From 15c9d809525b4897e5275fa477dfb66403af99c4 Mon Sep 17 00:00:00 2001 From: Mikkel Georgsen Date: Wed, 14 Jan 2026 12:59:10 +0000 Subject: [PATCH] Harden core.georgsen.dk firewall - Whitelist home IP (83.89.248.247) for all traffic - Block DNS (53), spiceproxy (3128), Proxmox UI (8006, 8008) from internet - Add Fail2ban for SSH on PVE host - Home IP whitelisted in Fail2ban Access Proxmox from home IP directly or via Tailscale when remote. Co-Authored-By: Claude Opus 4.5 --- homelab-documentation.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/homelab-documentation.md b/homelab-documentation.md index 9e5f03e..2b33b20 100644 --- a/homelab-documentation.md +++ b/homelab-documentation.md @@ -95,10 +95,16 @@ NAT masquerade enabled for 10.5.0.0/24 → vmbr0 ### Firewall Rules (INPUT on vmbr0) +**Home IP (83.89.248.247) is whitelisted - always allowed.** + | Protocol | Port | Action | Purpose | |----------|------|--------|---------| -| TCP | 111 | DROP | Block portmapper from internet | -| UDP | 111 | DROP | Block portmapper from internet | +| ALL | * | ACCEPT | Allow home IP (83.89.248.247) | +| TCP/UDP | 111 | DROP | Block portmapper from internet | +| TCP/UDP | 53 | DROP | Block DNS (prevent amplification attacks) | +| TCP | 3128 | DROP | Block spiceproxy | +| TCP | 8006 | DROP | Block Proxmox UI (use home IP or Tailscale) | +| TCP | 8008 | DROP | Block Proxmox console | Saved with: `netfilter-persistent save` @@ -503,8 +509,16 @@ Personal company website ### Fail2ban +**core.georgsen.dk (PVE host):** +- Config: `/etc/fail2ban/jail.local` +- Jail: sshd +- Max retries: 5 +- Ban time: 24 hours +- Whitelisted: 127.0.0.1, 10.5.0.0/24, 83.89.248.247 + **Forgejo (VMID 114):** - Config: `/etc/fail2ban/jail.local` +- Jail: forgejo - Max retries: 5 - Ban time: 24 hours - Log: `/var/lib/forgejo/log/forgejo.log`
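Review bot: The firewall table in the first hunk (`### Firewall Rules (INPUT on vmbr0)`) does not record where the new `ALL | * | ACCEPT` rule sits in the INPUT chain, and since iptables is first-match the whitelist only works if it precedes the DROP rules; state explicitly that it is inserted at the top (and that this also exposes ports 111 and 53 to the home IP, which the per-port DROP rows no longer cover for that source). A second point worth a line in the same section: `83.89.248.247` is a residential address, so if it is reassigned the whitelist both locks you out of 8006/8008 (Tailscale remains the documented fallback) and grants the next holder of that address full access; document the procedure for updating the rule and re-running `netfilter-persistent save` when the home IP changes.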
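Review bot: The new `core.georgsen.dk (PVE host)` Fail2ban block in the second hunk lists the jail, retries, ban time and `ignoreip` entries but not the `findtime` window nor how the sshd jail reads its log (logpath vs. `backend = systemd`), which is the setting most likely to leave the jail silently inactive on a PVE host; add both lines so the entry is reproducible, mirroring the `Log:` line the Forgejo block already has. Also note the interaction with the `netfilter-persistent save` step documented in the first hunk: fail2ban manages its own `f2b-*` chains in the same INPUT table, so saving while bans are active persists those chains into the ruleset and can cause errors or duplicate rules when fail2ban recreates them at boot; document that the save should be taken with fail2ban stopped or with its chains excluded.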