Block acces to public IP. Allow only access via CloudFlare

I’ve setup YunoHost domain so all access to is ruted through Cloudflare.

What is the best way to block all access to my public IP, and force traffice through Cloudflare?

Hi patpatterson,

Welcome to the forums!

When you opened your thread there was a bunch of letters in the screen that comprised a helpful message, which would have helped forum members to help you. Lacking that helpful information, it is difficult to say something useful.

In general: blocking access is done in firewalls.

Not sure if I understad the case here?
I just typed the message as I use to on other discoruse forums.
(Perhaps not the best title tho…)

Ok. Is there a reccomended way to set it up?
Does any firewall work fine along yunohost or is there a reccomended one?

Hi pat,

My bad, and apologies. I see that the “Discuss”-category has a different (= no) template than the “Support”-category.

The template in support asks some specifics about your installation, so that

  1. people can help you with your situation
  2. future readers can see whether it applies to their situation

A topic asking support on how to set up access restrictions is usually found in the support category, I did not pay attention. I hope I did not give a very blunt impression on your first visit!

Depending on your situation (is your Yunohost at home or in a datacenter, running widely accessible or behind an external firewall) you would configure the external firewall or extend the built in firewall.

There was an earlier thread about dropping connections not from a specific IP, with @TheNomad11 having suggestions on how to configure that

I have not used Cloudflare (from a ‘serving’ perspective). Out of interest, why would you only allow connections via Cloudflare?

1 Like

if i am not mistaken.

as long as the proxy option (orange) is on while setting up DNS then nothing goes directly to you. its is served by cloudflare, however that would also mean that cloudflare can decrypt and encrypt traffic as they see fit (as connections would use cloudflare certs and not your own)

1 Like

Sorry, I missed your reply.

I’m hosting at home on my own equipment.

I already had the domain at Cloudflare. And I’m all new to exposing my services to the web in this way.
I used a cloudflare tunnel on the domain prior to this.
I figured Cloudflare could bring some security. But if someone accesses my IP direct the cloudflare security measures is omitted. Or?

I may be both wrong and paranoid…

Yeah. But does this count when accessing the IP directly?

cloudflare will always have your ip. how they know where to send traffic. if you set the dns to orange they redirect who asks for your domain first to one of their proxies (not you) and then to you (so they don’t have your ip)

if you type into your browser YOU (and anyone else on your local) will be able to see what it is.

there are ways to make it harder to access locally if at all but i am not all familiar with yuno to say how. as i run it in an unraid vm.

I’m out of my depth regarding Cloudflare. As I am all for decentralizing the Internet and improving privacy, using Cloudflare is at odds by becoming a silo for a large part of internet traffic and by decrypting all traffic at their entrypoints.

That aside, as far as your ISP-provided, public IP:

  • everything on the internet is continiously scanned and under constant attack.
  • that is the case with or without services running on your IP, and with or without Cloudflare

Depending on the configuration in Cloudflare, and the corresponding configuration in your router, you will or will not see this activity on your Yunohost.

To use Yunohost without seeing constant knocking at the door, you would not follow the recommendations for opening ports on your router. Instead, you’d look for a tutorial to tunnel traffic from a public ingress point at Cloudflare to your LAN (from your description and my lack of knowledge, it is not clear to me whether you already had such a tunnel, or an outgoing tunnel via Cloudflare).

The ports that the various applications need, have to be configured somewhere at the Cloudflare side.

Nothing wrong with being paranoid :wink: In either case, Yunohost is built for being used on the Internet and has a quite strict firewall built in, separate from the firewall (if applicable) in your router.

Thank’s a lot for good and clarifying answares. :+1:
I’m new to this, and find it difficult to know what is enough security.

I totally see the point on decentralizing.

I interpret it as cloudflare proxy not neccecary brings any important security measures regarding intrusion to my system. (Compared to hosting the domain another place.)

@wbk Does Yunohost alert user somehow on suspicios activity?

I understand your worries, especially because it is difficult to ‘see’ what is actually happening at router/server level (as opposed to, say, someone walking into your garden and looking into your window).

Somewhat. One of the alerts on the diagnosis page goes into this, but it is difficult to say what is suspicious. The alert I am referring to says something along the lines of “There were many failed logins from various places”, which implies bots or people trying default/leaked credentials to try to log in. Diagnosis suggests to check whether fail2ban is running.

Fail2ban is a one-size-fits-all security measure, that blocks access to your server from a certain IP if there have been a certain number of failed logins from that IP (banned for 10 minutes after, in the default Yunohost configuration, 5 tries).

Other hints in the diagnosis are on app-level and on service level: whether the app is packaged according to Yunohost guidelines, whether the configuration has changed and whether it is the latest version; for the services (such as fail2ban) it is checked whether they are running in the first place.

If anything in the diagnosis is out of order (the above, but also the other checks), it will send you an email notifying of that (but you might have noticed by now, if your server has been running for a while :slight_smile: )

Thanks for taking time. It is nice to have things explained in an understandable matter.