
Firewall — Live Zone Posture

Captured: 2026-06-03 (read-only UniFi API scan)
Source: `uv run python -m scripts.labctl unifi firewall-policies` + `... zones`
Mode: Zone-Based Firewall (ZBF). The legacy `firewallrule` endpoint returns `[]`; all enforcement is via zone policies (119 total: 111 system/return, 8 user-defined).

This is the as-configured firewall, complementing the design/runbook in firewall-policy.md. Where they differ, this document is the truth.


1. Zones and their networks

```mermaid
graph TB
    subgraph INTERNAL["Internal (trusted)"]
        I1["GenPop v1"]
        I2["Personal v2"]
        I4["Servers v4"]
        I10["Management v10"]
    end
    subgraph IOT["IoT (untrusted)"]
        T5["IoT v5"]
        T3["Appliances v3"]
    end
    subgraph SEC["Security"]
        S6["Cameras v6"]
    end
    subgraph VPNZ["Vpn"]
        VP["VPN pool 192.168.2.0/24"]
    end
    subgraph EXT["External"]
        WAN["WAN1 + WAN2"]
    end
    GW["Gateway (UDM itself)"]
    HS["Hotspot (empty)"]
    DMZ["Dmz (empty)"]
```

| Zone | Type | Member networks |
|---|---|---|
| Internal | built-in (editable) | GenPop (1), Personal (2), Servers (4), Management (10) |
| IoT | custom | IoT (5), Appliances (3) |
| Security | custom | Security/Cameras (6) |
| Vpn | built-in | VPN Server pool |
| External | built-in | Internet 1, Internet 2 |
| Gateway | built-in | the UDM SE itself |
| Hotspot | built-in | (no networks) |
| Dmz | built-in | (no networks) |

2. Effective zone matrix (new connections)

Read row → column. "Established/related" return traffic is always allowed; this matrix is about who may initiate a new connection.

| ↓ from / → to | Internal | IoT | Security | Vpn | External | Gateway |
|---|---|---|---|---|---|---|
| Internal | partial¹ | partial² | BLOCK | ALLOW | ALLOW | ALLOW |
| IoT | BLOCK | BLOCK | BLOCK | BLOCK | ALLOW | DNS/DHCP only³ |
| Security | BLOCK | BLOCK | BLOCK | BLOCK | ALLOW | DNS/DHCP only³ |
| Vpn | ALLOW | BLOCK | BLOCK | ALLOW | ALLOW | ALLOW |
| External | port-fwd only⁴ | BLOCK | BLOCK | BLOCK | | services only⁵ |
| Gateway | ALLOW | ALLOW | ALLOW | ALLOW | ALLOW | |
  1. Internal → Internal is governed by intra-zone policies — see §3. Most inter-VLAN flows are blocked with named exceptions.
  2. Internal → IoT allows only Personal → Appliances; everything else (including any → IoT VLAN 5) is blocked.
  3. IoT/Security → Gateway is allowed except TCP/UDP 22, 80, 443 (admin ports, group "IoT Obstacles"); mDNS (224.0.0.251) is explicitly allowed. So these zones can use the gateway for DNS (53) and DHCP but not its admin UI.
  4. External → Internal allows only the three port-forwards to 192.168.6.243 (80, 8080, 443).
  5. External → Gateway allows specific services only (device adoption, IPsec, ESP, L2TP, DHCPv6, IPv6 ND/RA); all else blocked.

3. Internal zone — inter-VLAN rules (the important part)

GenPop, Personal, Servers, and Management all live inside the Internal zone, so traffic between those VLANs is controlled by intra-zone policies evaluated top-to-bottom:

| # | Policy | Action | Effect |
|---|---|---|---|
| 10000 | Management (v10) → Internal (any) | ALLOW | Mgmt can reach GenPop/Personal/Servers |
| 10001 | GenPop (v1) → Servers (v4) | ALLOW | |
| 10002 | Personal (v2) → Servers (v4) | ALLOW | |
| 10003 | Internal → Internal, state INVALID | DROP | hygiene |
| 10004 | Internal → Internal, state NEW+INVALID | BLOCK | blocks all other new inter-VLAN |
| max | Internal → Internal | ALLOW (default) | only matched by established/related |
```mermaid
graph LR
    MGMT["Management v10"]
    GP["GenPop v1"]
    PERS["Personal v2"]
    SRV["Servers v4"]
    APPL["Appliances v3 (IoT zone)"]

    MGMT -->|ALLOW| GP
    MGMT -->|ALLOW| PERS
    MGMT -->|ALLOW| SRV
    GP -->|ALLOW| SRV
    PERS -->|ALLOW| SRV
    PERS -->|ALLOW| APPL
    GP -.->|BLOCK| PERS
    SRV -.->|"BLOCK (new)"| GP
    SRV -.->|"BLOCK (new)"| PERS
```

Net result — who can start a conversation with whom (data VLANs):

| Source ↓ \ Dest → | GenPop 1 | Personal 2 | Appliances 3 | Servers 4 | IoT 5 | Security 6 | Mgmt 10 | Internet |
|---|---|---|---|---|---|---|---|---|
| GenPop 1 | – | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ |
| Personal 2 | ✗ | – | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ |
| Appliances 3 | ✗ | ✗ | – | ✗ | ✗ | ✗ | ✗ | ✓ |
| Servers 4 | ✗* | ✗* | ✗ | – | ✗ | ✗ | ✗ | ✓ |
| IoT 5 | ✗ | ✗ | ✗ | ✗ | – | ✗ | ✗ | ✓ |
| Security 6 | ✗ | ✗ | ✗ | ✗ | ✗ | – | ✗ | ✓ |
| Mgmt 10 | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ | – | ✓ |

✓ = new connections allowed; ✗ = blocked; ✗* = blocked to initiate, but established replies to GenPop/Personal-initiated sessions are allowed. Intra-VLAN traffic (same subnet) is switched, never hits these rules, and is always allowed. "Internet" assumes working DNS (see the DNS path).

Notable: Management → Appliances/IoT/Security is BLOCKED. The "Allow Management → All" policy is scoped to the Internal zone only, so it does not reach the IoT or Security zones.
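To make the "net result" reproducible rather than hand-derived, here is an added example (not the page's `scripts.labctl` tooling, and not UniFi code) that models the zone membership from §1, the zone matrix from §2 and the ordered intra-Internal policies from §3, then re-derives the matrix above. The VLAN ids, policy order and verdicts are transcribed from this page; the `evaluate()` function, its `Endpoint` convention (`"Gateway"` / `"Internet"` as pseudo-destinations) and the `ZONE_MATRIX` table are this example's own simplification, and it models only NEW, ESTABLISHED/RELATED and INVALID states.

```python
"""Added example, not the page's labctl tooling: a small model of the captured
zone posture (sections 1-3) that answers "may A open a connection to B?" and
re-derives the net-result matrix from the ordered policies."""
from typing import Optional, Union

Endpoint = Union[int, str]  # VLAN id, or the literal "Gateway" / "Internet"

# Section 1: VLAN -> zone, transcribed from the page.
VLAN_ZONE = {1: "Internal", 2: "Internal", 4: "Internal", 10: "Internal",
             3: "IoT", 5: "IoT", 6: "Security"}
VLAN_NAME = {1: "GenPop", 2: "Personal", 3: "Appliances", 4: "Servers",
             5: "IoT", 6: "Security", 10: "Mgmt"}
ADMIN_PORTS = {22, 80, 443}  # the "IoT Obstacles" group (section 2, note 3)

# Section 3: intra-Internal policies in evaluation order.
# (index, name, src VLAN or None=any, dst VLAN or None=any, states or None=any, action)
INTERNAL_POLICIES = [
    (10000, "Allow Management -> All", 10, None, None, "ALLOW"),
    (10001, "Allow GenPop -> Servers", 1, 4, None, "ALLOW"),
    (10002, "Allow Personal -> Servers", 2, 4, None, "ALLOW"),
    (10003, "Drop invalid state", None, None, {"INVALID"}, "DROP"),
    (10004, "Block inter-VLAN", None, None, {"NEW", "INVALID"}, "BLOCK"),
]

# Section 2: zone-to-zone verdicts for NEW connections. Pairs with finer
# rules (Internal->IoT, IoT/Security->Gateway) are handled in evaluate().
ZONE_MATRIX = {
    ("Internal", "Security"): "BLOCK", ("Internal", "External"): "ALLOW",
    ("Internal", "Gateway"): "ALLOW",
    ("IoT", "Internal"): "BLOCK", ("IoT", "IoT"): "BLOCK",
    ("IoT", "Security"): "BLOCK", ("IoT", "External"): "ALLOW",
    ("Security", "Internal"): "BLOCK", ("Security", "IoT"): "BLOCK",
    ("Security", "Security"): "BLOCK", ("Security", "External"): "ALLOW",
}


def zone_of(ep: Endpoint) -> str:
    """Zone of a destination: a VLAN id, or the pseudo-endpoints used here."""
    if ep == "Gateway":
        return "Gateway"
    if ep == "Internet":
        return "External"
    return VLAN_ZONE[ep]


def evaluate(src_vlan: int, dst: Endpoint, state: str = "NEW",
             dport: Optional[int] = None) -> str:
    """Verdict (ALLOW/BLOCK/DROP) for a packet from a host on src_vlan towards dst."""
    if dst == src_vlan:
        return "ALLOW"  # same subnet is switched and never reaches the firewall
    sz, dz = VLAN_ZONE[src_vlan], zone_of(dst)
    if sz == "Internal" and dz == "Internal":
        # First match wins; the implicit "max" policy allows whatever nothing
        # else matched, which in practice is only established/related traffic.
        for _idx, _name, s, d, states, action in INTERNAL_POLICIES:
            if (s in (None, src_vlan) and d in (None, dst)
                    and (states is None or state in states)):
                return action
        return "ALLOW"
    if state in ("ESTABLISHED", "RELATED"):
        return "ALLOW"  # return traffic across zones is always allowed (section 2)
    if sz == "Internal" and dz == "IoT":
        return "ALLOW" if (src_vlan, dst) == (2, 3) else "BLOCK"  # only Personal -> Appliances
    if sz in ("IoT", "Security") and dz == "Gateway":
        return "BLOCK" if dport in ADMIN_PORTS else "ALLOW"  # DNS/DHCP yes, admin UI no
    return ZONE_MATRIX[(sz, dz)]


def net_result() -> dict:
    """Section-3 'net result' matrix for NEW connections, keyed (src VLAN, dst)."""
    targets = list(VLAN_NAME) + ["Internet"]
    return {(s, d): "–" if s == d else ("✓" if evaluate(s, d) == "ALLOW" else "✗")
            for s in VLAN_NAME for d in targets}


if __name__ == "__main__":
    matrix = net_result()
    cols = list(VLAN_NAME) + ["Internet"]
    print("src \\ dst".ljust(12) + "".join(str(c).rjust(9) for c in cols))
    for s in VLAN_NAME:
        print(VLAN_NAME[s].ljust(12) + "".join(matrix[(s, d)].rjust(9) for d in cols))
```

The one case worth watching in the output is `evaluate(10, 3)`: Management reaches every Internal VLAN but not Appliances, exactly the scoping gotcha noted above. Intra-Internal verdicts come purely from the ordered list (so the Servers → GenPop ESTABLISHED case falls through to the default ALLOW), while cross-zone verdicts apply the "return traffic always allowed" rule first.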


4. All user-defined policies (verbatim)

| Index | Name | From | To | Action | State/Ports |
|---|---|---|---|---|---|
| 10000 | Allow Management → All | Internal: Management v10 | Internal: any | ALLOW | all |
| 10001 | Allow GenPop → Servers | Internal: GenPop v1 | Internal: Servers v4 | ALLOW | all |
| 10002 | Allow Personal → Servers | Internal: Personal v2 | Internal: Servers v4 | ALLOW | all |
| 10003 | Drop invalid state | Internal | Internal | DROP | INVALID |
| 10004 | Block inter-VLAN | Internal | Internal | BLOCK | NEW+INVALID |
| 10000 | Personal → Appliances | Internal: Personal v2 | IoT: Appliances v3 | ALLOW | all |
| 10000 | Block IoT → Gateway mgmt | IoT | Gateway | BLOCK | ports 22/80/443 |
| 10000 | Block Security → Gateway | Security | Gateway | BLOCK | ports 22/80/443 |

Indices restart at 10000 for each source/destination zone pair, which is why the value repeats; ordering only matters among policies of the same pair.

System-generated mDNS allows (Internal/IoT/Security → Gateway 224.0.0.251) and the External service/port-forward rules are present as predefined policies.


5. External / WAN ingress

```mermaid
graph LR
    NET["Internet"]
    UDM["UDM SE"]
    SALT["saltierpoop<br/>192.168.6.243"]
    NET -->|"tcp/udp 80"| UDM --> SALT
    NET -->|"tcp/udp 8080"| UDM
    NET -->|"tcp/udp 443"| UDM
    NET -.->|"all else: BLOCK"| UDM
```

Only the three saltierpoop port-forwards (80, 8080, 443) and standard gateway service rules accept inbound from the Internet. Everything else from External → Internal/IoT/Security/Vpn is blocked.


6. Cross-checks against design

  • IoT and Security isolation matches firewall-policy.md: ✓
  • GenPop/Personal → Servers exceptions present: ✓
  • Personal → Appliances exception present: ✓
  • Gap: No explicit Personal → IoT allow, so AirPlay/HomeKit to HomePod and Apple TV (both on IoT) is limited to mDNS discovery — unicast streaming is blocked. Tracked in observations.
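The cross-checks above are easy to re-run mechanically against the captured policy list. The following is an added example (not the page's `scripts.labctl` tooling): it parses the §4 table, embedded below as constructed text in a pipe-separated form, and evaluates the §6 expectations, reporting the missing Personal → IoT allow as a gap. The `parse_endpoint` / `has_allow` / `cross_check` helpers and the check labels are this example's own; absence of an ALLOW policy is only treated as isolation for zone pairs whose default in §2 is BLOCK.

```python
"""Added example, not part of the page's labctl tooling: cross-check the
captured user-defined policies (section 4) against the section-6 design
expectations."""
import re

# Section-4 table, transcribed from the page as constructed input:
# index | name | from | to | action | state/ports
CAPTURED = """\
10000 | Allow Management → All | Internal: Management v10 | Internal: any | ALLOW | all
10001 | Allow GenPop → Servers | Internal: GenPop v1 | Internal: Servers v4 | ALLOW | all
10002 | Allow Personal → Servers | Internal: Personal v2 | Internal: Servers v4 | ALLOW | all
10003 | Drop invalid state | Internal | Internal | DROP | INVALID
10004 | Block inter-VLAN | Internal | Internal | BLOCK | NEW+INVALID
10000 | Personal → Appliances | Internal: Personal v2 | IoT: Appliances v3 | ALLOW | all
10000 | Block IoT → Gateway mgmt | IoT | Gateway | BLOCK | ports 22/80/443
10000 | Block Security → Gateway | Security | Gateway | BLOCK | ports 22/80/443
"""


def parse_endpoint(text: str):
    """'Internal: Personal v2' -> ('Internal', 2); 'Internal: any' or 'IoT' -> (zone, None)."""
    zone, _, rest = text.partition(":")
    m = re.search(r"\bv(\d+)\b", rest)
    return zone.strip(), (int(m.group(1)) if m else None)


def parse_policies(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        idx, name, src, dst, action, state = [c.strip() for c in line.split("|")]
        rows.append({"index": int(idx), "name": name, "src": parse_endpoint(src),
                     "dst": parse_endpoint(dst), "action": action, "state": state})
    return rows


def has_allow(policies: list, src: tuple, dst: tuple) -> bool:
    """True if some ALLOW policy covers the exact src -> dst pair.
    A None VLAN in a policy endpoint means 'any VLAN of that zone'."""
    for p in policies:
        if p["action"] != "ALLOW":
            continue
        (sz, sv), (dz, dv) = p["src"], p["dst"]
        if sz == src[0] and dz == dst[0] and sv in (None, src[1]) and dv in (None, dst[1]):
            return True
    return False


def any_allow_between_zones(policies: list, sz: str, dz: str) -> bool:
    return any(p["action"] == "ALLOW" and p["src"][0] == sz and p["dst"][0] == dz
               for p in policies)


# Section-6 expectations (constructed labels): pairs that must have an explicit allow ...
EXPECTED_ALLOWS = {
    "GenPop -> Servers": (("Internal", 1), ("Internal", 4)),
    "Personal -> Servers": (("Internal", 2), ("Internal", 4)),
    "Personal -> Appliances": (("Internal", 2), ("IoT", 3)),
    "Personal -> IoT (AirPlay/HomeKit)": (("Internal", 2), ("IoT", 5)),  # the known gap
}
# ... and zone pairs whose section-2 default is BLOCK and must not gain an allow.
ISOLATION = {
    "IoT -> Internal isolated": ("IoT", "Internal"),
    "Security -> Internal isolated": ("Security", "Internal"),
    "IoT -> Security isolated": ("IoT", "Security"),
}


def cross_check(policies: list) -> dict:
    """Map each check label to 'ok', 'GAP' (expected allow missing) or 'VIOLATION'."""
    results = {}
    for label, (src, dst) in EXPECTED_ALLOWS.items():
        results[label] = "ok" if has_allow(policies, src, dst) else "GAP"
    for label, (sz, dz) in ISOLATION.items():
        results[label] = "VIOLATION" if any_allow_between_zones(policies, sz, dz) else "ok"
    return results


if __name__ == "__main__":
    for label, verdict in cross_check(parse_policies(CAPTURED)).items():
        print(f"{verdict:9} {label}")
```

Note that `has_allow` matches the policy's scope exactly, so "Allow Management → All" (destination `Internal: any`) satisfies a Management → Servers query but not Management → Appliances, reproducing the scoping caveat from §3 without any special casing.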