mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-04-28 19:41:17 +00:00
fd39196166
- Refactor specialized docs for conciseness and clarity - Rename files to UPPER_CASE.md convention - Verify accuracy against codebase - Fix broken links
35 lines
1.1 KiB
Markdown
35 lines
1.1 KiB
Markdown
# 🌐 Sensor Proxy Network Segmentation
|
|
|
|
Isolate the proxy to prevent lateral movement.
|
|
|
|
## 🚧 Zones
|
|
* **Pulse App**: Connects to Proxy via Unix socket (local).
|
|
* **Sensor Proxy**: Outbound SSH to Proxmox nodes only.
|
|
* **Proxmox Nodes**: Accept SSH from Proxy.
|
|
* **Logging**: Accepts RELP/TLS from Proxy.
|
|
|
|
## 🛡️ Firewall Rules
|
|
|
|
| Source | Dest | Port | Purpose | Action |
|
|
| :--- | :--- | :--- | :--- | :--- |
|
|
| **Pulse App** | Proxy | `unix` | RPC Requests | **Allow** (Local) |
|
|
| **Proxy** | Nodes | `22` | SSH (sensors) | **Allow** |
|
|
| **Proxy** | Logs | `6514` | Audit Logs | **Allow** |
|
|
| **Any** | Proxy | `22` | SSH Access | **Deny** (Use Bastion) |
|
|
| **Proxy** | Internet | `any` | Outbound | **Deny** |
|
|
|
|
## 🔧 Implementation (iptables)
|
|
```bash
|
|
# Allow SSH to Proxmox
|
|
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET> --dport 22 -j ACCEPT
|
|
|
|
# Allow Log Forwarding
|
|
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -j ACCEPT
|
|
|
|
# Drop all other outbound
|
|
iptables -P OUTPUT DROP
|
|
```
|
|
|
|
## 🚨 Monitoring
|
|
* Alert on outbound connections to non-whitelisted IPs.
|
|
* Monitor `pulse_proxy_limiter_rejects_total` for abuse.
|