The issue I am facing:
In quite a few tutorials on https://docs.pi-hole.net/ I read a lot about how internet-facing devices should be properly firewalled.
Now I wonder, what actually is considered properly firewalled?
The documentation has no Firewall section. At Firewall Configuration - Pi-hole documentation I found this about firewalling the Pi-Hole OpenVPN server:
If you are behind a NAT and not running the Pi-hole on a cloud server, you do not need to issue the IPTABLES commands below as the firewall rules are already handled by the RoadWarrior installer
It says it is optional, only needed when running in the cloud, etc. But the Road Warrior installer gives me the pretty insecure "forward all - anywhere" default firewall settings.
Details about my system:
- Router FritzBox acting as firewall.
- Pi-Hole runs openVPN server, port 1194 facing open to the internet.
- I guess the defaults are not considered properly firewalled:
The actual question
- Is my FritzBox firewall, which only lets port 1194 into my network, considered properly firewalled?
- Can a hacker, let's say, attack the open port 1194 and break out from there, like from the Pi-Hole device into the rest of my network?
- Let's say there is an attack vector in OpenVPN which could give elevated rights and the hacker gets root or whatever. Will an additional firewall on the PiHole help in such a case? From my understanding, to open extra ports for additional hacker shenanigans, he would need to take control of the router, or not?
- Not sure how all this hacking works exactly, but I'm just confused whether it suffices to only have the FritzBox firewall for all devices on the network.
Summary
- Do I need to firewall the Pi-Hole / OpenVPN server or do I conveniently trust my router's firewall to be sufficiently secure?
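As an added example (not from the post and not the Pi-hole project's own installer rules): a host firewall for the Pi-hole box itself, in iptables-restore format, that accepts only OpenVPN from the internet, DNS only from the LAN and from VPN clients, and forwards VPN client traffic to the internet but not into the LAN, plus a small check that counts blanket "forward all - anywhere" style rules in a saved ruleset. The interface names (eth0, tun0), the subnets (192.168.178.0/24, 10.8.0.0/24), the admin page on port 80 and UDP for port 1194 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): host firewall for a Pi-hole that also
# runs OpenVPN. Assumed names: eth0 = LAN, 192.168.178.0/24 = LAN subnet,
# tun0 = OpenVPN tunnel, 10.8.0.0/24 = VPN client subnet, OpenVPN on UDP 1194.
LAN_IF=eth0
LAN_NET=192.168.178.0/24
VPN_IF=tun0
VPN_NET=10.8.0.0/24
VPN_PORT=1194
# Emit the ruleset in iptables-restore format. INPUT and FORWARD default to
# DROP, so the host refuses anything not listed even if the router forwards more.
fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only service reachable from the internet
-A INPUT -p udp --dport $VPN_PORT -j ACCEPT
# DNS from the LAN and from VPN clients
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $VPN_IF -s $VPN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 53 -j ACCEPT
# SSH and the Pi-hole admin page (assumed on port 80) from the LAN only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
# Forward replies, and VPN clients to the internet but not into the LAN;
# add explicit per-host rules if a VPN client must reach a LAN device.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET ! -d $LAN_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
COMMIT
EOF
}
# Check: count FORWARD ACCEPT rules with no destination or state limit, the
# "forward all - anywhere" shape. Feed it `iptables-save` output on a live box.
count_open_forwards() {
  awk '/^-A FORWARD .*-j ACCEPT$/ && !/ -d / && !/ctstate/ { n++ } END { print n + 0 }'
}
# Apply only when asked explicitly: sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then fw_rules | iptables-restore; fi
```

Running `iptables-save | sh firewall.sh` is not supported; instead pipe `iptables-save` into `count_open_forwards` after sourcing the file to see how many unrestricted forward rules the current box carries.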