Enable local firewall (ufw/nftables) on kai-server #112

Open
opened 2026-05-24 21:51:48 +00:00 by coilysiren · 0 comments
Owner

Problem
kai-server has no local firewall in place. Every listening port is currently reachable from anything that can route to its IP. Mitigated externally today only by the router's NAT boundary, and even that gets bypassed by the DMZ-on config tracked in #109. Defense-in-depth would have kai-server reject anything it shouldn't be serving, regardless of what the router is doing upstream.

Plan

  1. SSH into kai-server, run ss -tlnp and ss -ulnp to inventory listening ports.
  2. Classify each: should be reachable from LAN only / from WAN / from localhost only.
  3. Pick a tool: ufw (simpler, fine for a single host) or nftables (more expressive, lower-level). Default to ufw unless k3s already manages nftables chains we'd conflict with.
  4. Default-deny inbound, allow outbound, allow established/related.
  5. Permit per service:
    • 22/tcp from LAN (192.168.0.0/24) and Tailscale CGNAT (100.64.0.0/10).
    • 80/tcp, 443/tcp from anywhere (Traefik).
    • 3000-3003/tcp,udp from anywhere (Eco).
    • 34197/udp from anywhere (Factorio).
    • 6443/tcp, 10250/tcp, etc. - LAN/Tailscale only.
  6. Enable, verify each service from off-network and from LAN.

Relationship to #109
Independent but complementary. #109 removes the over-broad DMZ exposure at the router. This issue adds host-level enforcement so the same mistake (or any future router misconfig) doesn't immediately expose every port again. Either one alone is an improvement; both together is correct.

Origin
Surfaced 2026-05-24 alongside the DMZ-off discovery during the router firmware upgrade prep.

**Problem** kai-server has no local firewall in place. Every listening port is currently reachable from anything that can route to its IP. Mitigated *externally* today only by the router's NAT boundary, and even that gets bypassed by the DMZ-on config tracked in #109. Defense-in-depth would have kai-server reject anything it shouldn't be serving, regardless of what the router is doing upstream. **Plan** 1. SSH into kai-server, run `ss -tlnp` and `ss -ulnp` to inventory listening ports. 2. Classify each: should be reachable from LAN only / from WAN / from localhost only. 3. Pick a tool: `ufw` (simpler, fine for a single host) or `nftables` (more expressive, lower-level). Default to `ufw` unless k3s already manages nftables chains we'd conflict with. 4. Default-deny inbound, allow outbound, allow established/related. 5. Permit per service: - 22/tcp from LAN (192.168.0.0/24) and Tailscale CGNAT (100.64.0.0/10). - 80/tcp, 443/tcp from anywhere (Traefik). - 3000-3003/tcp,udp from anywhere (Eco). - 34197/udp from anywhere (Factorio). - 6443/tcp, 10250/tcp, etc. - LAN/Tailscale only. 6. Enable, verify each service from off-network and from LAN. **Relationship to #109** Independent but complementary. #109 removes the over-broad DMZ exposure at the router. This issue adds host-level enforcement so the same mistake (or any future router misconfig) doesn't immediately expose every port again. Either one alone is an improvement; both together is correct. **Origin** Surfaced 2026-05-24 alongside the DMZ-off discovery during the router firmware upgrade prep.
coilysiren added
P2
and removed
P1
labels 2026-06-17 08:40:25 +00:00
coilyco-ops added
P3
and removed
P2
labels 2026-07-10 09:00:27 +00:00
Sign in to join this conversation.
No description provided.