Enable local firewall (ufw/nftables) on kai-server #112

Status: Open · opened 2026-05-24 21:51:48 +00:00 by coilysiren (Owner) · 0 comments

**Problem**

kai-server has no local firewall in place. Every listening port is currently reachable from anything that can route to its IP. Mitigated *externally* today only by the router's NAT boundary, and even that gets bypassed by the DMZ-on config tracked in #109. Defense-in-depth would have kai-server reject anything it shouldn't be serving, regardless of what the router is doing upstream.

**Plan**

1. SSH into kai-server, run `ss -tlnp` and `ss -ulnp` to inventory listening ports.
2. Classify each: should be reachable from LAN only / from WAN / from localhost only.
3. Pick a tool: `ufw` (simpler, fine for a single host) or `nftables` (more expressive, lower-level). Default to `ufw` unless k3s already manages nftables chains we'd conflict with.
4. Default-deny inbound, allow outbound, allow established/related.
5. Permit per service:
   - 22/tcp from LAN (192.168.0.0/24) and Tailscale CGNAT (100.64.0.0/10).
   - 80/tcp, 443/tcp from anywhere (Traefik).
   - 3000-3003/tcp,udp from anywhere (Eco).
   - 34197/udp from anywhere (Factorio).
   - 6443/tcp, 10250/tcp, etc. - LAN/Tailscale only.
6. Enable, verify each service from off-network and from LAN.

**Relationship to #109**

Independent but complementary. #109 removes the over-broad DMZ exposure at the router. This issue adds host-level enforcement so the same mistake (or any future router misconfig) doesn't immediately expose every port again. Either one alone is an improvement; both together is correct.

**Origin**

Surfaced 2026-05-24 alongside the DMZ-off discovery during the router firmware upgrade prep.
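A `ufw` ruleset implementing plan steps 4 through 6, added here as an example and not taken from the issue or the repository. It assumes `ufw` is installed, the LAN and Tailscale ranges listed in the plan, and that k3s is not managing nftables chains that would conflict; it defaults to printing the commands (`DRY_RUN=1`) so the ruleset can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the issue: ufw ruleset for plan steps 4-6.
# Assumes ufw is installed and no conflicting k3s nftables chains (step 3).
# Defaults to DRY_RUN=1 (print commands); run with DRY_RUN=0 as root to apply.
set -eu

DRY_RUN="${DRY_RUN:-1}"
LAN="192.168.0.0/24"        # LAN range from the plan
TS="100.64.0.0/10"          # Tailscale CGNAT range from the plan

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 4: default-deny inbound, allow outbound. ufw's shipped before.rules
# already accept ESTABLISHED,RELATED, so that needs no explicit rule.
set_defaults() {
  run ufw default deny incoming
  run ufw default allow outgoing
}

# Step 5: per-service permits. Admin-only ports are scoped to the LAN and
# Tailscale ranges; a bare "ufw allow 22/tcp" would expose SSH to the WAN.
allow_services() {
  for net in "$LAN" "$TS"; do
    run ufw allow from "$net" to any port 22 proto tcp     # SSH
    run ufw allow from "$net" to any port 6443 proto tcp   # k3s API
    run ufw allow from "$net" to any port 10250 proto tcp  # kubelet
  done
  run ufw allow 80/tcp           # Traefik
  run ufw allow 443/tcp          # Traefik
  run ufw allow 3000:3003/tcp    # Eco
  run ufw allow 3000:3003/udp    # Eco
  run ufw allow 34197/udp        # Factorio
}

# Step 6: enable only after the allows exist so the current SSH session
# is not locked out, then print the numbered ruleset for verification.
enable_fw() {
  run ufw --force enable
  run ufw status numbered
}

apply_rules() {
  set_defaults
  allow_services
  enable_fw
}
apply_rules
```

After applying, the off-network check in step 6 should show only 80, 443, 3000-3003 and 34197 answering; 22, 6443 and 10250 should answer only from the LAN or Tailscale ranges.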

coilysiren added P2 and removed P1 labels 2026-05-31 07:00:40 +00:00
Reference: coilyco-flight-deck/infrastructure#112