security: restrict localhost firewall — allowlist specific ports only

benvinegar · benvinegar · commit debfdf3b54c2 · 2026-02-15T21:24:39.000-05:00
Previously the firewall allowed ALL localhost traffic (-o lo ACCEPT),
meaning hornet_agent could reach every local service: Steam, CUPS,
Tailscale admin UI, and unknown HTTP servers.

Now localhost is restricted to:
- 7890 (Slack bridge)
- 11434 (Ollama)
- 53 (DNS)

Everything else on localhost is blocked and logged.
Security audit now checks for blanket localhost access.
diff --git a/bin/security-audit.sh b/bin/security-audit.sh
@@ -244,6 +244,14 @@ fi
 if command -v iptables &>/dev/null; then
   if iptables -L HORNET_OUTPUT -n 2>/dev/null | grep -q 'DROP'; then
     ok "Firewall rules active (HORNET_OUTPUT chain)"
+
+    # Check localhost isolation (blanket -o lo ACCEPT = bad)
+    if iptables -L HORNET_OUTPUT -n 2>/dev/null | grep -qE 'ACCEPT.*lo\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0\s*$'; then
+      finding "WARN" "Firewall allows ALL localhost traffic" \
+        "Agent can reach every local service (Steam, CUPS, Tailscale, etc.). Update setup-firewall.sh"
+    else
+      ok "Localhost traffic restricted to specific ports"
+    fi
   else
     finding "WARN" "No firewall rules for hornet_agent" \
       "Run: sudo ~/hornet/bin/setup-firewall.sh"
diff --git a/bin/setup-firewall.sh b/bin/setup-firewall.sh
@@ -2,12 +2,17 @@
 # Port-based network lockdown for hornet_agent
 # Run as root: sudo ~/hornet/bin/setup-firewall.sh
 #
-# Allows: HTTP (80), HTTPS (443), SSH (22), DNS (53), localhost
-# Blocks: everything else (reverse shells, raw sockets, non-standard ports)
+# OUTBOUND (internet):
+#   Allows: HTTP (80), HTTPS (443), SSH (22), DNS (53)
+#   Blocks: everything else (reverse shells, raw sockets, non-standard ports)
 #
-# Web browsing and all HTTPS APIs still work. The agent cannot:
+# LOCALHOST:
+#   Allows: Slack bridge (7890), Ollama (11434), DNS (53)
+#   Blocks: everything else (Steam, CUPS, Tailscale admin, unknown services)
+#
+# The agent cannot:
 # - Open reverse shells on non-standard ports
-# - Use raw/ICMP sockets for covert channels
+# - Talk to localhost services it doesn't need (Steam, CUPS, Tailscale UI)
 # - Bind to ports (no inbound listeners/backdoors)
 # - Do DNS tunneling over non-53 UDP
 
@@ -36,8 +41,26 @@ iptables -X "$CHAIN" 2>/dev/null || true
 # Create a dedicated chain for hornet_agent
 iptables -N "$CHAIN"
 
-# Allow localhost (bridge API, postgres, ollama, pi sockets)
-iptables -A "$CHAIN" -o lo -j ACCEPT
+# ── Localhost: allow only specific services ──────────────────────────────────
+
+# Allow Slack bridge (outbound API)
+iptables -A "$CHAIN" -o lo -p tcp --dport 7890 -j ACCEPT
+
+# Allow Ollama (local LLM inference)
+iptables -A "$CHAIN" -o lo -p tcp --dport 11434 -j ACCEPT
+
+# Allow DNS on localhost
+iptables -A "$CHAIN" -o lo -p udp --dport 53 -j ACCEPT
+iptables -A "$CHAIN" -o lo -p tcp --dport 53 -j ACCEPT
+
+# Allow localhost responses (established connections back to us)
+iptables -A "$CHAIN" -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Block everything else on localhost
+iptables -A "$CHAIN" -o lo -j LOG --log-prefix "HORNET_LOCAL_BLOCKED: " --log-level 4
+iptables -A "$CHAIN" -o lo -j DROP
+
+# ── Internet: allow only standard ports ──────────────────────────────────────
 
 # Allow DNS (UDP + TCP)
 iptables -A "$CHAIN" -p udp --dport 53 -j ACCEPT
@@ -64,6 +87,10 @@ echo "✅ Firewall active. Rules:"
 echo ""
 iptables -L "$CHAIN" -n -v --line-numbers
 echo ""
+echo "Localhost allowed: 7890 (bridge), 11434 (ollama), 53 (dns)"
+echo "Internet allowed:  80, 443, 22, 53"
+echo "Everything else:   BLOCKED + LOGGED"
+echo ""
 echo "To remove: sudo iptables -D OUTPUT -m owner --uid-owner $UID_HORNET -j $CHAIN && sudo iptables -F $CHAIN && sudo iptables -X $CHAIN"
 echo ""
 echo "⚠️  These rules are NOT persistent across reboots."
