SpipCP
Operations

Firewall & ports

Reconciled UFW rules on a node (desired state, with drift detection and a one-click reconcile) and per-instance port exposures (a node-host port forwarded into the instance) — both desired-state, never fire-and-forget.

Two day-2 surfaces control what's reachable: node firewall rules (firewall rules you set on a node) and instance port exposures (a port on the node forwarded into one instance). For both, the rules you set are the source of truth and the system keeps the live firewall matching them — they're not one-off commands that can drift.

Node firewall rules (UFW)

Where: Node workspace → Security tab → Firewall rules card.

These are firewall rules you set on the node — a custom admin port, or an allow/deny limited to a source CIDR. They're separate from the rules a domain or route creates automatically; this card is for the rules you define yourself.

Adding a rule

+ Add rule opens a dialog with:

FieldValuesNotes
Port1–65535the node-host port
ProtocolTCP / UDP
ActionAllow / DenyAllow opens it; Deny rejects it
From (optional)a source CIDR, e.g. 203.0.113.0/24empty ⇒ any source

A bad port, protocol, action, or CIDR is rejected before anything is written. On Add rule the rule becomes active and is applied on the node. Removing a rule (Remove, confirm) deletes it from the node, then drops the row.

Drift detection & reconcile

Hand-edits to the node firewall are caught

Your rules are the source of truth. If someone deletes a rule on the node outside the panel, the firewall no longer matches — that's drift. Check drift compares your rules to what's actually live; a missing rule shows a Drift detected badge and the row reads drifted. Reconcile re-applies your rules and clears the badge. The drift check is read-only — it never changes the node; only reconcile does.

The flow works cleanly both ways: add → active on the node → someone deletes it on the node → Check drift shows drift → Reconcile restores it → Remove takes it away. Reconciling is safe to repeat.

Instance port exposures

Where: Instance workspace → Network tab → Port exposures card.

A port exposure forwards a TCP/UDP port on the node into the instance — for example, exposing a Valkey/Redis or a database port on the node's IP. It opens the port on the node and forwards it to the instance, with a matching firewall rule.

Exposing a port

+ Expose a port opens a dialog with a Node-host port (the port opened on the node), an Instance port (the port inside the container), and a Protocol (TCP/UDP). Expose port sets up the forward and the firewall rule.

Remove (confirm) closes both the forward and the firewall rule — the exposure is gone in one action.

Port exposures vs domain routes

The Network → Port exposures card lists only raw port forwards. An HTTP domain route — a hostname with TLS, reverse-proxying to the site — is managed on the site workspace's Domains / Routes tab, not here.

Permissions

Managing node firewall rules needs the firewall-manage permission (admin); operators can view. Port exposures use the same permissions as routes.

On this page