# SystemRescue Firewall Hardening

## Default state

- **IPv4**: INPUT policy ACCEPT (wide open — all traffic allowed inbound)
- **IPv6**: INPUT policy DROP (only established, loopback, and ICMPv6 allowed)
- **nftables** manages both tables (shown via `nft list ruleset`)

## Recommended lockdown (headless remote-access use)

```bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
```

## Persistence limitation

SystemRescue mounts the USB as **read-only** (`/run/archiso/bootmnt`). Firewall rules cannot be saved to the USB without a backing-store. To make them persistent:

1. Boot with `cow_label=RESCUE_DATA` (backing-store on a separate partition)
2. Save rules: `iptables-save > /run/archiso/cow/root/etc/iptables/rules.v4`
3. Create a startup script in `/etc/init.d/` or use `sysrescue.d/` autorun

## Service audit (SystemRescue 13.01 defaults)

Running services by default:
- dbus-broker, getty@tty1, NetworkManager, polkit, rtkit-daemon
- sshd (only if started), systemd-journald, systemd-logind, systemd-udevd
- systemd-userdbd, upower, wpa_supplicant, user@0

Safe to disable for headless rescue use:
```bash
systemctl stop wpa_supplicant bluetooth upower
systemctl disable wpa_supplicant bluetooth upower
```

## HTTP/API reverse-proxy approach

If the laptop sits behind NAT and a direct SSH connection is impossible, consider:
- SystemRescue's built-in `reverse_ssh` script (see manual: Reverse_ssh)
- Tailscale (install via pacman in SystemRescue with backing-store)
