- RUN.md: start/stop/inspect/smoke-test commands for the hardened
DeerFlow stack on data-nuc, including the docker compose -f overlay
invocation and a copy-paste smoke test that verifies allow + block
destinations from inside the container.
- scripts/deerflow-firewall.sh: status now uses iptables -nvL so the
input-interface column is included, and the awk filter shows the
header plus all rules matching br-deerflow. The previous version
used -nL which omits the interface column entirely, so the grep
found nothing even when the rules were correctly installed.
Adds the host-level egress firewall recommended by the upstream
DeerFlow team's "run in a VLAN" guidance, adapted to a Fritzbox-only
home network where LAN VLANs are not available.
- docker/docker-compose.override.yaml: pins the upstream deer-flow
Docker network to a stable Linux bridge name br-deerflow so the
firewall can address it without guessing Docker's auto-generated
br-<hash>. Used as a -f overlay on top of the upstream compose file.
- scripts/deerflow-firewall.sh: idempotent up/down/status wrapper that
installs DOCKER-USER iptables rules. Allowlist for 10.67.67.1 (Searx)
and 10.67.67.2 (XTTS/Whisper/Ollama-local), hard block for
192.168.3.0/24 (home LAN), 10.0.0.0/8, 172.16.0.0/12. Stateful return
rule keeps inbound LAN access to published ports working.
- scripts/deerflow-firewall.nix: NixOS module snippet defining a
systemd unit ordered After=docker.service so the rules survive
dockerd restarts and follow its lifecycle. Copy into
configuration.nix and nixos-rebuild switch.
- HARDENING.md: new section 2.7 "Network isolation (egress firewall)"
with allow/block tables, bring-up steps, and smoke-test commands.
Guarantees: rules match on -i br-deerflow, so if the bridge does not
exist, the rules are no-ops and do not affect any other container
(paperclip, telebrowser, openclaw-gateway, ...). Stopping the
container leaves the rules in place but inert; stopping the systemd
unit removes them.
