conf(node): default firewall to zone with single-node 5432 override

Vonng · Vonng · commit fa31213cee43 · 2026-02-13T15:23:04.000+08:00
diff --git a/README.md b/README.md
diff --git a/conf/demo/debian.yml b/conf/demo/debian.yml
@@ -412,7 +412,7 @@ all:
     # NODE_SEC
     #-----------------------------------------------------------------
     node_selinux_mode: permissive     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
     node_firewall_intranet:           # which intranet cidr considered as internal network
       - 10.0.0.0/8
       - 192.168.0.0/16
@@ -421,7 +421,6 @@ all:
       - 22                            # enable ssh access
       - 80                            # enable http access
       - 443                           # enable https access
-      - 5432                          # enable postgresql access (think twice before exposing it!)
 
     #-----------------------------------------------------------------
     # NODE_TUNE
diff --git a/conf/demo/el.yml b/conf/demo/el.yml
@@ -419,7 +419,7 @@ all:
     # NODE_SEC
     #-----------------------------------------------------------------
     node_selinux_mode: permissive     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
     node_firewall_intranet:           # which intranet cidr considered as internal network
       - 10.0.0.0/8
       - 192.168.0.0/16
@@ -428,7 +428,6 @@ all:
       - 22                            # enable ssh access
       - 80                            # enable http access
       - 443                           # enable https access
-      - 5432                          # enable postgresql access (think twice before exposing it!)
 
     #-----------------------------------------------------------------
     # NODE_TUNE
diff --git a/conf/ha/safe.yml b/conf/ha/safe.yml
@@ -165,8 +165,7 @@ all:
     repo_remove: true                 # remove existing repo on admin node during repo bootstrap
     node_repo_remove: true            # remove existing node repo for node managed by pigsty
     #node_selinux_mode: enforcing     # set selinux mode: enforcing,permissive,disabled
-    node_firewall_mode: zone          # firewall mode: none (skip), off (disable), zone (enable & config)
-
+    node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
     repo_extra_packages: [ pg18-main ] #,pg18-core ,pg18-time ,pg18-gis ,pg18-rag ,pg18-fts ,pg18-olap ,pg18-feat ,pg18-lang ,pg18-type ,pg18-util ,pg18-func ,pg18-admin ,pg18-stat ,pg18-sec ,pg18-fdw ,pg18-sim ,pg18-etl]
     pg_version: 18                    # default postgres version
     #pg_extensions: [ pg18-time ,pg18-gis ,pg18-rag ,pg18-fts ,pg18-olap ,pg18-feat ,pg18-lang ,pg18-type ,pg18-util ,pg18-func ,pg18-admin ,pg18-stat ,pg18-sec ,pg18-fdw ,pg18-sim ,pg18-etl]
diff --git a/conf/ha/simu.yml b/conf/ha/simu.yml
@@ -299,6 +299,7 @@ all:
     #==========================================================#
     node_id_from_pg: true             # use nodename rather than pg identity as hostname
     node_tune: tiny                   # use small node template
+    node_firewall_mode: zone          # default: trust intranet, expose selected public ports
     node_timezone: Asia/Hong_Kong     # use Asia/Hong_Kong Timezone
     node_dns_servers:                 # DNS servers in /etc/resolv.conf
       - 10.10.10.10
diff --git a/conf/meta.yml b/conf/meta.yml
@@ -148,6 +148,7 @@ all:
     #node_repo_modules: local             # use this if you want to build & user local repo
     node_repo_remove: true                # remove existing node repo for node managed by pigsty
     #node_packages: [openssh-server]      # packages to be installed current nodes with the latest version
+    node_firewall_public_port: [22, 80, 443, 5432]    # expose 5432 for demo convenience, remove in production!
 
     #----------------------------------------------#
     # PGSQL : https://pigsty.io/docs/pgsql/param
diff --git a/conf/vibe.yml b/conf/vibe.yml
@@ -58,8 +58,8 @@ all:
     node_repo_modules: node,infra,pgsql # add these repos directly to the singleton node
     node_packages: [ openssh-server, juicefs, restic, rclone, uv, opencode, golang, asciinema, tmux ]
     docker_enabled: true                # enable docker service
-    node_firewall_mode: none            # change to 'zone' to enable firewall
-    node_firewall_public_port: [22, 80, 443, 5432]    # add custom public ports
+    node_firewall_mode: zone            # default: trust intranet, expose selected public ports
+    node_firewall_public_port: [22, 80, 443, 5432]    # expose 5432 for remote access, remove in production!
     #docker_registry_mirrors: ["https://docker.1panel.live","https://docker.1ms.run","https://docker.xuanyuan.me","https://registry-1.docker.io"]
 
     #----------------------------------------------#
diff --git a/files/cmdb.sql b/files/cmdb.sql
@@ -1380,9 +1380,9 @@ INSERT INTO pigsty.default_var VALUES
 (226, 'node_pip_packages', '""', 'NODE', 'NODE_PACKAGE', 'string', 'C', 'pip packages to be installed in uv venv', NULL),
 
 (230, 'node_selinux_mode', '"permissive"', 'NODE', 'NODE_SEC', 'enum', 'C', 'selinux mode: enforcing,permissive,disabled', NULL),
-(231, 'node_firewall_mode', '"none"', 'NODE', 'NODE_SEC', 'enum', 'C', 'firewall mode: none (skip), off (disable), zone (enable & config)', NULL),
+(231, 'node_firewall_mode', '"zone"', 'NODE', 'NODE_SEC', 'enum', 'C', 'firewall mode: zone (default), off (disable), none (skip & self-managed)', NULL),
 (232, 'node_firewall_intranet', '["10.0.0.0/8","192.168.0.0/16","172.16.0.0/12"]', 'NODE', 'NODE_SEC', 'cidr[]', 'C', 'node trusted intranet cidr list', NULL),
-(233, 'node_firewall_public_port', '[22,80,443,5432]', 'NODE', 'NODE_SEC', 'port[]', 'C', 'ports open to public in zone mode', NULL),
+(233, 'node_firewall_public_port', '[22,80,443]', 'NODE', 'NODE_SEC', 'port[]', 'C', 'ports open to public in zone mode', NULL),
 
