30 lines
1.7 KiB
Markdown
30 lines
1.7 KiB
Markdown
# ECP-0088: Public RPC/NFS Hardening for `ecp-forge`
|
|
|
|
Status: Implemented
|
|
|
|
## Context
|
|
|
|
`ecp-forge` exports `/tank` over NFS for private consumers, but the host firewall also exposed `rpcbind` (`111/tcp,udp`) and NFS (`2049/tcp,udp`) on the public Hetzner address. CERT-Bund flagged the host because public `rpcbind` allowed internet enumeration of registered RPC services.
|
|
|
|
The current exports already constrain clients to private address space, so the exposure is a firewall boundary issue rather than a requirement for public access.
|
|
|
|
## Decision
|
|
|
|
1. Remove public firewall allowances for `111/tcp,udp` and `2049/tcp,udp` on `ecp-forge`.
|
|
2. Keep NFS enabled for trusted/private paths, including the existing `tailscale0` trusted interface and private-source exports.
|
|
3. Treat public RPC/NFS exposure on forge hosts as an anti-pattern unless a later ECP explicitly justifies it.
|
|
|
|
## Alternatives considered
|
|
|
|
- Disable NFS entirely. Rejected because `/tank` export remains useful for private consumers.
|
|
- Keep public ports open and rely only on `/etc/exports` CIDR restrictions. Rejected because `rpcbind` enumeration is itself enough to trigger abuse notifications and increases attack surface.
|
|
- Add bespoke public-interface firewall exceptions per private CIDR. Rejected because `ecp-forge` already has a trusted overlay path and does not need public-interface exposure for NFS.
|
|
|
|
## Rollout / teardown plan
|
|
|
|
- Rollout:
|
|
- evaluate `.#nixosConfigurations.ecp-forge`,
|
|
- deploy `ecp-forge`,
|
|
- verify `rpcbind`/NFS are no longer reachable on the public IP.
|
|
- Teardown:
|
|
- restore the public firewall allowances only with a replacement ECP that documents the requirement and compensating controls.
|