3.5 KiB
Hermes dashboard Trusted-only Policy Engine apply — 2026-05-24
Live change summary
Applied the narrow UniFi Policy Engine service slice that makes the Hermes dashboard on Nomad effectively Trusted-only.
Dashboard endpoint:
10.5.30.7:9119
Apply time artifact stamp:
2026-05-24-061715
What changed
Created these two custom firewall policies:
Allow Trusted to Hermes Dashboard
- id:
6a1297eefb913dd84d4a3fbb - action:
ALLOW - protocol:
tcp - source:
10.5.1.0/24 - destination:
10.5.30.7 - destination port:
9119 - schedule:
ALWAYS
Block Management and Servers to Hermes Dashboard
- id:
6a1297eefb913dd84d4a3fc0 - action:
BLOCK - protocol:
tcp - source:
10.5.0.0/24,10.5.30.0/24 - destination:
10.5.30.7 - destination port:
9119 - schedule:
ALWAYS
Verification result
- Pre-apply baseline did not already contain either Hermes-dashboard policy.
- Post-apply readback shows both rules present as non-predefined custom policies.
- Apply helper returned no API errors.
Artifacts
Baselines and apply output saved in:
home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-pre-hermes-dashboard-slice.jsonhome/doris-dashboard/docs/baselines/unifi-hermes-dashboard-policy-apply-2026-05-24-061715.jsonhome/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-post-hermes-dashboard-slice.json
Helper added to repo and copied to PD runtime for repeatable staging/apply:
- repo:
automation/bin/unifi_stage_hermes_dashboard_policy.py - PD runtime:
/mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_hermes_dashboard_policy.py
Representative lane probe after apply
Follow-up live check from PD showed an important enforcement caveat.
From PD (10.5.30.6) to Nomad (10.5.30.7:9119):
- direct TCP connect succeeded
- HTTP GET succeeded with
200 OK - route on PD is on-link:
10.5.30.7 dev enp3s0f0 src 10.5.30.6
Interpretation:
- PD and Nomad are both on the
Serverssubnet (10.5.30.0/24) - this flow stays L2-local and does not traverse the UniFi gateway
- therefore the gateway Policy Engine block does not stop PD from reaching the dashboard even though the custom rule exists
What the current rule set still likely achieves:
- Trusted clients on
10.5.1.0/24can reach the dashboard - routed Management-lane access should still be governed by the custom block
- same-subnet Servers peers are not isolated by this gateway-only approach
Operator validation still worth doing
Because same-subnet east-west traffic bypasses the gateway enforcement point, the right checks are now:
- from a Trusted client: confirm
http://hermes.home.paccoco.com:9119or the intended dashboard URL still loads - from a Management client on a different subnet: confirm
10.5.30.7:9119is blocked - do not treat PD->Nomad reachability as proof the rule failed globally; it specifically proves intra-subnet server peers need host-local enforcement if they must be excluded
If true Trusted-only must exclude PD and other Servers peers
Use one of these instead of relying only on the gateway policy:
- add a host firewall on Nomad permitting only Trusted-source addresses/subnets to port
9119 - move the dashboard to a lane where disallowed sources must cross a routed boundary
- use switch/ACL mechanisms that can enforce same-subnet isolation if available
Rollback
Fastest rollback is to delete the two Hermes-dashboard custom rules by id or rerun a small helper update that disables/removes them:
6a1297eefb913dd84d4a3fbb6a1297eefb913dd84d4a3fc0