Default behavior
By default, N.O.M.A.D. listens on all network interfaces. Anyone on the same local network as your server can access the Command Center at http://SERVER_IP:8080 and Dozzle at http://SERVER_IP:9999.
This is intentional for the common use case: a home or classroom LAN where all connected devices should have access. On a private, trusted network, no additional configuration is needed.
When to restrict access
Consider restricting access if:
- Your server is connected to a shared or semi-public network (office, apartment building, campus Wi-Fi)
- You want only specific devices to reach N.O.M.A.D.
- You are running N.O.M.A.D. on a machine that is reachable from outside your local network
N.O.M.A.D. is not designed for direct internet exposure. Do not forward ports 8080 or 9999 through your router to the public internet. If you need remote access, consider a VPN instead.
Restricting access with ufw (Ubuntu)
ufw (Uncomplicated Firewall) is the standard firewall tool on Ubuntu. Use it to allow specific IP addresses or subnets while blocking others.
Allow access from a specific IP only
# Allow a specific device to reach the Command Center
sudo ufw allow from 192.168.1.50 to any port 8080
# Allow a specific device to reach Dozzle
sudo ufw allow from 192.168.1.50 to any port 9999
# Block all other access to those ports
sudo ufw deny 8080
sudo ufw deny 9999
Allow access from a subnet
# Allow all devices on your home LAN (e.g. 192.168.1.0/24)
sudo ufw allow from 192.168.1.0/24 to any port 8080
sudo ufw allow from 192.168.1.0/24 to any port 9999
# Deny everything else
sudo ufw deny 8080
sudo ufw deny 9999
Enable ufw if not already active
sudo ufw enable
sudo ufw status verbose
ufw rules are evaluated in order. Place allow rules before deny rules for the same port, or the deny rule will block all traffic regardless of source.
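One way to check the ordering rule above on your own rule set (an added example, not part of N.O.M.A.D.; the function name audit_port and the sample listings are constructed here, and the parser assumes the column layout printed by `ufw status numbered`):

```shell
#!/bin/sh
# Added example: reads `ufw status numbered` output on stdin and prints a
# verdict for one port: ok | shadowed | no-deny | no-rules.
audit_port() {
    sed 's/^\[ *[0-9]*] *//' | awk -v port="$1" '
        /\(v6\)/ { next }                  # IPv6 rules form a separate list
        {
            split($1, to, "/")             # "8080/tcp" -> "8080"
            if (to[1] != port) next
            for (i = 2; i <= NF; i++)
                if ($i == "ALLOW" || $i == "DENY" || $i == "REJECT") break
            if (i > NF) next               # header or unrelated line
            action = $i; src = $(i + 1)
            if (src == "IN" || src == "OUT") src = $(i + 2)
            if (action == "ALLOW") {
                allows++
                if (blanket) shadowed = 1  # allow sits below a deny-all
            } else if (src == "Anywhere") {
                blanket = 1
            }
        }
        END {
            if (shadowed) print "shadowed"
            else if (!allows && !blanket) print "no-rules"
            else if (!blanket) print "no-deny"
            else print "ok"
        }'
}

# Constructed sample listings (not captured from a real host).
good_rules() { cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 8080                       ALLOW IN    192.168.1.0/24
[ 2] 9999                       ALLOW IN    192.168.1.0/24
[ 3] 8080                       DENY IN     Anywhere
[ 4] 9999                       DENY IN     Anywhere
EOF
}
bad_rules() { cat <<'EOF'
[ 1] 8080                       DENY IN     Anywhere
[ 2] 8080                       ALLOW IN    192.168.1.50
[ 3] 9999                       ALLOW IN    192.168.1.50
EOF
}

good_rules | audit_port 8080    # ok
bad_rules  | audit_port 8080    # shadowed
```

On a live server, run `sudo ufw status numbered | audit_port 8080` and repeat for 9999. A `shadowed` verdict means a deny-all rule sits above an allow rule for that port; `sudo ufw insert 1 allow from 192.168.1.50 to any port 8080` places the allow rule first.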
Private network (trusted LAN)
If your server is on a private home or office network with only trusted devices, no firewall configuration is required. The default setup works as intended — all devices on the LAN can access N.O.M.A.D.
Shared or semi-public network
If you cannot guarantee that all devices on the network are trusted:
- Use ufw to restrict ports 8080 and 9999 to specific IP addresses or a trusted subnet
- Consider placing N.O.M.A.D. on a dedicated VLAN with controlled access
- If you need access from outside the local network, set up a VPN (WireGuard, Tailscale) rather than exposing ports publicly
Internal-only ports
MySQL (3306) and Redis (6379) are not exposed to the host by default as of v1.30. These services are internal to the Docker network and cannot be reached from outside the server. Do not expose them unless you have a specific need and understand the risk.