Hi, just came across this subject while running a diagnostic test on my pi-hole install.
I see that there are ufw and firewalld. Shall i use any of them, and if yes which is recommended?

This is not a black and white answer. It depends on your need and on the scenario you are running. Is you system internet facing? Means, do you have incoming internet traffic from outside your network? Or just local access?

I have several pi with different function in my local network. However i have one that hosts a nextcloud that is accessable from outside.

1pi: internet radio
4pi:Media center
5pi:Pi-hole + downloader

Theoretically the firewall is already on your router. Next to that you forward port 80/443 to nextcloud system only. A firewall on that particular system won’t change anything as you would open very same ports usually. But of course you could install ufw. Another option is to install fail2ban to block system trying to access your nextcloud but using wrong passwords

thank you i understand.
firewalld or ufw then? pihole -d diagnostics was looking at firewalld. Does the pihole pi need a firewall extra?

PiHole themselves don’t need a firewall

so ufw is preferable?

ufw is a firewall as well. But again Pihole don’t need one as long as your system is not internet facing

jsut very last questioin:
shall install firewall on the machine hosting NC?

Of course you can install a firewall like ufw. As well think of failwban to block failed login attempts.

So to summarize:

  1. I understand that my Raspberry Pi running DietPi cannot be reached from outside the network unless port forwarding is set up on the main router. Is that correct?
  2. As I understand further more applications which generate outgoing traffic and therefore incoming traffic as well to and form the internet have there own security settings. They do not need port forewarding at the router. A firewall changes nothing, right? As example the system time sync.
  3. To check the outgoing and incoming traffic from applications and in a case of port forwarding, someone can use ufw. The log will be written into /var/log/ufw.log, right? This might be a good way to get any understanding what traffic is generated for further actions. Any suggestions?

Kind regards.


There are no direct security settings. As the traffic is generate by your apps, they will be able to get a feedback back. It always depends on who is the source generating traffic.


Not fully correct, you could block outgoing traffic

UFW will block traffic, to analyse your network traffic, you could use tcpdump or as tool wireshark

OK, perfect. Thank you for the tip: tdpdump and wireshark.