diff --git a/docs/CAPABILITIES.md b/docs/CAPABILITIES.md index b71ee4a..d971544 100644 --- a/docs/CAPABILITIES.md +++ b/docs/CAPABILITIES.md @@ -31,6 +31,10 @@ decisions this frame enables. _(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not containers.)_ +_Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus +per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base` +role from a shared `group_vars` service catalog. Both layers are still to be built._ + ## 2. Identity & access — [P] | Capability | Candidate service(s) | Tier | Commitment | What it does | Notes / open |
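Review bot: the added italic note states "Both layers are still to be built", but the unchanged context line directly above it lists "firewall" among the things that "live on OPNsense — Ansible-managed"; one of the two reads as already deployed and the other as not yet existing. Either qualify the context line ("firewall (perimeter rules pending, see ADR-020)") or drop "Both" and say only that the per-host `nftables` layer is still to be built, whichever matches the actual state. Also consider turning the bare "ADR-020" reference into a link to the decision record (for example `[ADR-020](<path-to-adr-020>)`, path to be confirmed), since the rest of this document uses a Notes / open column for exactly this kind of cross-reference and a reader of CAPABILITIES.md otherwise has to guess where the design of the default-deny inbound and east-west allowlist is recorded.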