 (240, 'node_disable_numa', 'false', 'NODE', 'NODE_TUNE', 'bool', 'C', 'disable node numa, reboot required', NULL),
 (241, 'node_disable_swap', 'false', 'NODE', 'NODE_TUNE', 'bool', 'C', 'disable node swap, use with caution', NULL),
diff --git a/roles/node/README.md b/roles/node/README.md
@@ -127,7 +127,7 @@ node (full role)
 | Variable             | Default | Description                                                       |
 |----------------------|---------|-------------------------------------------------------------------|
 | `node_selinux_mode`  | `enum`  | set selinux mode: enforcing,permissive,disabled                   |
-| `node_firewall_mode` | `enum`  | firewall mode: none (skip), off (disable), zone (enable & config) |
+| `node_firewall_mode` | `enum`  | firewall mode: zone (default), off (disable), none (skip & self-managed) |
 
 
 ### Packages
@@ -215,14 +215,15 @@ Some features have OS-specific implementations:
 
 ## Security Considerations
 
-The default configuration prioritizes **convenience for development/testing**.
+The default configuration provides a baseline secure stance while keeping development convenient.
 For production environments, review and adjust the following:
 
 | Setting                     | Default         | Production Recommendation                   |
 |-----------------------------|-----------------|---------------------------------------------|
 | `node_admin_sudo`           | `nopass`        | Use `limit` or `all` for least privilege    |
 | `node_selinux_mode`         | `permissive`    | Consider `enforcing` for critical systems   |
-| `node_firewall_public_port` | includes `5432` | Remove PostgreSQL port from public exposure |
+| `node_firewall_mode`        | `zone`          | Keep `zone`; use `none` only if self-managed |
+| `node_firewall_public_port` | `[22, 80, 443]` | Add extra ports (e.g. 5432) only when required |
 | `vip_auth_pass`             | auto-generated  | Set explicit strong password                |
 
 **Recommended production settings**:
@@ -231,7 +232,7 @@ For production environments, review and adjust the following:
 node_admin_sudo: limit              # Limited sudo commands without password
 node_selinux_mode: enforcing        # Full SELinux enforcement
 node_firewall_mode: zone            # trust intranet, expose 22 80 443 only
-node_firewall_public_port: [22, 80, 443]  # Remove 5432 from public
+node_firewall_public_port: [22, 80, 443]  # Minimal public exposure
 vip_auth_pass: '<strong-secret>'    # Explicit VRRP authentication
 ```
 
@@ -242,7 +243,7 @@ Ensure your network is trusted or use a bastion host.
 
 ## Firewall Management
 
-Enable firewall with `node_firewall_mode: zone`, then apply: `./node.yml -l <target> -t node_firewall`
+`node_firewall_mode` defaults to `zone` (trusted intranet + restricted public ports). Re-apply firewall rules with: `./node.yml -l <target> -t node_firewall`
 
 > **Note**: Firewall rules are **additive only**. To remove rules, use manual commands:
 
diff --git a/roles/node/defaults/main.yml b/roles/node/defaults/main.yml
@@ -34,7 +34,7 @@ node_pip_packages: ''             # pip packages to be installed in uv venv
 # NODE_SEC
 #-----------------------------------------------------------------
 node_selinux_mode: permissive     # set selinux mode: enforcing,permissive,disabled
-node_firewall_mode: none          # firewall mode: none (skip), off (disable), zone (enable & config)
+node_firewall_mode: zone          # firewall mode: zone (default), off (disable), none (skip & self-managed)
 node_firewall_intranet:           # which intranet cidr considered as internal network
   - 10.0.0.0/8
   - 192.168.0.0/16
@@ -43,7 +43,6 @@ node_firewall_public_port:        # expose these ports to public network in (zon
   - 22                            # enable ssh access
   - 80                            # enable http access
   - 443                           # enable https access
-  - 5432                          # enable postgresql access (think twice before exposing it!)
 
 #-----------------------------------------------------------------
 # NODE_TUNE
diff --git a/roles/node/tasks/sec.yml b/roles/node/tasks/sec.yml
@@ -17,16 +17,16 @@
 #--------------------------------------------------------------#
 # Firewall                                       [node_firewall]
 #--------------------------------------------------------------#
-# mode: off (disable firewall), none (do nothing), zone (trust intranet)
+# mode: zone (default, trust intranet), off (disable firewall), none (skip & self-managed)
 - name: setup node firewall
   tags: [ node_sec, node_firewall ]
-  when: node_firewall_mode|default('none') != 'none'
+  when: node_firewall_mode|default('zone') != 'none'
   ignore_errors: true
   vars:
     fw_intranet: "{{ node_firewall_intranet | default([]) | join(' ') }}"
     fw_public: "{{ node_firewall_public_port | default([]) | join(' ') }}"
   shell: |
-    MODE="{{ node_firewall_mode }}"
+    MODE="{{ node_firewall_mode | default('zone') }}"
     INTRANET="{{ fw_intranet }}"
     PUBLIC="{{ fw_public }}"
     if command -v firewall-cmd &>/dev/null; then
