From 2ad50e4d5b3f4e397a35aac8b0f551d67b95a1d1 Mon Sep 17 00:00:00 2001 From: sjat Date: Sat, 6 Jun 2026 16:00:19 +0200 Subject: [PATCH] docs(capabilities): note two-layer firewall model (ADR-020) --- docs/CAPABILITIES.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/CAPABILITIES.md b/docs/CAPABILITIES.md index b71ee4a..d971544 100644 --- a/docs/CAPABILITIES.md +++ b/docs/CAPABILITIES.md @@ -31,6 +31,10 @@ decisions this frame enables. _(DHCP, firewall, mDNS reflection live on OPNsense — Ansible-managed, not containers.)_ +_Firewalling is two-layer (ADR-020): OPNsense at the perimeter + inter-VLAN, plus +per-host `nftables` (default-deny inbound + east-west allowlist) rendered by the `base` +role from a shared `group_vars` service catalog. Both layers are still to be built._ + ## 2. Identity & access — [P] | Capability | Candidate service(s) | Tier | Commitment | What it does | Notes / open |