From b3354888234ab322f7e824f92aed55ad5ae8cce6 Mon Sep 17 00:00:00 2001 From: Mikkel Georgsen Date: Wed, 14 Jan 2026 12:54:04 +0000 Subject: [PATCH] Block portmapper (port 111) from public internet Fix for CERT-Bund security notification about exposed rpcbind service. Added iptables rules to drop port 111 on vmbr0 (public interface). Co-Authored-By: Claude Opus 4.5 --- homelab-documentation.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/homelab-documentation.md b/homelab-documentation.md index 2636de5..9e5f03e 100644 --- a/homelab-documentation.md +++ b/homelab-documentation.md @@ -93,6 +93,15 @@ iface vmbr2 inet static NAT masquerade enabled for 10.5.0.0/24 → vmbr0 +### Firewall Rules (INPUT on vmbr0) + +| Protocol | Port | Action | Purpose | +|----------|------|--------|---------| +| TCP | 111 | DROP | Block portmapper from internet | +| UDP | 111 | DROP | Block portmapper from internet | + +Saved with: `netfilter-persistent save` + ### DHCP (dnsmasq) - Range: 10.5.0.100 - 10.5.0.200 - Lease time: 24h
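Review bot: the new "Firewall Rules (INPUT on vmbr0)" table records intent (TCP/UDP 111 DROP) but not the rules as actually loaded, so the documentation cannot be used to reproduce or verify the fix. Please add the exact iptables invocations next to the `netfilter-persistent save` line, including the interface match and whether they were inserted (`-I`) at the top of INPUT or appended (`-A`) after existing ACCEPT rules, since an appended DROP that follows a broad ACCEPT does nothing. A verification line (for example the output of `iptables -S INPUT` showing the two rules) and an external check against the public address would show the CERT-Bund finding is closed. Finally, the table should state whether rpcbind is still needed on this host at all: if NFS/NIS is not in use, disabling the service (or binding it to the internal 10.5.0.0/24 side only) removes the exposure rather than masking it, and a firewall-only fix silently reopens the port if the ruleset is ever flushed or restored from an older save.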