Zrok & Zrok's Public Share Firewall

Disclaimer: I am new to the infrastructure/network space, and would love any support/guidance c:

I am learning what Zrok is about after getting a recommendation from one of OpenZiti's devs on Reddit, and the "Public Share" concept of Zrok is, I think, what I am looking for.

Question 0 (summary of what I wrote in the Reddit link above):
Would self-hosting Zrok and its public share feature allow me to:
Set up my first self-hosted machine using an old desktop I have.

I am trying to host a static website on the internet, and here is what I have got to thus far:

Registered a domain using Route53 (it is an authoritative domain name server)

Ubuntu as a Host OS (on my old desktop)

Docker engine running on Host OS

Container (Docker) for Nginx web server serving static content: As a result, I can view my website locally.

Now here is the deal..

I do not have access to port forwarding on my residence's router because I live in an Airbnb (and I move around a lot). Thus, while doing some research I came across Cloudflare's Zero Trust Tunnel, which would allow me to access Cloudflare (a Layer 7 proxy) by installing Cloudflare tunnel within my internal network. From my understanding, this would allow my site to use Cloudflare's DNS server to perform a Type A DNS query to serve my website to users on the internet using the domain.

However, a gentleman who works on OpenZiti recommended Zrok to me as an alternative to Cloudflare. So, would Zrok help me deploy my static website to the internet?

Question 1:
Reading the documentation about Zrok’s Public Share, I am confused about the statement:
“As with private sharing, public sharing does not require you to open any firewall ports or otherwise compromise the security of your local environments. A public share goes away as soon as you terminate the zrok share command.”
What is this "firewall ports" talking about? Is it the software firewall on my Linux machines? Or the hardware firewall on my router?

Question 2:
I am trying to self-host a zrok instance, following the YouTube tutorial on self-hosting (https://www.youtube.com/watch?v=870A5dke_u4), and the gentleman in the video allows an inbound rule for all IPv4 and IPv6 connections on different ports. So, my newbie knowledge makes me wonder: would I have to set these inbound rules on my Linux machine?

Hi @youngjun827, welcome to the community and to zrok and to OpenZiti!

Based on what you wrote, it sounds a bit confusing. You're trying to self-host, yet you want to use Cloudflare. To me, that's a bit confusing since Cloudflare would be brokering the connection and I'm not entirely sure how it works yet. If it's similar to OpenZiti, your traffic will be traversing Cloudflare and in that situation I would say you are looking for something non-self-hosted like zrok.io (the SaaS version of zrok, free, provided by NetFoundry). You'd then have no firewall concerns at all since you're using zrok.io for brokering traffic...

If you want to totally self-host, I'd really recommend you try out a VPS (virtual private server) and try Oracle's platform. It's got an "actually free" tier that's perfect for most purposes and I'd start there. At that point you have a server in the cloud accessible anywhere and very flexible since you control it....

It's any and all firewall ports. So it's BOTH the software firewall and, imo more importantly, the hardware router's firewall... So both, any, all firewalls. You only need outbound Internet.

The overlay network, the one where OpenZiti and zrok would be installed, DOES require open ports. So when you're self-hosting zrok, you'll need to install an OpenZiti network, and then install zrok. If you were to use zrok.io, the SaaS version mentioned above, you'd not have the same need. That's why I recommend you use a VPS to install zrok and OpenZiti.

Hope that makes sense and helps.