Turning on #IPFire (a hardened firewall distro) has made me paranoid. The intrusion detection system alerts on all the things now.

I cranked down the firewall in the DMZ to only allow the bare minimum outbound connectivity. I wrote k8s network policies so each pod is firewalled so it can only access the services it requires, and vice-versa, so if somebody can execute code remotely, they’re still stuck in a small sandbox isolated from the rest of the environment. None of the k8s environment is accessible from outside; all traffic must pass through haproxy. None of the devices on the WLAN can access the DMZ.

Hopefully I’ve made it hard enough to get anywhere that the bad guys will just look for easier targets.
