docs: record unifi firewall enforcement and closeout
This commit is contained in:
@@ -0,0 +1,65 @@
|
||||
# UniFi Firewall Enforcement Result — 2026-05-23
|
||||
|
||||
Purpose: record the actual first live enforcement change made after the read-only planning pass, plus the exact remaining work that was intentionally not guessed into production.
|
||||
|
||||
## What was live-validated before the change
|
||||
- UniFi controller reachable at `https://10.5.0.1`
|
||||
- Live zone model confirmed from the controller API:
|
||||
- `Internal` = Management + Trusted + Servers
|
||||
- `Untrusted` = IoT + Camera + Old IoT
|
||||
- `Hotspot` = Guest
|
||||
- Existing custom policies before this change:
|
||||
- `Allow Internal to Untrusted`
|
||||
- disabled temp policy `DORIS-TEMP`
|
||||
- Existing UniFi built-in defaults already provided:
|
||||
- Guest internet-only / hotspot restrictions
|
||||
- Untrusted zone isolation from `Internal`, `Hotspot`, `Dmz`, `Untrusted`, and `Vpn`
|
||||
- broad `Untrusted -> Gateway` allow remained in place by default
|
||||
|
||||
## Live change applied
|
||||
Added one custom Policy Engine rule:
|
||||
|
||||
- `Block Untrusted to Gateway Admin Surfaces`
|
||||
- source zone: `Untrusted`
|
||||
- source CIDRs:
|
||||
- `10.5.10.0/24`
|
||||
- `10.5.20.0/24`
|
||||
- `192.168.1.0/24`
|
||||
- destination zone: `Gateway`
|
||||
- destination IP: `10.5.0.1`
|
||||
- destination TCP ports: `22,80,443,8443,9443`
|
||||
- intent: block IoT / Camera / Old IoT clients from reaching the UDM Pro admin surfaces while leaving DHCP, DNS, mDNS, and normal internet behavior to the existing zone defaults
|
||||
|
||||
## Why this was the safe first enforcement slice
|
||||
This closes the most obvious management-plane exposure left by the default zone policy without guessing at:
|
||||
- Protect/NVR helper ports
|
||||
- Google/cast discovery exceptions
|
||||
- local-vs-public NTP design
|
||||
- whether every restricted lane is already using the intended DNS target instead of the gateway
|
||||
|
||||
A broader `Untrusted -> Gateway` block was deliberately not applied because the current live DHCP/DNS details still need cleanup and verification.
|
||||
|
||||
## Validation evidence
|
||||
- Dry-run from the PD runtime helper showed exactly one new policy create and no mutation to `Allow Internal to Untrusted`
|
||||
- Apply completed successfully through the same helper
|
||||
- Follow-up helper run removed the disabled temporary custom policy `DORIS-TEMP`
|
||||
- Post-apply custom policy readback now shows only:
|
||||
- `Allow Internal to Untrusted`
|
||||
- `Block Untrusted to Gateway Admin Surfaces`
|
||||
- Controller API access from PD remained healthy immediately after apply
|
||||
|
||||
## Things intentionally left for later
|
||||
Still not safe to guess into production without targeted validation:
|
||||
- final `HOST-ADMIN-TRUSTED` membership
|
||||
- full management shield for every internal lane
|
||||
- explicit Trusted admin allow objects before any broad `Internal -> Gateway` deny
|
||||
- exact camera/Protect helper ports
|
||||
- Google/cast discovery/control exceptions
|
||||
- final SSID retirement / simplification
|
||||
|
||||
## Recommended next live order
|
||||
1. verify what DNS target the restricted lanes are actually receiving from DHCP today
|
||||
2. verify whether any restricted clients still need gateway access beyond DHCP/mDNS
|
||||
3. only then decide whether to convert this first surgical block into the broader management shield design
|
||||
4. do Google/cast validation from a laptop before any cast-related firewall or SSID cleanup
|
||||
5. finish SSID simplification after the cast/discovery behavior is understood
|
||||
Reference in New Issue
Block a user