colibri/packaging/linux/colibri-bridge.nft
Sam & Claude 3b00b49e03
docs(packaging): Linux/systemd colibri-bridge + domedog network facts
Linux peer of packaging/freebsd/colibri_bridge.in: bridge the colibri-daemon
control-plane Unix socket to TCP 9190 on the Tailscale interface so mesh hosts
can reach the control plane.

- colibri-bridge.service: systemd unit running socat under sandboxing, BindsTo
  the daemon, freebind so it can bind the tailnet IP before tailscaled is up.
- colibri-bridge.env.example: tunables (systemd parallel to the rc.d sysrc vars).
- colibri-bridge.nft: nftables ruleset for hosts WITHOUT ufw.
- README: install steps + the verified domedog host facts (tailnet IP, ufw
  default-deny posture, 8443=CloudPanel and its public exposure) + open
  questions for the cross-host (hermes) review.

Network gate already applied on domedog: `ufw allow in on tailscale0 to any
port 9190 proto tcp`. The systemd unit is proposed pending the hermes review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 01:03:29 +02:00

#!/usr/sbin/nft -f
#
# Colibri bridge firewall — restrict the control-plane TCP port to the Tailscale
# interface only. Linux/nftables peer of the hermes pf rule:
#
# pass in quick on tailscale0 proto tcp to port 9190 flags S/SA keep state
#
# Load standalone: sudo nft -f packaging/linux/colibri-bridge.nft
# Verify: sudo nft list table inet colibri
# Persist (Debian/Ubuntu): `include "/etc/colibri/colibri-bridge.nft"` from
# /etc/nftables.conf, then `systemctl enable --now nftables`.
table inet colibri {
    chain input {
        # Base-chain declaration — REQUIRED. Without `type … hook input …` the
        # chain is inert and filters nothing. policy accept keeps this table
        # surgical: it governs ONLY port 9190; all other traffic falls through
        # to the host's existing rules.
        type filter hook input priority 0; policy accept;

        # Reach the bridge only over the tailnet. `iifname` (not `iif`) is
        # deliberate: `iif` resolves the interface index at rule-load time and
        # fails if tailscale0 does not exist yet, whereas `iifname` compares the
        # name per packet, so this ruleset loads cleanly before tailscaled is up.
        iifname "tailscale0" tcp dport 9190 accept

        # Drop it on every other interface. `drop` is a terminal verdict, so
        # this reliably blocks 9190 from the public side even if another table
        # would otherwise accept it. That includes "lo": a connection from this
        # host to its own tailnet IP arrives on lo, not tailscale0, so a local
        # smoke test needs an `iifname "lo"` accept placed above this line.
        tcp dport 9190 drop
    }
}
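Added example, not part of the colibri repository: a POSIX sh check for the Verify step in the header above. It takes the text of `nft list table inet colibri` as an argument and asserts the three properties the ruleset comments depend on (base-chain declaration present, policy accept, tailnet accept ordered before the unconditional drop). The script name, the function name and the sample listings are constructed for this example; the samples follow the text form `nft list table` prints, including the symbolic `priority filter` that newer nft versions print for priority 0.

```shell
#!/bin/sh
# verify-colibri-gate.sh (assumed name; added example, not colibri's own code)
#
# Checks a `nft list table inet colibri` listing for the properties the
# ruleset comments rely on:
#   1. chain input is a base chain (type filter hook input ...), else inert
#   2. policy accept, so the table stays scoped to port 9190
#   3. the tailscale0 accept comes BEFORE the unconditional drop
# Usage:  verify_colibri_gate "$(sudo nft list table inet colibri)"
# Exit status 0 = gate present and ordered correctly, 1 = reason printed.

verify_colibri_gate() {
    listing="$1"
    port="${2:-9190}"
    ifname="${3:-tailscale0}"

    # 1. Base-chain declaration. Without the hook the chain filters nothing.
    if ! printf '%s\n' "$listing" | grep -Eq '^[[:space:]]*type filter hook input priority'; then
        echo "FAIL: chain input has no 'type filter hook input' line (inert chain)"
        return 1
    fi

    # 2. A drop/reject policy here would default-deny the whole host, not just 9190.
    if ! printf '%s\n' "$listing" | grep -Eq 'hook input priority [^;]+; policy accept;'; then
        echo "FAIL: chain input policy is not 'accept'"
        return 1
    fi

    # 3. Rule order. nft evaluates rules top-down; the tailnet accept must
    #    precede the drop or tailnet clients are blocked as well.
    accept_ln=$(printf '%s\n' "$listing" \
        | grep -nE "^[[:space:]]*iifname \"$ifname\" tcp dport $port accept" \
        | head -n 1 | cut -d: -f1)
    drop_ln=$(printf '%s\n' "$listing" \
        | grep -nE "^[[:space:]]*tcp dport $port drop" \
        | head -n 1 | cut -d: -f1)
    if [ -z "$accept_ln" ]; then
        echo "FAIL: no 'iifname \"$ifname\" tcp dport $port accept' rule"
        return 1
    fi
    if [ -z "$drop_ln" ]; then
        echo "FAIL: no 'tcp dport $port drop' rule; port is reachable on every interface"
        return 1
    fi
    if [ "$drop_ln" -lt "$accept_ln" ]; then
        echo "FAIL: drop rule (line $drop_ln) precedes the $ifname accept (line $accept_ln)"
        return 1
    fi

    echo "OK: tcp/$port accepted on $ifname only, dropped elsewhere"
    return 0
}

# Constructed sample listings in the text form `nft list table` prints
# (newer nft prints the symbolic 'priority filter' for priority 0).
GOOD_LISTING='table inet colibri {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "tailscale0" tcp dport 9190 accept
        tcp dport 9190 drop
    }
}'

# The failure mode the ruleset comment warns about: no base-chain line.
INERT_LISTING='table inet colibri {
    chain input {
        iifname "tailscale0" tcp dport 9190 accept
        tcp dport 9190 drop
    }
}'

# Drop listed first: tailnet clients are blocked too.
REVERSED_LISTING='table inet colibri {
    chain input {
        type filter hook input priority filter; policy accept;
        tcp dport 9190 drop
        iifname "tailscale0" tcp dport 9190 accept
    }
}'

# Policy drop: the table stops being surgical and default-denies the host.
DENY_LISTING='table inet colibri {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "tailscale0" tcp dport 9190 accept
        tcp dport 9190 drop
    }
}'

# Run against the live ruleset with: sudo sh verify-colibri-gate.sh --live
if [ "${1:-}" = "--live" ]; then
    verify_colibri_gate "$(nft list table inet colibri)"
fi
```

Run it as root after `nft -f` (and again after any reload of /etc/nftables.conf), since the check reads the live listing and so also catches a later edit that turned `chain input` back into a plain, hookless chain.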