every.channel/evolution/proposals/ECP-0088-ecp-forge-public-rpc-hardening.md

# ECP-0088: Public RPC/NFS Hardening for ecp-forge

Status: Implemented

## Context

ecp-forge exports /tank over NFS for private consumers, but the host firewall also exposed rpcbind (111/tcp,udp) and NFS (2049/tcp,udp) on the public Hetzner address. CERT-Bund flagged the host because public rpcbind allowed internet enumeration of registered RPC services.

The current exports already constrain clients to private address space, so the exposure is a firewall boundary issue rather than a requirement for public access.

## Decision

1. Remove public firewall allowances for 111/tcp,udp and 2049/tcp,udp on ecp-forge.
2. Keep NFS enabled for trusted/private paths, including the existing tailscale0 trusted interface and private-source exports.
3. Treat public RPC/NFS exposure on forge hosts as an anti-pattern unless a later ECP explicitly justifies it.
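The decision above expressed as a NixOS module, added here as an illustration and not ecp-forge's own configuration; the private CIDR, the export options and the evaluation-time assertion are assumptions:

```nix
# Added illustration of the ECP-0088 change; not ecp-forge's actual module.
# The private CIDR, export options and the host's other settings are placeholders.
{ config, lib, ... }:

{
  # Before (the exposure CERT-Bund flagged): rpcbind and NFS opened host-wide,
  # which includes the public Hetzner address.
  #
  #   networking.firewall.allowedTCPPorts = [ 111 2049 ];
  #   networking.firewall.allowedUDPPorts = [ 111 2049 ];

  # After: no host-wide allowances. NFS stays enabled but is reachable only
  # through the trusted overlay interface.
  networking.firewall = {
    enable = true;
    trustedInterfaces = [ "tailscale0" ];
    # Deliberately empty: public RPC/NFS exposure is an anti-pattern per ECP-0088.
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
  };

  services.nfs.server = {
    enable = true;
    # Exports stay restricted to private address space (placeholder CIDR).
    exports = ''
      /tank 100.64.0.0/10(rw,sync,no_subtree_check)
    '';
  };

  # Guard rail: fail evaluation if the ports are re-added host-wide without a
  # replacement ECP (teardown path).
  assertions = [
    {
      assertion = !(builtins.any (p: p == 111 || p == 2049)
        (config.networking.firewall.allowedTCPPorts
         ++ config.networking.firewall.allowedUDPPorts));
      message = "ECP-0088: rpcbind/NFS ports must not be opened on the public interface";
    }
  ];
}
```

The assertion only catches host-wide `allowedTCPPorts`/`allowedUDPPorts`; a per-interface allowance under `networking.firewall.interfaces.<public-iface>` would still need review.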

## Alternatives considered

- Disable NFS entirely. Rejected because the /tank export remains useful for private consumers.
- Keep public ports open and rely only on /etc/exports CIDR restrictions. Rejected because rpcbind enumeration is itself enough to trigger abuse notifications and increases attack surface.
- Add bespoke public-interface firewall exceptions per private CIDR. Rejected because ecp-forge already has a trusted overlay path and does not need public-interface exposure for NFS.

## Rollout / teardown plan

- Rollout:
  - evaluate `.#nixosConfigurations.ecp-forge`,
  - deploy ecp-forge,
  - verify rpcbind/NFS are no longer reachable on the public IP.
- Teardown:
  - restore the public firewall allowances only with a replacement ECP that documents the requirement and compensating controls.