view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.
-
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
You should, yes. I run a firewall (I usually use ufw) on all of my Internet-connected devices, since all of my devices run Linux. There's not really any good reason not to in 2025.
But is there a good reason to run one on a server? Any port that's not in use won't allow traffic in. Any port that's in use would be added to the firewall exception anyway.
The only reasons I can think of to use a firewall are:
Be intentional about everything you run, because each additional service is a potential liability.
Because it's easy to accidentally run services or set up services temporarily and forget that you left them running. With UPnP being able to automatically/dynamically open ports, a firewall is just another layer of protection. You can also configure firewalls to ignore packets silently or log dropped packets, and if applications ever get new versions and end up listening on new ports, you would have to manually allow the ports. Maybe you want to have one part of an application accessible through the firewall but not another part of the application.
Plus, like you said, country blocking is another feature which personally I think is nice to have, and there are also other features too like being able to throttle connections, especially with things like fail2ban.
It's just another layer of protection, and it ensures that everything you run is deliberate.
It honestly depends on how you run things.
If everything is in containers, chances are you're already getting the benefits of a firewall. For example, with podman or docker, you already explicitly expose ports, which is already a form of firewall. If you're running things outside of containers, then yeah, I agree with you, there's too much risk of something opening up a port you didn't expect.
Everything I run is with podman, which exposes stuff with iptables rules. That's the same thing a basic firewall does, so adding a firewall is superfluous unless you're using it to do something else, like geoip filtering.
When in doubt, use a firewall. But depending on the setup, it could be unnecessary.