I am still very much a novice in the self-hosting space, Linux, etc., having fairly recently switched from using macOS as my daily driver and not tinkering much at all.
One of the things that often confuses me is networking and making sure my setup is secure. This is currently holding me back from hosting more stuff locally that I would require access to from outside my home, as I am afraid I am doing something that could severely compromise my data. It can sometimes be difficult to follow explanations from more advanced users due to the many different components of networking and security, and the different layers of abstraction, which prevents me from following completely. I might understand one particular case, but then be unable to make connections to another one. So I would want to research this more intensively, and ideally I would end up being able to easily understand the data flows - the paths the data takes (e.g. I make an HTTPS request to some server from my laptop; how is that traffic routed correctly through my local area network and later the wide area network), and in what forms (i.e. different protocols, encryption layers etc.).
In communities like this, I see there are a lot of very knowledgeable people who could maybe recommend some resources that cover this from the basics and on to more advanced stuff? Maybe a textbook from a university course on ICT that is considered particularly good? A YouTube channel with great explanations and visualizations? I am looking both at home LAN and the internet in general. Enterprise-level networks are not very interesting to me (at the moment).
Check this out https://taggartinstitute.org/p/the-homelab-almanac. (Shoutout once again to @mttaggart@infosec.town .)
Nice, the TOC seems promising for several of the things I am looking to learn more about.
This looks amazing!
The table of contents hints there is only one section relevant to security, Lab Firewall Config.
Anyone have experience with this book that could vouch for other chapters that explore best practices for security?
The Homelab Show frequently explores the topic of security in a homelab. I’m a big fan of Jay LaCroix, since I learned how to use Proxmox from his fabulous Proxmox course. They touch on security from the broad to the specific, and talk about incidents, as well. You do have to search through it to find the episodes where security is a topic, but they are there.
Sweet, thanks for the tip. I also have learned a lot of Linux basics from Jay through LearnLinux TV. Good educator. Did not know about The Homelab Show though, so I will definitely check that out.
Honestly, start by thinking about what has access to what. From there you can focus on least privilege, which will involve firewalls, VLANs and isolation.
Nothing wrong with being self-taught. You could follow these basic topics before poking holes in your firewall.
- VLANs: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a “main” and an “IoT” network so that the IoT network can’t talk to your “main” network but “main” can reach IoT devices. For wired, try to have a Management network, a “Dirty network” etc.
- Firewalls and Routing: You will need to be able to route between your VLANs and set firewall rules to allow certain traffic. Best practice is to block everything and allow only what you need.
- NMAP: learn how to do NMAP scans of your network to discover hosts and their open ports/services. This is a similar approach to what “hackers” and script kiddies use on the public internet to find vulnerabilities and open services. Being able to probe your own network is crucial in understanding how others might approach penetrating it.
- Wireguard VPN: Learn to access your network remotely by setting up a wireguard VPN. Wireguard is preferred because it is “stealthy” and will not respond to unsolicited attempts to probe your network. Start small by using wireguard to access between VLANs so you don’t run the risk of using the internet.
- NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes it's necessary if you want others to reach your website/blog/hosting etc.
That’s a rough outline that you can use to guide yourself and achieve milestones with hands on experience. In your pursuit you’ll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!
Reading is fine and all, but in my experience of learning about networking and security, I have always learnt the best when I have a need for it.
Let’s take the example from your post. Now, we know that HTTPS is important so that nobody has access to the traffic you’re forwarding to the Internet. Encryption usually just requires two things: the data (your traffic) and a key to encrypt it.
When you’re visiting a website with a valid certificate, it sends its public key and the valid certificate to your browser. Your browser validates that the website you’re trying to visit seems OK (not sure about the internals of the process), and encrypts your traffic with the public key of the website.
The website can now decrypt your traffic with its private key. Nobody gets to snoop on your data (but they do get to snoop on your metadata, which I’ll come to in a bit). That’s how the process works, and I have essentially provided an overview of the TLS handshake in my explanation.
Why did I say that your data isn’t exactly secure even though you encrypt it? Well that’s because your metadata isn’t encrypted yet. It is only recently that the masses are picking up on ECH and ESNI (SNI - server name indicator; this is the DNS record of your request, which means your ISP knows which website you went to, but it doesn’t know what you did on said website). With that said, I was talking about the broader Internet, which seems to be out of scope for this discussion.
Let’s talk about another use-case of TLS in your homelab, since we’re on the subject.
Problem: you want to find the padlock symbol in your browser every time you visit an internal website, but since you’re using plain HTTP on your network, your browser considers it fit to annoy you with a warning that your destination might be a malicious website (it’s not, unless you don’t know what you’re hosting).
Immediate solution: use a reverse-proxy! Most reverse-proxies have integrations with certificate automation software (certbot FTW) which handles TLS on the client side and deals with the warnings (if you have understood the paragraphs that I have written till now, you will understand why this is the case).
Background: Have you heard of reverse proxies? If not, a bit of reading on Wikipedia should do the trick, but basically, reverse proxies map a subdomain (slight understanding of DNS is required for this since certificates and DNS are tied closely) to a specific IP and port. This is important if you’re hosting containers on a single machine since the only way to reach a specific container is through the combination of IP:Port, but who wants to remember random numbers? Too lazy to do that.
Question: why not just use my DNS server to map subdomains and IPs? This might not be obvious to everyone if you don’t know about DNS and its limitations (in this scenario).
Let me know if you’re facing issues with anything that I typed here. It’s a long, long journey (I’ve been learning for years now and I still don’t get things right), but you’ll get there. Just take your time, make sure to not get overwhelmed, and you’ll make it.
Cheers
textbook from a university course on ICT that is considered particularly good?
IMO, textbooks cover more theory. Generally a textbook is already outdated when it comes out due to the relatively long time required for preparation and publishing.
But a lot of the underlying technology is unchanged for a long time, right? So to get a deeper grasp of e.g. different protocols and data flows, I imagine it could at least be a good starting point.
The Wikipedia article on the Internet protocol suite of course provides a lot of information on this, but my issue with learning from Wikipedia is that it provides a long article on one topic with tons of links, but often no natural flow to the next topic. This could lead to reading up on things in the wrong order, making the learning process more difficult than it has to be. A textbook on the other hand, if written well, is more a curated set of texts that introduces topics in a logical order, so that a topic is not introduced until the required prerequisites have already been treated.
A YouTube channel (or perhaps rather a YouTube playlist) can also provide such a curated set of material, although in my experience these videos can often be a little too superficial to get any proper understanding of the subject. There are of course exceptions.
You have a point.
In addition to the textbook, check out certificate-oriented books like Network+ and Security+.
I use wildcard TLS certs and wildcard DNS records for my domains. This ensures that no service can be easily accessed unless you have the full domain name. For example, if you have Plex and Deluge then you have to set DNS records to plex.abc.xyz and dns.abc.xyz. This can be seen by anyone else trying to find vulnerabilities. But if you have wildcard certs/DNS, all anyone can see from outside is *.abc.xyz; only the reverse proxy (e.g. nginx) knows the domain.
Don’t forward any ports unless you have to. Don’t run any service on 0.0.0.0 unless you have to. Incoming ports from the internet can be super dangerous.
A safe way to do self-hosting is with WireGuard: just set up a WireGuard container on the server, then you can access all the services from anywhere when connected from a client without exposing any TCP ports.
For connections, why not try traceroute? mtr, traceroute.
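As an added example (not from the thread), here is a small POSIX shell script for the "don't run any service on 0.0.0.0" advice: it reads the output of `ss -tlnpH` (Linux, iproute2) and lists only the TCP listeners bound to every interface (0.0.0.0 or [::]), which are the ones a port forward or a neighbouring VLAN could reach, as opposed to loopback-only or single-interface binds. The sample `ss` output is constructed so the script runs offline; the process names and ports are made up.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets bound to a wildcard address.
# Each line below mimics one row of `ss -tlnpH` output on a Linux host
# (State Recv-Q Send-Q Local:Port Peer:Port Process). Constructed sample data.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=901,fd=20))
LISTEN 0 4096 [::]:8096 [::]:* users:(("jellyfin",pid=1122,fd=33))
LISTEN 0 128 192.168.10.5:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 511 [::1]:4533 [::]:* users:(("navidrome",pid=1300,fd=9))'

# Reads ss rows on stdin and prints "port process" for every listener whose
# local address is 0.0.0.0, [::] or * (i.e. reachable on every interface).
wildcard_listeners() {
    awk '
        $1 == "LISTEN" {
            laddr = $4
            # The port is everything after the last colon; the address is the rest.
            # This handles both "0.0.0.0:443" and bracketed IPv6 like "[::]:8096".
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
                proc = "unknown"
                # Pull the first quoted process name out of users:(("name",pid=...))
                if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
                print port, proc
            }
        }'
}

# Run the audit over the constructed sample (used by the tests as well).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
}

# Live variant for a real Linux host; needs `ss` from iproute2. Not called here.
audit_live() {
    ss -tlnpH | wildcard_listeners
}

audit_sample
```

On the sample this reports only 443/nginx and 8096/jellyfin; the MySQL socket on 127.0.0.1 and the SSH socket bound to one LAN address are not listed, which is the difference the advice above is about.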
To see things within a packet you can use WireShark.
I know nothing about networking or security. What has helped me was going to the library and checking out any books they have on networking and security. I don’t actually read the books through, I scan them for terms I’m not familiar with and just read about those. It has helped me a lot more than trying to find it online or ask specific questions on forums. There’s so many books and info, I mean people go to college for this stuff. Even the “for dummy” books are a useful resource.
For homelab, start with the absolute basics - set up a firewall, and make sure you understand how it works! Map out your network topology, even if it is just your DSL box, router & your PC + printer with a Raspberry Pi (or 2) for your project.
After you’ve made absolutely sure that the outside world can only get in where you’ve let it, then you can focus on having good application-level security; unfortunately this is really case-by-case.
As for resources, I would start with YouTube - you tend to get to focus your learning a bit better and spend less time searching for something relevant (as you mentioned, enterprise tends to be the focus, because they’re often the main targets of network related attacks). For more depth, but not crazy detail, try the O’Reilly books or similar on networks & related security topics (there are a few!)
For homelab, start with the absolute basics - setup a firewall, and make sure you understand how it works! Map out your network topology, even if it is just your DSL box, router & your PC + printer with a raspberry pi (or 2) for your project.
Hehe, yeah, but even here I run into a large forest of terms and concepts. For example (the questions are only examples of things I stumble upon in this process, not questions addressed at you): “Setup a firewall” - on my server or on the router? Or both? And since my router is provided by my ISP which has its settings exposed through their online portal (which I hate the thought of), how does that factor in? What use is a router firewall if someone gains access to this portal and can configure at will? Can I set up the router in bridge mode and incorporate my own router, and thus have complete local control of my network? Couldn’t someone simply deactivate this in the online portal if they gained access there? And if I open ports in the firewall for a specific application, what risks am I running outside of exploits in the applications themselves? For example, I have opened a port in the router settings for torrenting Linux ISOs (for a specific local IP) - could traffic through the same port be used to compromise the network in other ways? etc. etc.
Suddenly I have fifteen questions. So when trying to research the answer to these questions, I often get slapped with five concepts I either barely have a grasp of or don’t know at all in one sentence that tries to explain what is going on. It’s not that it is impossible to learn this way, but it tends to quickly become overwhelming, and I run into explanations of concepts I don’t have enough prerequisites to learn properly yet. Which is why I am trying to get a coherent introduction to all the topics in a sensible, curated way to beef up my understanding of it, so that the research process becomes easier.
For more depth, but not crazy detail, try the O’Reilly books or similar on networks & related security topics (there are a few!)
Cheers, I will have a look to see what I find :) Sounds very much like what I am looking for.
One more thing - install Wireshark and get a real-time view of what your network is doing. Massively helpful tool.
I have been meaning to install it to learn more about the structure of the packages that are sent and received. Thanks for the reminder.
“Setup a firewall” - on my server or on the router? Or both?
Both. Access from the internet to your devices is protected by your router. You should only ever open ports to things you want to access from outside of your house. For example, a website on TCP 443 is a good thing to allow. Database access on TCP 3306 is NOT something you want to access from the internet.
Internal to your network, you can open up the Database port on TCP 3306 if another computer in your network needs access to it. Don’t leave it open for no reason.
And since my router is provided by my ISP which has its settings exposed through their online portal (which I hate the thought of), how does that factor in?
Is it a private IP address you use to access it (i.e. http://192.168.0.1) or is it some other thing? If it’s a private IP address, that’s standard and is no problem. I’ve never heard of logging into something like a public website to open ports on your router.
What use is a router firewall if someone gains access to this portal and can configure at will?
If someone has access to your Internet Provider's firewall/router combo device thingy, then it’s game over. They can open any ports, do anything they want to it. However, this is unlikely. Make sure to keep your router up to date and only open ports that you know 100% what they’re for and what they do. NEVER allow access to the admin panel from the internet (WAN port). Though, if you need to use their public website (which I doubt) then it’s moot and you can't do anything.
Can I set up the router in bridge mode and incorporate my own router, and thus have complete local control of my network?
Yes, if they support it. This is what I do and that’s exactly what it’s for.
Couldn’t someone simply deactivate this in the online portal if they gained access there?
Sure, but this would give them access to your Provider's firewall, which you have your own firewall plugged into, so it doesn’t matter. You will still be protected by your self-provided firewall, some things will stop working (you’ll be double NATed so public services might not work), and it’ll be a clue that someone changed something on your Provider's firewall.
And if I open ports in the firewall for a specific application, what risks am I running outside of exploits in the applications themselves? For example, I have opened a port in the router settings for torrenting Linux ISOs (for a specific local IP) - could traffic through the same port be used to compromise the network in other ways? etc. etc.
Yeah, so if you open no ports, you block everything… The only exposure (to people trying to connect to you) is the firewall/router you have sitting there watching what goes on. Keeping this up to date is VERY important, and they have a pretty good history of not being hacked, so I’d say you’re safe. For each port you open you add a service that people from anywhere in the world can talk to. So, if you open port TCP 443 and have Nginx or a website answering requests, you now need to make sure this is as secure as possible. ANYONE ANYWHERE can talk to it. If an exploit is found in Nginx/your website then it can be used to get access into that computer. From there, they are on your computer and can see anything that computer has access to. If you have 2 ports open, i.e. website + torrenting, now you have two things you MUST keep up to date because anyone can talk to them and exploit them to get into your computer. This is why you MUST know what is open to the internet and what it’s doing. The more things you have, the more options you give hackers to get in.
Suddenly I have fifteen questions. So when trying to research the answer to these questions, I often get slapped with five concepts I either barely have grasp of or don’t know at all in one sentence that tries to explain what is going on. It’s not that it is impossible to learn this way, but it tends to quickly become overwhelming, and I run into explanations of concepts I don’t have enough prerequisites to learn properly yet. Which is why I am trying to get a coherent introduction to all the topics in a sensible, curated way to beef up my understanding of it, so that the research process becomes easier.
I would do what they said. Start small and at the first point of contact. Understand what is plugged into the internet (ISP router) and all the settings on it. Understand what NAT means, understand how to open ports, etc. Then start small: set up a computer and make sure you know what ports are open. If you want a website, set it up so it works internally, test it, maybe port scan your server (with nmap or something) to see what’s open and understand what they’re for. Close the ports you don’t need open, then you can consider opening it from the internet.
The most important thing is keeping it up to date and only opening what you need access to.
A side point is, if it’s just you that needs access to it, consider a VPN (wireguard) or overlay network (tailscale) so you only need to open one port and that will give you access to everything you need in your network.
Wow, I didn’t expect anyone to actually answer the questions, but it is very very appreciated. Thanks a lot for taking the time to do so.
Both. Access from the internet to your devices is protected from your Router. You should only ever open ports to things you want to access outside of your house.
Ok, good. So the firewall is already configured to block everything as far as I know, except for what I explicitly allow which for the time being is only my torrent client on two different machines (randomized ports).
In a homelab setting, I believe what I want to do is expose one port to a reverse proxy and redirect traffic to local services from there. But this is one of the things that I am uncertain about because I don’t entirely understand how this works. In my head: I open port 8080 where e.g. Nginx Proxy Manager listens. This is the only port anyone can gain access to anything inside my home network, and the proxy manager will say “Hey, this traffic should be redirected to port 8096 and this traffic should go to 4533”, but no direct connections to these ports can be made from outside my own network as they are not exposed. I am vulnerable only to the extent that there is an exploit in the proxy manager itself or the services. I intend to run all services in Docker containers, so they should not have access to anything else on the server, and the volumes that are mounted are ideally read-only (but that cannot always be the case). It sounds safe enough, but again, since I am not entirely certain that my understanding is correct, there might be a massive gaping hole somewhere I am unaware of.
Is it a private IP Address you use to access (IE http://192.168.0.1 or is it some other thing?) If it’s a private IP address, that’s standard and is no problem. I’ve never heard of logging into something like a public website to open ports on your router.
No, it is https://wifi.myisp.tld. It seems to require being connected to the WiFi to work. If I’m connected to a VPN or through mobile, it will give me an error. With my previous ISP, it was a simple login with username and password with a SMS 2FA. I never attempted to login from elsewhere then, so it might’ve been likewise protected. In any case, they do it like this so that less tech-savvy people can have the support perform any necessary changes on their behalf instead of trying to guide them by phone through the local web interface. So it can be accessed without being connected to the WiFi, but I guess there are larger problems if the ISPs system has been compromised to allow this somehow.
Yes, if they support it. This is what I do and that’s exactly what’s it’s for. Sure but this would give them access to your Providers firewall, which you have your own firewall plugged into so it doesn’t matter. You will still be protected by your self provided firewall, some things will stop working (you’ll be double NATed so public services might not work) and it’ll be a clue someone changed something on your Providers firewall.
Yeah, they support bridge mode. So is this essentially enabling free flow of traffic through and completely trusting the secondary router I provide myself? And if someone then disabled bridge mode in the online interface (again assuming that this would be possible), I am not exposed as long as I have my own router following the provider’s router?
So, if you open port TCP 443 and have Nginx or a website answering requests, you now need to make sure this is as secure as possible. ANYONE ANYWHERE can talk to it.
What happens if I have a port open that nothing is listening to? Is that a security concern? For example, the ports to my torrent clients when I am not using the torrent client.
A side point is, if it’s just you that needs access to it, consider a VPN (wireguard) or overlay network (tailscale) so you only need to open one port and that will give you access to everything you need in your network.
As I mentioned above, I am considering a reverse proxy, which to my understanding also limits the number of ports open to 1. How does that compare security-wise in your opinion?
I open port 8080 where e.g. Nginx Proxy Manager listens. This is the only port anyone can gain access to anything inside my home network, and the proxy manager will say “Hey, this traffic should be redirected to port 8096 and this traffic should go to 4533”, but no direct connections to these ports can be made from outside my own network as they are not exposed.
Draw it out. Anything in the path has the potential to be exploited.
Internet -> ISP router -> TCP port 8080 to Nginx Proxy Manager -> TCP 443 to Computer running docker -> Docker Container -> Service.
So, in the above, the entire world will have access to only your IP on port 8080. Nginx Proxy Manager will take the packet, read it, do what it needs to and forward it to the destination. I’d say that Nginx Proxy Manager and the end service are at risk of being exploited. If they get in, then they’d be isolated by Docker and they’d need a Docker exploit to get out. However, they’ll be in the Docker container so they’ll have access to whatever that container has access to, and unless you block outbound access from the container it’s basically everything in your network.
I think what you’re getting at is, if I have Nginx listening on port 443 and it is open to the world, can they access my game server on port 1234 that is local only? The answer to this is no. They will not have access to the game server. They need to first hack Nginx; from the PC/Docker container they then need to have access to your game server on port 1234, and if there’s nothing blocking them (by default I believe there is nothing stopping this) then they can hack your game server.
No, it is https://wifi.myisp.tld.
If you ping wifi.myisp.tld, what is the IP address? Is it private? What if you go to http://ip.add.re.ss? It should be the same thing???
If I’m connected to a VPN or through mobile, it will give me an error. With my previous ISP, it was a simple login with username and password with a SMS 2FA. I never attempted to login from elsewhere then, so it might’ve been likewise protected.
It sounds like it’s private and only you have access. However, ISPs usually have their own way to get into these devices, or at least to push updates or config changes. So your only risk here is the ISP being hacked, then getting you from there. OR the actual device itself having a flaw in it and someone getting in that way. In either case, all the ISP's customers will be at risk. You can still go into bridge mode to protect from this.
Yeah, they support bridge mode. So is this essentially enabling free flow of traffic through and completely trusting the secondary router I provide myself?
Yes. Bridge mode means the ISP-provided router is now only for translation (i.e. from coaxial/DSL/fibre to RJ45/cat cable). You plug the ISP device into the WAN port of your own device and now your device has the public IP address, and that is what you're trusting to protect you.
And if someone then disabled bridge mode in the online interface (again assuming that this would be possible), I am not exposed as long as I have my own router following the provider’s router?
Yeah, as long as the ISP router is plugged into the WAN port of your router and ONLY the WAN port, then you’re safe from the ISP shenanigans.
What happens if I have a port open that nothing is listening to?
The firewall/router will forward that packet to the IP and port. If there is no device on that IP, the packet will be dropped inside your network and nothing will happen. If there is a computer there and the computer's firewall is blocking access to that port, the PC firewall will either drop it or reply saying it’s closed. This depends on how the PC firewall is configured. If the PC has the port open but there is no service, the PC should just drop the packet, but it will still make it to the computer.
Is that a security concern? For example, the ports to my torrent clients when I am not using the torrent client.
Yes and no. Something could start listening on that port and start replying. You’ll have no idea if a service is listening on it unless you're looking or it’s too late.
Ignoring the fact that something COULD start listening on it, then no, there’s no real concern, but I’d never do this myself. It’s like giving out a bad phone number as your number: it’s possible someone will be given this phone number and now you’ll have problems.
As I mentioned above, I am considering a reverse proxy, which to my understanding also limits the number of ports open to 1. How does that compare security-wise in your opinion?
That’s fine, just keep everything in the path up to date. I have port 443 open pointing to nginx; from here I forward traffic to Home Assistant, NextCloud, Headscale, etc, etc. They’re hosted in docker.
I have scripts that try to update everything every hour and I’m not really worried. I’d rather an update to a new version take down my services than trust myself to log in every couple of days and do it manually.
if you ping wifi.myisp.tld what is the IP address? is it private? what if you go to http://ip.add.re.ss it should be the same thing???
The IP address is outside my network. If I try to connect directly to the IP address, it fails the certifications, I get a list of domains that are connected to the cert and am allowed to “continue and accept the risk”, landing at the same site.
yes. Bridge mode means the ISP provider router is now only for translation (IE: from coaxial/DSL/Fibre to RJ45/cat cable). You plug the ISP device into the WAN port of your own device and now your device has the public IP address and that is what your trusting to protect you.
OK, I will definitely look into this in the near future then.
as long as the ISP router is plugged into the WAN port of your router and ONLY the WAN port, then you’re safe from the ISP shenanigans.
There’s a modem connected to the WAN port, and the router/hotspot is connected to the modem. But I guess that doesn’t change anything?
I have scripts that try to update everything every hour and I’m not really worried. I’d rather an update to a new version take down my services than trust myself to log in every couple of days and do it manually.
I will definitely need to setup this myself then. Do you run this as cron jobs?
Thinking about the torrent thing, there’s no better way to do it. I’d personally open a static port, i.e. 12345, and point that at the torrent client on the PC. I would not randomize it and open a massive range on your firewall just in case. Then just close the client when you’re done and know that packets for 12345 will still reach your PC; they’re just dropped there.
OK, that is basically how it is configured now. It is not randomized in the sense that it changes every time, but it is listening on a port that was randomly chosen, and it has been static since configuration.
Not that I support it, but if you’re downloading more than just Linux ISOs and you’re in a country with pretty strict laws around this sort of thing, you should be using a VPN that supports opening ports. Then you do not need anything open on your firewall, just to connect to the VPN when you’re ready to sail the high seas.
I do use a VPN (with port forwarding supported, but I have not activated it, which I know could affect performance, but I have not noticed anything here). Is the port opening on my router unnecessary in this case?
The IP address is outside my network
I don’t like this. That’s super weird and I would not trust it. I’m sure it’s “fine” but I’d hard pass on that. Set up my own 100% for sure.
There’s a modem connected to the WAN port, and the router/hotspot is connected to the modem. But I guess that doesn’t change anything?
I don’t understand. Can I get a pic (MS Paint or real or something) or some brand names or something? I understand if you don’t want to show, I’m just not sure what you’re saying.
My ISP gave me a white box; I plug a fibre cable from the street plus power from the outlet into this box. Then I have a cat6 cable from this box (port 1 as per their instructions) into the WAN port of my firewall. My firewall has a public IP on its WAN interface and I have 4 ports for LAN. The same firewall gives off wifi to the rest of my house.
I will definitely need to setup this myself then. Do you run this as cron jobs?
Yeah, here’s one of them for a VPS I rent: 30 * * * * root dnf clean all ; dnf -y update && needs-restarting -r || /usr/sbin/reboot
I actually run things in Kubernetes and use https://github.com/keel-hq/keel to keep my pods (containers) up to date.
I do use a VPN (with port forwarding supported, but I have not activated it, which I know could affect performance, but I have not noticed anything here). Is the port opening on my router unnecessary in this case?
The port opening on the router is unnecessary and could be a bad thing. If you’re using a VPN with port forwarding I’d close the one on your router right now. The “open” port is open via the VPN connection so they do all the opening for you, you just need to make sure your PC is on the VPN.
Go to this site without your VPN on; it will tell you if you’re using your raw internet to download torrents: https://iknowwhatyoudownload.com/en/peer/
It sounds like you might be doing that, or at least have the ability for people to connect to you via your ISP (bad) and not over the VPN (good).
I don’t like this. That’s super weird and I would not trust it. I’m sure it’s “fine” but I’d hard pass on that. Set up my own 100% for sure.
Yeah, good to have my suspicions confirmed. This setup is standard where I live now, and I don’t think you can get around it. The first time I noticed this was a couple of years back. I’ll start finding a suitable router and set it up in bridge mode.
I don’t understand. Can I get a pic (MS Paint or real or something) or some brand names or something? I understand if you don’t want to show, I’m just not sure what you’re saying.
I have two small boxes in a cabinet - one is receiving a white cable that comes from outside my home, and outputs an optical signal that goes into the other box. This other box also gets a coax cable from outside my home, and outputs an ethernet connection that is connected to what my ISP calls a WiFi router. This has additional LAN ports as well.
Go to this site without your VPN on; it will tell you if you’re using your raw internet to download torrents: https://iknowwhatyoudownload.com/en/peer/
I could not access this site now, however, I’ve checked this with the torrent address detection tool on ipleak.net many times before. I recently had an issue where my real IP would show for a second if I disconnected my VPN connection manually, but I solved this. My torrent client is bound to the interface created by the VPN client. At this point I am pretty sure it is fine. But I will close the ports again.
Thinking about the torrent thing, there’s no better way to do it. I’d personally open a static port, i.e. 12345, and point that at the torrent client on the PC. I would not randomize it and open a massive range on your firewall just in case. Then just close the client when you’re done and know that packets for 12345 will still reach your PC; they’re just dropped there.
Not that I support it, but if you’re downloading more than just Linux ISOs and you’re in a country with pretty strict laws around this sort of thing, you should be using a VPN that supports opening ports. Then you do not need anything open on your firewall, just to connect to the VPN when you’re ready to sail the high seas.
UPnP should be disabled on your firewall (unless you play Xbox or whatever). This allows a device, like an Xbox or PC, to request that your firewall open a port. This is needed for some online games to work properly but is not very good for security.
One more thing - install Wireshark and get a real-time view of what your network is doing. Massively helpful tool.