Hi, just came across this subject while running a diagnostic test on my pi-hole install.
I see that there are ufw and firewalld. Shall I use either of them, and if yes, which is recommended?

This is not a black and white answer. It depends on your needs and on the scenario you are running. Is your system internet facing? Meaning, do you have incoming internet traffic from outside your network? Or just local access?

I have several Pis with different functions in my local network. However, I have one that hosts a Nextcloud that is accessible from outside.

1pi: internet radio
4pi: Media center
5pi: Pi-hole + downloader

Theoretically the firewall is already on your router. Next to that, you forward ports 80/443 to the Nextcloud system only. A firewall on that particular system won’t change anything, as you would usually open the very same ports. But of course you could install ufw. Another option is to install fail2ban to block systems trying to access your Nextcloud but using wrong passwords.

Thank you, I understand.
firewalld or ufw then? The pihole -d diagnostics was looking at firewalld. Does the Pi-hole Pi need an extra firewall?

PiHole itself doesn’t need a firewall.

So ufw is preferable?

ufw is a firewall as well. But again, Pihole doesn’t need one as long as your system is not internet facing.

Just one very last question:
Shall I install a firewall on the machine hosting NC?

Of course you can install a firewall like ufw. Also think of fail2ban to block failed login attempts.
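
The fail2ban suggestion in the replies above comes down to counting failed logins per source address inside a time window. The sketch below is an added example, not part of the thread and not fail2ban's own code: it applies that rule (named after fail2ban's `maxretry` and `findtime` options) to constructed log lines whose JSON field names are assumed to follow Nextcloud's log format.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; field names (time, remoteAddr, message) are an
# assumption modelled on Nextcloud's JSON log, addresses are documentation ranges.
SAMPLE_LOG = """\
{"time":"2024-01-10T10:00:00+00:00","remoteAddr":"203.0.113.7","message":"Login failed: admin (Remote IP: 203.0.113.7)"}
{"time":"2024-01-10T10:00:20+00:00","remoteAddr":"203.0.113.7","message":"Login failed: root (Remote IP: 203.0.113.7)"}
{"time":"2024-01-10T10:00:45+00:00","remoteAddr":"203.0.113.7","message":"Login failed: pi (Remote IP: 203.0.113.7)"}
{"time":"2024-01-10T10:01:00+00:00","remoteAddr":"198.51.100.20","message":"Login failed: anna (Remote IP: 198.51.100.20)"}
this line is not JSON and must be skipped
{"time":"2024-01-10T10:02:00+00:00","remoteAddr":"192.168.1.50","message":"Login failed: anna (Remote IP: 192.168.1.50)"}
{"time":"2024-01-10T10:02:30+00:00","remoteAddr":"192.168.1.50","message":"Some unrelated log message"}
{"time":"2024-01-10T10:30:00+00:00","remoteAddr":"198.51.100.20","message":"Login failed: anna (Remote IP: 198.51.100.20)"}
{"time":"2024-01-10T11:05:00+00:00","remoteAddr":"198.51.100.20","message":"Login failed: anna (Remote IP: 198.51.100.20)"}
"""


def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            ip, msg = entry["remoteAddr"], entry["message"]
            when = datetime.fromisoformat(entry["time"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete line: ignore it rather than crash
        if not str(msg).startswith("Login failed") or ip in banned:
            continue
        window = recent[ip]
        window.append(when)
        # Drop failures that are older than findtime relative to the newest one.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = when
    return banned


if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"would ban {ip} after failure at {when.isoformat()}")
```

With the default thresholds only the address that fails three times within a minute is flagged; the slow retries an hour apart and the single mistyped password from the LAN are not.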