Question / How to: setting up Pihole/Unbound + firewalld

Hi, I am going to set up Pihole/Unbound on a raspberry pi + firewalld.

My question is related to setting up the firewall. On previous pihole installations I didn't set up a firewall. This time I'd like to do it as an additional layer of security.

My pihole is supposed to work in a lan, connected to and protected by a fritzbox router using IPv4 and IPv6. The raspberry pi has no display and no keyboard connected to it. That is why I am going to use SSH on the lan to connect to the Pihole for maintenance.

I found this page on pihole/firewalls: Prerequisites - Pi-hole documentation but I am not sure if it includes the information that I am looking for:

firewall-cmd --permanent --add-service=http --add-service=dns --add-service=dhcp --add-service=dhcpv6
firewall-cmd --permanent --new-zone=ftl
firewall-cmd --permanent --zone=ftl --add-interface=lo
firewall-cmd --permanent --zone=ftl --add-port=4711/tcp
firewall-cmd --reload

On the linked page it says: "Create a new zone for the local interface (lo) for the pihole-FTL ports to ensure the API is only accessible locally." Is this already done by the lines above or do I have to set this up separately?

After activating the firewalld on the Pihole it should be accessible using SSH* (to avoid a lock out!) and the web interface (ports 22/80) and only be accessible within the lan (the local network ip range). How do I set this up? It seems not to be part of the lines above. And what about unbound (5335)? Shouldn't this be integrated as well? Maybe someone can explain this to me?

*SSH: I am using this on the lan with a strong password that is not the standard one. Is the SSH connection to the Pihole sufficiently protected? I don't want the Pihole to be accessible from the internet. Only from inside the lan. As I stated above, the Pihole is behind a router (fritzbox).

Port 80 is also called http and it is included in the command above (--add-service=http).

For Unbound you will need to manually add the same port you used in your configuration.

Of course - Pi-hole's documentation provides information with regard to the ports that it needs for its own operation.

It's your freedom and your responsibility to add any firewall rules that are required by other services you'd like to access on the machine that hosts your Pi-hole.

It would depend on such a service's required type of access as well as your chosen firewall how you'd achieve this.

In your case, you'd obviously need to allow ssh/port 22, as well as unbound's as mentioned by rdwebdesign.

I didn't mean to say that Pihole should have included those rules in its how-to in the first place. My question was merely informative, not provocative.

So SSH and Unbound should be added in my case. What about the local IP range. Isn't this necessary, since you say that what is necessary for normal operation is included?

This is the Pi-hole forum. :slight_smile:

Your questions are valid, but they do not relate to Pi-hole.

In general, allowing ssh is safe, especially when assuming it would accept only encrypted and authenticated access, and your router would not forward inbound public requests for that port to begin with.

Yet I'd expect a thorough answer to have looked into your OS, ssh, firewall and router configuration details.

That's not required for Pi-hole's operation, but you may well opt to further restrict access to your local IP range (which would be specific to your network).

You may improve your chances for better in-depth advice by also consulting forums specialising in your firewall's configuration. :wink:


Thanks

I set up a new Pihole+Unbound installation and firewalld on a Raspberry Pi. Everything works fine so far.

The standard public zone of firewalld already included ssh permission and setting a rule for port 5335 (Unbound) wasn't necessary in firewalld for a reason I don't know. Do you know why?

So the lines indicated on the Pihole prerequisites site (see #1) seem to be sufficient, including ssh and Unbound usage. Let me know, if I am wrong, please.

It may have been sufficient in your case.

As mentioned, Pi-hole's documentation provides information with regard to the ports that it needs for its own operation.
It cannot and does not make any assumptions for additional services. If present, their respective documentations should be consulted for their specific requirements, probably along with OS and firewall docs.

Services accessed on the same machine (i.e. via a loopback address) are not very likely to be blocked by a default firewall configuration, so that's probably why using unbound via 127.0.0.1 would have worked.
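The thread leaves two points open: how to restrict ssh/http/dns to the local IP range with firewalld (asked in the first post), and why Unbound on 5335 needed no rule (explained in the reply just above). The script below is an added example, written for this thread and not taken from the Pi-hole docs or from any post here. It assumes a FritzBox-default LAN range of 192.168.178.0/24, a LAN interface named eth0, and Unbound bound to 127.0.0.1:5335; all three are adjustable through environment variables. By default it only prints the firewall-cmd invocations so they can be reviewed; with APPLY=1 (run as root) it executes them.

```shell
#!/bin/sh
# Added example; not from the Pi-hole docs or from any post in this thread.
# Restricts the ports Pi-hole's docs open (dns, http) plus ssh to the LAN
# source range, leaves DHCP on the interface zone, and keeps Unbound
# loopback-only. Assumptions: LAN range 192.168.178.0/24 (the FritzBox
# default), LAN interface eth0, Unbound bound to 127.0.0.1:5335.
# Commands are printed for review; set APPLY=1 (as root) to run them.

LAN_V4="${LAN_V4:-192.168.178.0/24}"
LAN_V6="${LAN_V6:-}"              # your router's IPv6 LAN prefix; empty = IPv4 only
IFACE="${IFACE:-eth0}"
UNBOUND_LAN="${UNBOUND_LAN:-0}"   # 1 only if LAN clients query Unbound directly

fw() {
    printf 'firewall-cmd %s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then firewall-cmd "$@"; fi
}

pihole_lan_rules() {
    # 1. Source-bound 'lan' zone. firewalld matches a packet against
    #    source-bound zones before interface-bound ones, so anything from
    #    LAN_V4 lands here and only the services listed below are reachable.
    fw --permanent --new-zone=lan
    fw --permanent --zone=lan --add-source="$LAN_V4"
    if [ -n "$LAN_V6" ]; then
        fw --permanent --zone=lan --add-source="$LAN_V6"
    fi
    fw --permanent --zone=lan --add-service=dns
    fw --permanent --zone=lan --add-service=http
    fw --permanent --zone=lan --add-service=ssh

    # 2. Interface zone: everything NOT from the LAN range stays in 'public'.
    #    Remove ssh/dns/http there (they are admitted via 'lan' now; the docs'
    #    first command put dns/http into the default zone, and firewall-cmd
    #    only warns if a service is not enabled). Keep DHCP: a DHCPDISCOVER is
    #    sent from source 0.0.0.0 and can never match a source-bound zone.
    fw --permanent --zone=public --change-interface="$IFACE"
    fw --permanent --zone=public --remove-service=ssh
    fw --permanent --zone=public --remove-service=dns
    fw --permanent --zone=public --remove-service=http
    fw --permanent --zone=public --add-service=dhcp
    fw --permanent --zone=public --add-service=dhcpv6

    # 3. Unbound: with 'interface: 127.0.0.1' in unbound.conf no query arrives
    #    on eth0, and firewalld's default INPUT rules accept loopback traffic,
    #    so no rule is needed. Open 5335 to the LAN only if clients other than
    #    Pi-hole are meant to query Unbound.
    if [ "$UNBOUND_LAN" = 1 ]; then
        fw --permanent --zone=lan --add-port=5335/udp
        fw --permanent --zone=lan --add-port=5335/tcp
    fi

    fw --reload
    # Check: 'lan' should list the source range(s), 'public' the interface.
    fw --get-active-zones
}

pihole_lan_rules
```

Before running with APPLY=1 over SSH, keep the existing session open and test a second login from a LAN client; because the Pi is addressed from within LAN_V4, that login now arrives through the `lan` zone, and ssh being removed from `public` only affects sources outside the range.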

