

Yes, those are the known vulnerabilities. We don’t know how many unknown vulnerabilities could be discovered in the future.
Firewalls can log dropped packets.
It depends on what you’re trying to do with it. Typically people only use Macs as servers when they’re doing development for Apple products.
Provide them with VPN access. If that’s too much for them, then they don’t get access. Tough. On the scale of security vs convenience, that’s nothing.
If you really really want, you should at least see if you can put a WAF in front, and put the server itself somewhere it doesn’t have access to the rest of your network (a DMZ) so that if and when it gets hacked, it doesn’t compromise the entire network.
Step one is check with the university IT department. Don’t put random unmanageable shit on other people’s networks.
Why a Mac running Linux? I can’t think of a use case for that.
I still don’t recommend putting Jellyfin on the Internet. It’s not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.
5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.
Probably through that link in your screenshot that says “logs”. Or directly on the server. Consult the documentation.
I am also subscribed to !gardening@lemmy.world so I made the same mistake
What’s in the logs?
If it’s on the Internet, yes.
Given the state of the Internet, you should keep a healthy level of paranoia. I always recommend exposing as little as possible, and that means using only a VPN and not putting Jellyfin itself on the Internet.
Technically yes, but as long as your WAN gateway doesn’t provide a route, clients will only know how to reach your own gateway.
Agreed. Separate device. If your VM or hypervisor dies, or you misconfigure something, you take your Internet down. Not a fun thing to recover from.
You only need one port. WAN to switch, switch to router. The router routes and sends it back to the switch, and the switch to the LAN. Vice versa for outbound traffic. It’s called a router on a stick.
Not recommended if you’re paranoid about security, because a malicious client or particularly malformed inbound traffic could bypass your router. For general use it’s perfectly fine.
Pretty much any router will handle that.
If you want to do open source, you can do something like OpenWrt on hardware they support. Or, build the whole thing yourself with OPNsense on any device that can run FreeBSD.
But it does have a moldy nylon bag!
Lol “carefully crafted sequence”. This is just like back in early versions of Windows where the login screen let you open a help menu, which let you open a file picker, which let you open any file.
Windows is a pile of shit stacked way too high.
No, they can’t. The BIOS prompts the user to confirm the change on reboot. If the change is not confirmed, it doesn’t happen.
This type of attack has been seen in the wild for quite some time. Ultimately it’s a security vs convenience decision.
Any drive should read faster than media playback. I’d check the actual read speed and playback logs to make sure you’re not having other issues.
WAF and DMZ too.