# Hermes dashboard Trusted-only Policy Engine apply — 2026-05-24 ## Live change summary Applied the narrow UniFi Policy Engine service slice that makes the Hermes dashboard on Nomad effectively Trusted-only. Dashboard endpoint: - `10.5.30.7:9119` Apply time artifact stamp: - `2026-05-24-061715` ## What changed Created these two custom firewall policies: 1. `Allow Trusted to Hermes Dashboard` - id: `6a1297eefb913dd84d4a3fbb` - action: `ALLOW` - protocol: `tcp` - source: `10.5.1.0/24` - destination: `10.5.30.7` - destination port: `9119` - schedule: `ALWAYS` 2. `Block Management and Servers to Hermes Dashboard` - id: `6a1297eefb913dd84d4a3fc0` - action: `BLOCK` - protocol: `tcp` - source: `10.5.0.0/24`, `10.5.30.0/24` - destination: `10.5.30.7` - destination port: `9119` - schedule: `ALWAYS` ## Verification result - Pre-apply baseline did not already contain either Hermes-dashboard policy. - Post-apply readback shows both rules present as non-predefined custom policies. - Apply helper returned no API errors. ## Artifacts Baselines and apply output saved in: - `home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-pre-hermes-dashboard-slice.json` - `home/doris-dashboard/docs/baselines/unifi-hermes-dashboard-policy-apply-2026-05-24-061715.json` - `home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-post-hermes-dashboard-slice.json` Helper added to repo and copied to PD runtime for repeatable staging/apply: - repo: `automation/bin/unifi_stage_hermes_dashboard_policy.py` - PD runtime: `/mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_hermes_dashboard_policy.py` ## Representative lane probe after apply Follow-up live check from PD showed an important enforcement caveat. From PD (`10.5.30.6`) to Nomad (`10.5.30.7:9119`): - direct TCP connect succeeded - HTTP GET succeeded with `200 OK` - route on PD is on-link: `10.5.30.7 dev enp3s0f0 src 10.5.30.6` Interpretation: - PD and Nomad are both on the `Servers` subnet (`10.5.30.0/24`) - this flow stays L2-local and does not traverse the UniFi gateway - therefore the gateway Policy Engine block does not stop PD from reaching the dashboard even though the custom rule exists What the current rule set still likely achieves: - Trusted clients on `10.5.1.0/24` can reach the dashboard - routed Management-lane access should still be governed by the custom block - same-subnet Servers peers are not isolated by this gateway-only approach ## Operator validation still worth doing Because same-subnet east-west traffic bypasses the gateway enforcement point, the right checks are now: - from a Trusted client: confirm `http://hermes.home.paccoco.com:9119` or the intended dashboard URL still loads - from a Management client on a different subnet: confirm `10.5.30.7:9119` is blocked - do not treat PD->Nomad reachability as proof the rule failed globally; it specifically proves intra-subnet server peers need host-local enforcement if they must be excluded ## If true Trusted-only must exclude PD and other Servers peers Use one of these instead of relying only on the gateway policy: - add a host firewall on Nomad permitting only Trusted-source addresses/subnets to port `9119` - move the dashboard to a lane where disallowed sources must cross a routed boundary - use switch/ACL mechanisms that can enforce same-subnet isolation if available ## Rollback Fastest rollback is to delete the two Hermes-dashboard custom rules by id or rerun a small helper update that disables/removes them: - `6a1297eefb913dd84d4a3fbb` - `6a1297eefb913dd84d4a3fc0`