those ports so that pihole will be more efficient.
+    # When pihole "blocks" a site, depending on configuration what it may really
+    # does is returns its own IP, so the client then requests the content from
+    # this node at whichever port it needs. That is usually 80 or 443 for http
+    # and https, so it's better to block these fast than to pass all that
+    # traffic to some actual service.
+    #80 443  # reverse proxy
  ];
  allowedUDPPorts = [
    22000 21027  # syncthing
    3478 5514 10001 1900 123 # unifi
    53  # pihole
-    80 443  # reverse proxy
+    #80 443  # reverse proxy
  ];
  allowedUDPPortRanges = [
    { from = 5656; to = 5699; }  # unifi