Salt Phase 3: nftables firewall (default deny inbound) #5

Closed
opened 2026-02-27 20:41:49 +00:00 by forgejo_admin · 0 comments

Plan

plan-2026-02-26-salt-host-management — Phase 3

Repo

pal-e-platform — Forgejo (private)

User Story

As a platform operator
I need a Salt-managed nftables firewall with default deny inbound
So that the host is hardened against unauthorized access while preserving Tailscale, k3s, and LAN SSH connectivity

Acceptance Criteria

When I run salt-call state.apply firewall test=True
Then it shows the expected nftables changes (install, config, enable service)

When I run nft list ruleset after applying
Then the rules match the pillar data (default deny inbound, allow tailscale0/lo/flannel/k8s/LAN SSH/established+related)

When the firewall is active
Then Tailscale connectivity is uninterrupted (outbound never restricted, tailscale0 fully allowed)

Additional Information

See issue-pal-e-platform-salt-phase-3-nftables in pal-e-docs for full details.

Safety constraint: Tailscale is the remote access safety net. Outbound must NEVER be restricted. tailscale0 must be fully allowed. Operator applies manually with revert timer.
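The acceptance criteria above amount to a small, fixed rule shape. The following is an added example for this issue, not the pal-e-platform repository's Salt state or Jinja template: it renders an nftables.conf from pillar-shaped data and then checks the rendered text against the safety constraint (input default deny, output never restricted, tailscale0 and lo fully allowed, established/related accepted, SSH only from the LAN) so the operator can refuse to apply a ruleset that would cut the Tailscale safety net. The pillar layout (firewall:trusted_ifaces, lan_cidr, ssh_port, k8s_tcp_ports), the LAN range, and the k3s interface names flannel.1 and cni0 are assumptions; only tailscale0, lo, flannel and LAN SSH come from the issue.

```python
"""Render an nftables ruleset from Salt-style pillar data and check the
issue's safety constraints before the operator applies it.

Added example for this issue, not the pal-e-platform repo's Salt state or
Jinja template. The pillar layout (firewall:trusted_ifaces, lan_cidr,
ssh_port, k8s_tcp_ports) and the k3s interface names (flannel.1, cni0)
are assumptions; tailscale0 and lo come from the acceptance criteria.
"""
import ipaddress
import re

# Constructed pillar data mirroring the acceptance criteria (not the repo's pillar).
PILLAR = {
    "firewall": {
        "trusted_ifaces": ["lo", "tailscale0", "flannel.1", "cni0"],
        "lan_cidr": "192.168.1.0/24",  # constructed LAN range for LAN-only SSH
        "ssh_port": 22,
        "k8s_tcp_ports": [6443, 10250],  # k3s API server and kubelet (assumed)
    }
}


def render_nftables_conf(pillar: dict) -> str:
    """Produce nftables.conf text with default-deny input and unrestricted output."""
    fw = pillar["firewall"]
    lan = ipaddress.ip_network(fw["lan_cidr"])  # ValueError on a malformed CIDR
    ssh_port = int(fw["ssh_port"])
    if not 1 <= ssh_port <= 65535:
        raise ValueError(f"ssh_port out of range: {ssh_port}")
    lines = [
        "#!/usr/sbin/nft -f",
        "flush ruleset",
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    # Trusted interfaces are accepted wholesale: tailscale0 is the remote-access safety net.
    for iface in fw["trusted_ifaces"]:
        lines.append(f'    iifname "{iface}" accept')
    # SSH and k3s control ports are accepted only from the LAN, never from any source.
    lines.append(f"    ip saddr {lan} tcp dport {ssh_port} accept")
    for port in fw.get("k8s_tcp_ports", []):
        lines.append(f"    ip saddr {lan} tcp dport {int(port)} accept")
    lines += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def _chains(conf: str) -> dict:
    """Map chain name -> body text for the simple layout render_nftables_conf emits."""
    return dict(re.findall(r"  chain (\w+) \{\n(.*?)\n  \}", conf, re.S))


def _policy(body: str) -> str:
    """Extract the chain's default policy ('drop', 'accept', or '' if absent)."""
    m = re.search(r"policy (\w+);", body)
    return m.group(1) if m else ""


def check_safety_constraints(conf: str) -> list:
    """Return violations of the issue's safety constraint; an empty list means safe to apply."""
    problems = []
    chains = _chains(conf)
    inp, out = chains.get("input", ""), chains.get("output", "")
    if _policy(inp) != "drop":
        problems.append("input chain is not default deny")
    if _policy(out) != "accept" or re.search(r"\b(drop|reject)\b", out):
        problems.append("output chain restricts outbound traffic")
    for iface in ("lo", "tailscale0"):
        if f'iifname "{iface}" accept' not in inp:
            problems.append(f"{iface} is not fully allowed on input")
    if "ct state established,related accept" not in inp:
        problems.append("established/related return traffic is not accepted")
    # A port accept with no source restriction would expose the service beyond the LAN.
    if re.search(r"^\s*tcp dport \d+ accept", inp, re.M):
        problems.append("a TCP port is accepted from any source")
    return problems


if __name__ == "__main__":
    rendered = render_nftables_conf(PILLAR)
    print(rendered)
    print("violations:", check_safety_constraints(rendered) or "none")
```

The check runs on the rendered text, so it can sit between `salt-call state.apply firewall test=True` and the manual apply: a non-empty violation list is the signal to stop before `nft -f` runs, and the revert timer remains the last line of defence for anything the text check cannot see.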

Checklist

  • PR opened
  • salt-call state.apply firewall test=True succeeds
  • Rendered nftables.conf is valid
  • top.sls files updated

Related

  • plan-2026-02-26-salt-host-management — parent plan
  • plan-2026-02-26-network-security-hardening — depends on this
Reference
forgejo_admin/pal-e-platform#5