V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/initramfs-tools/files/dropbear_fw.sh

@@ -18,16 +18,6 @@
 #
 # IPv6 is not supported in initramfs at this stage due to complexity.
 # Only trusted IPv4 addresses are allowed.
-#
-# ┌─────────────────────────────────────────────────────────────┐
-# │ ACCESS LOGIC:                                               │
-# │                                                             │
-# │ - If is_jump_host = true:                                   │
-# │     then allow all IPv4 connections to the Dropbear port    │
-# │                                                             │
-# │ - If is_jump_host = false:                                  │
-# │     then allow only the bastion/jump-server IPv4 address    │
-# └─────────────────────────────────────────────────────────────┘
 
 PREREQ="dropbear"
 
@@ -42,6 +32,8 @@ DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
 if [ -f "${DROPBEAR_FW_CONF}" ]; then
   # shellcheck disable=SC1090
   . "${DROPBEAR_FW_CONF}"
+else
+  DROPBEAR_FIREWALL_ENABLED=0
 fi
 
 ### Abort if the firewall flag is not set or disabled.
@@ -65,17 +57,8 @@ if command -v iptables >/dev/null 2>&1; then
   ### Allow local loopback.
   iptables -A INPUT -i lo -j ACCEPT
 
-  ### Access control based on the host role.
-  if [ "${DROPBEAR_BASTION_ENABLE}" = true ]; then
-
-    ### SSH Bastion Host: allow any source IP on the dropbear SSH port.
-    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -j ACCEPT
-
-  else
-
-    ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
-    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
-  fi
+  ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
+  iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
 
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh