@ebowwa/hetzner 0.1.0

package/bootstrap/firewall.js

@@ -0,0 +1,279 @@
+/**
+ * UFW Firewall Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing servers with UFW (Uncomplicated Firewall).
+ * Includes: default deny incoming, allow outgoing, rate limiting, and logging.
+ *
+ * Background: Hetzner public IPs face constant scanning and brute-force attacks.
+ * UFW provides a simple interface to iptables/nftables with secure defaults.
+ *
+ * This module is imported by cloud-init.ts (seed/worker nodes) and genesis.ts
+ * (control plane) so every new server gets firewall protection at first boot.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - ufwFirewallPackages()    → packages: section
+ *   - ufwFirewallWriteFiles()  → write_files: section
+ *   - ufwFirewallRunCmd()      → runcmd: section
+ *
+ * Security Policy:
+ *   - Default: deny incoming, allow outgoing (stateful)
+ *   - SSH (22): rate limited to prevent brute-force
+ *   - HTTP/HTTPS (80/443): allowed for web services
+ *   - Node Agent (8911): allowed for internal communication
+ *   - Tailscale (41641): allowed for VPN
+ *   - Logging: enabled with rate limiting to prevent log flooding
+ */
+/**
+ * Default firewall options for Genesis control plane servers.
+ */
+export const DEFAULT_UFW_GENESIS_OPTIONS = {
+    allowSSHFrom: [], // Empty = allow from anywhere
+    allowHTTP: true,
+    allowHTTPS: true,
+    allowNodeAgent: false, // Genesis doesn't run node-agent
+    verboseLogging: false,
+};
+/**
+ * Default firewall options for worker/seed servers.
+ */
+export const DEFAULT_UFW_WORKER_OPTIONS = {
+    allowSSHFrom: [], // Empty = allow from anywhere
+    allowHTTP: false,
+    allowHTTPS: false,
+    allowNodeAgent: true, // Workers run node-agent on port 8911
+    verboseLogging: false,
+};
+/**
+ * Packages required for UFW firewall.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - ufw: Uncomplicated Firewall interface to iptables/nftables
+ */
+export function ufwFirewallPackages() {
+    return [
+        "  - ufw",
+    ];
+}
+/**
+ * Files to write at first boot for UFW firewall configuration.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 2 files onto the server:
+ *
+ * 1. /etc/ufw/before.rules
+ *    - Custom before rules for stateful firewall behavior
+ *    - Allows loopback, established/related connections
+ *    - Drops invalid packets early
+ *
+ * 2. /etc/ufw/sysctl.conf
+ *    - Enables kernel network security parameters
+ *    - IP spoofing protection
+ *    - ICMP redirect protection
+ *    - Log martian packets
+ */
+export function ufwFirewallWriteFiles(options = {}) {
+    const lines = [];
+    // 1. UFW before.rules - stateful firewall rules applied before UFW rules
+    lines.push("  # UFW before.rules - stateful firewall and network security");
+    lines.push("  - path: /etc/ufw/before.rules");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      #");
+    lines.push("      # UFW before.rules - applied before UFW rules");
+    lines.push("      #");
+    lines.push("      # Start with the standard configuration");
+    lines.push("      *filter");
+    lines.push("      :ufw-before-input - [0:0]");
+    lines.push("      :ufw-before-output - [0:0]");
+    lines.push("      :ufw-before-forward - [0:0]");
+    lines.push("      :ufw-not-local - [0:0]");
+    lines.push("      # End of lines to adjust");
+    lines.push("");
+    lines.push("      # Allow all on loopback");
+    lines.push("      -A ufw-before-input -i lo -j ACCEPT");
+    lines.push("      -A ufw-before-output -o lo -j ACCEPT");
+    lines.push("");
+    lines.push("      # Drop invalid packets");
+    lines.push("      -A ufw-before-input -m conntrack --ctstate INVALID -j DROP");
+    lines.push("");
+    lines.push("      # Allow established and related connections");
+    lines.push("      -A ufw-before-input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
+    lines.push("      -A ufw-before-output -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
+    lines.push("");
+    lines.push("      # Allow ICMP messages (required for PMTU discovery)");
+    lines.push("      -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT");
+    lines.push("      -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT");
+    lines.push("      -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT");
+    lines.push("      -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT");
+    lines.push("");
+    lines.push("      # Drop packets with bogus TCP flags (potential scan)");
+    lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP");
+    lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL ALL -j DROP");
+    lines.push("");
+    lines.push("      # Commit changes");
+    lines.push("      COMMIT");
+    lines.push("");
+    // 2. UFW sysctl.conf - kernel network security parameters
+    lines.push("  # UFW sysctl.conf - kernel network hardening");
+    lines.push("  - path: /etc/ufw/sysctl.conf");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      #");
+    lines.push("      # UFW sysctl.conf - kernel network security parameters");
+    lines.push("      #");
+    lines.push("");
+    lines.push("      # IP spoofing protection");
+    lines.push("      net/ipv4/conf/all/rp_filter=1");
+    lines.push("      net/ipv4/conf/default/rp_filter=1");
+    lines.push("");
+    lines.push("      # Ignore ICMP redirect messages");
+    lines.push("      net/ipv4/conf/all/accept_redirects=0");
+    lines.push("      net/ipv6/conf/all/accept_redirects=0");
+    lines.push("      net/ipv4/conf/default/accept_redirects=0");
+    lines.push("      net/ipv6/conf/default/accept_redirects=0");
+    lines.push("");
+    lines.push("      # Ignore send redirects");
+    lines.push("      net/ipv4/conf/all/send_redirects=0");
+    lines.push("      net/ipv4/conf/default/send_redirects=0");
+    lines.push("");
+    lines.push("      # Log martian packets (packets with impossible addresses)");
+    lines.push("      net/ipv4/conf/all/log_martians=1");
+    lines.push("      net/ipv4/conf/default/log_martians=1");
+    lines.push("");
+    lines.push("      # SYN cookies protection (SYN flood mitigation)");
+    lines.push("      net/ipv4/tcp_syncookies=1");
+    lines.push("");
+    lines.push("      # Source address verification (spoofing protection)");
+    lines.push("      net/ipv4/conf/all/secure_redirects=1");
+    lines.push("      net/ipv4/conf/default/secure_redirects=1");
+    lines.push("");
+    return lines;
+}
+/**
+ * Commands to configure and activate UFW firewall at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Set default policies (deny incoming, allow outgoing)
+ *   2. Allow loopback interface
+ *   3. Allow SSH with rate limiting (prevents brute-force)
+ *   4. Allow HTTP/HTTPS if enabled
+ *   5. Allow Node Agent port if enabled
+ *   6. Allow Tailscale port (required for VPN)
+ *   7. Enable logging with rate limiting
+ *   8. Enable and reload UFW
+ *   9. Display firewall status
+ */
+export function ufwFirewallRunCmd(options = {}) {
+    const { allowSSHFrom = [], allowHTTP = true, allowHTTPS = true, allowNodeAgent = false, additionalPorts = [], verboseLogging = false, } = options;
+    const lines = [];
+    lines.push("  # UFW Firewall: Configure and enable secure firewall");
+    lines.push("");
+    // Set default policies
+    lines.push("  # Set default policies: deny incoming, allow outgoing");
+    lines.push("  - ufw --force reset");
+    lines.push("  - ufw default deny incoming");
+    lines.push("  - ufw default allow outgoing");
+    lines.push("  - ufw default deny forwarded");
+    lines.push("");
+    // Allow loopback
+    lines.push("  # Allow loopback interface");
+    lines.push("  - ufw allow in on lo");
+    lines.push("");
+    // Allow SSH with rate limiting
+    if (allowSSHFrom.length === 0) {
+        // Allow SSH from anywhere with rate limiting
+        lines.push("  # Allow SSH with rate limiting (6 connections in 30 seconds)");
+        lines.push("  - ufw limit 22/tcp comment 'Rate-limited SSH'");
+    }
+    else {
+        // Allow SSH from specific IPs/CIDRs
+        for (const source of allowSSHFrom) {
+            lines.push(`  - ufw allow from ${source} to any port 22 proto tcp comment 'SSH from ${source}'`);
+        }
+    }
+    lines.push("");
+    // Allow HTTP if enabled
+    if (allowHTTP) {
+        lines.push("  # Allow HTTP");
+        lines.push("  - ufw allow 80/tcp comment 'HTTP'");
+    }
+    // Allow HTTPS if enabled
+    if (allowHTTPS) {
+        lines.push("  # Allow HTTPS");
+        lines.push("  - ufw allow 443/tcp comment 'HTTPS'");
+    }
+    lines.push("");
+    // Allow Node Agent port if enabled
+    if (allowNodeAgent) {
+        lines.push("  # Allow Node Agent (internal communication)");
+        lines.push("  - ufw allow 8911/tcp comment 'Node Agent'");
+        lines.push("");
+    }
+    // Allow Tailscale (required for VPN functionality)
+    lines.push("  # Allow Tailscale VPN");
+    lines.push("  - ufw allow 41641/udp comment 'Tailscale'");
+    lines.push("");
+    // Additional ports
+    if (additionalPorts.length > 0) {
+        lines.push("  # Additional custom ports");
+        for (const portConfig of additionalPorts) {
+            const protocol = portConfig.protocol || "tcp";
+            const comment = portConfig.comment || `Custom port ${portConfig.port}`;
+            lines.push(`  - ufw allow ${portConfig.port}/${protocol} comment '${comment}'`);
+        }
+        lines.push("");
+    }
+    // Configure logging
+    if (verboseLogging) {
+        lines.push("  # Enable verbose logging");
+        lines.push("  - ufw logging on");
+        lines.push("  - ufw logging high");
+    }
+    else {
+        lines.push("  # Enable rate-limited logging (prevent log flooding)");
+        lines.push("  - ufw logging on");
+        lines.push("  - ufw logging low");
+    }
+    lines.push("");
+    // Enable and reload UFW
+    lines.push("  # Enable and reload UFW");
+    lines.push("  - ufw --force enable");
+    lines.push("  - ufw reload");
+    lines.push("");
+    // Display status
+    lines.push("  # Display firewall status");
+    lines.push("  - ufw status verbose > /var/log/ufw-bootstrap-status.log");
+    lines.push("");
+    return lines;
+}
+/**
+ * Generate complete UFW firewall configuration for Genesis servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_GENESIS_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export function generateUFWFirewallForGenesis(options = DEFAULT_UFW_GENESIS_OPTIONS) {
+    return {
+        packages: ufwFirewallPackages(),
+        writeFiles: ufwFirewallWriteFiles(options),
+        runCmd: ufwFirewallRunCmd(options),
+    };
+}
+/**
+ * Generate complete UFW firewall configuration for worker/seed servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_WORKER_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export function generateUFWFirewallForWorker(options = DEFAULT_UFW_WORKER_OPTIONS) {
+    return {
+        packages: ufwFirewallPackages(),
+        writeFiles: ufwFirewallWriteFiles(options),
+        runCmd: ufwFirewallRunCmd(options),
+    };
+}
+//# sourceMappingURL=firewall.js.map

package/bootstrap/firewall.ts

@@ -0,0 +1,342 @@
+/**
+ * UFW Firewall Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing servers with UFW (Uncomplicated Firewall).
+ * Includes: default deny incoming, allow outgoing, rate limiting, and logging.
+ *
+ * Background: Hetzner public IPs face constant scanning and brute-force attacks.
+ * UFW provides a simple interface to iptables/nftables with secure defaults.
+ *
+ * This module is imported by cloud-init.ts (seed/worker nodes) and genesis.ts
+ * (control plane) so every new server gets firewall protection at first boot.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - ufwFirewallPackages()    → packages: section
+ *   - ufwFirewallWriteFiles()  → write_files: section
+ *   - ufwFirewallRunCmd()      → runcmd: section
+ *
+ * Security Policy:
+ *   - Default: deny incoming, allow outgoing (stateful)
+ *   - SSH (22): rate limited to prevent brute-force
+ *   - HTTP/HTTPS (80/443): allowed for web services
+ *   - Node Agent (8911): allowed for internal communication
+ *   - Tailscale (41641): allowed for VPN
+ *   - Logging: enabled with rate limiting to prevent log flooding
+ */
+
+/**
+ * UFW firewall configuration options.
+ */
+export interface UFWFirewallOptions {
+  /** Allow SSH from specific IPs/CIDRs (default: allow from anywhere) */
+  allowSSHFrom?: string[];
+
+  /** Allow HTTP (port 80) */
+  allowHTTP?: boolean;
+
+  /** Allow HTTPS (port 443) */
+  allowHTTPS?: boolean;
+
+  /** Allow Node Agent port (8911) */
+  allowNodeAgent?: boolean;
+
+  /** Additional ports to allow */
+  additionalPorts?: Array<{ port: number; protocol?: string; comment?: string }>;
+
+  /** Enable verbose logging (default: rate-limited logging) */
+  verboseLogging?: boolean;
+}
+
+/**
+ * Default firewall options for Genesis control plane servers.
+ */
+export const DEFAULT_UFW_GENESIS_OPTIONS: UFWFirewallOptions = {
+  allowSSHFrom: [], // Empty = allow from anywhere
+  allowHTTP: true,
+  allowHTTPS: true,
+  allowNodeAgent: false, // Genesis doesn't run node-agent
+  verboseLogging: false,
+};
+
+/**
+ * Default firewall options for worker/seed servers.
+ */
+export const DEFAULT_UFW_WORKER_OPTIONS: UFWFirewallOptions = {
+  allowSSHFrom: [], // Empty = allow from anywhere
+  allowHTTP: false,
+  allowHTTPS: false,
+  allowNodeAgent: true, // Workers run node-agent on port 8911
+  verboseLogging: false,
+};
+
+/**
+ * Packages required for UFW firewall.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - ufw: Uncomplicated Firewall interface to iptables/nftables
+ */
+export function ufwFirewallPackages(): string[] {
+  return [
+    "  - ufw",
+  ];
+}
+
+/**
+ * Files to write at first boot for UFW firewall configuration.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 2 files onto the server:
+ *
+ * 1. /etc/ufw/before.rules
+ *    - Custom before rules for stateful firewall behavior
+ *    - Allows loopback, established/related connections
+ *    - Drops invalid packets early
+ *
+ * 2. /etc/ufw/sysctl.conf
+ *    - Enables kernel network security parameters
+ *    - IP spoofing protection
+ *    - ICMP redirect protection
+ *    - Log martian packets
+ */
+export function ufwFirewallWriteFiles(options: UFWFirewallOptions = {}): string[] {
+  const lines: string[] = [];
+
+  // 1. UFW before.rules - stateful firewall rules applied before UFW rules
+  lines.push("  # UFW before.rules - stateful firewall and network security");
+  lines.push("  - path: /etc/ufw/before.rules");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      #");
+  lines.push("      # UFW before.rules - applied before UFW rules");
+  lines.push("      #");
+  lines.push("      # Start with the standard configuration");
+  lines.push("      *filter");
+  lines.push("      :ufw-before-input - [0:0]");
+  lines.push("      :ufw-before-output - [0:0]");
+  lines.push("      :ufw-before-forward - [0:0]");
+  lines.push("      :ufw-not-local - [0:0]");
+  lines.push("      # End of lines to adjust");
+  lines.push("");
+  lines.push("      # Allow all on loopback");
+  lines.push("      -A ufw-before-input -i lo -j ACCEPT");
+  lines.push("      -A ufw-before-output -o lo -j ACCEPT");
+  lines.push("");
+  lines.push("      # Drop invalid packets");
+  lines.push("      -A ufw-before-input -m conntrack --ctstate INVALID -j DROP");
+  lines.push("");
+  lines.push("      # Allow established and related connections");
+  lines.push("      -A ufw-before-input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
+  lines.push("      -A ufw-before-output -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT");
+  lines.push("");
+  lines.push("      # Allow ICMP messages (required for PMTU discovery)");
+  lines.push("      -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT");
+  lines.push("      -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT");
+  lines.push("      -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT");
+  lines.push("      -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT");
+  lines.push("");
+  lines.push("      # Drop packets with bogus TCP flags (potential scan)");
+  lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP");
+  lines.push("      -A ufw-before-input -p tcp --tcp-flags ALL ALL -j DROP");
+  lines.push("");
+  lines.push("      # Commit changes");
+  lines.push("      COMMIT");
+  lines.push("");
+
+  // 2. UFW sysctl.conf - kernel network security parameters
+  lines.push("  # UFW sysctl.conf - kernel network hardening");
+  lines.push("  - path: /etc/ufw/sysctl.conf");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      #");
+  lines.push("      # UFW sysctl.conf - kernel network security parameters");
+  lines.push("      #");
+  lines.push("");
+  lines.push("      # IP spoofing protection");
+  lines.push("      net/ipv4/conf/all/rp_filter=1");
+  lines.push("      net/ipv4/conf/default/rp_filter=1");
+  lines.push("");
+  lines.push("      # Ignore ICMP redirect messages");
+  lines.push("      net/ipv4/conf/all/accept_redirects=0");
+  lines.push("      net/ipv6/conf/all/accept_redirects=0");
+  lines.push("      net/ipv4/conf/default/accept_redirects=0");
+  lines.push("      net/ipv6/conf/default/accept_redirects=0");
+  lines.push("");
+  lines.push("      # Ignore send redirects");
+  lines.push("      net/ipv4/conf/all/send_redirects=0");
+  lines.push("      net/ipv4/conf/default/send_redirects=0");
+  lines.push("");
+  lines.push("      # Log martian packets (packets with impossible addresses)");
+  lines.push("      net/ipv4/conf/all/log_martians=1");
+  lines.push("      net/ipv4/conf/default/log_martians=1");
+  lines.push("");
+  lines.push("      # SYN cookies protection (SYN flood mitigation)");
+  lines.push("      net/ipv4/tcp_syncookies=1");
+  lines.push("");
+  lines.push("      # Source address verification (spoofing protection)");
+  lines.push("      net/ipv4/conf/all/secure_redirects=1");
+  lines.push("      net/ipv4/conf/default/secure_redirects=1");
+  lines.push("");
+
+  return lines;
+}
+
+/**
+ * Commands to configure and activate UFW firewall at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Set default policies (deny incoming, allow outgoing)
+ *   2. Allow loopback interface
+ *   3. Allow SSH with rate limiting (prevents brute-force)
+ *   4. Allow HTTP/HTTPS if enabled
+ *   5. Allow Node Agent port if enabled
+ *   6. Allow Tailscale port (required for VPN)
+ *   7. Enable logging with rate limiting
+ *   8. Enable and reload UFW
+ *   9. Display firewall status
+ */
+export function ufwFirewallRunCmd(options: UFWFirewallOptions = {}): string[] {
+  const {
+    allowSSHFrom = [],
+    allowHTTP = true,
+    allowHTTPS = true,
+    allowNodeAgent = false,
+    additionalPorts = [],
+    verboseLogging = false,
+  } = options;
+
+  const lines: string[] = [];
+
+  lines.push("  # UFW Firewall: Configure and enable secure firewall");
+  lines.push("");
+
+  // Set default policies
+  lines.push("  # Set default policies: deny incoming, allow outgoing");
+  lines.push("  - ufw --force reset");
+  lines.push("  - ufw default deny incoming");
+  lines.push("  - ufw default allow outgoing");
+  lines.push("  - ufw default deny forwarded");
+  lines.push("");
+
+  // Allow loopback
+  lines.push("  # Allow loopback interface");
+  lines.push("  - ufw allow in on lo");
+  lines.push("");
+
+  // Allow SSH with rate limiting
+  if (allowSSHFrom.length === 0) {
+    // Allow SSH from anywhere with rate limiting
+    lines.push("  # Allow SSH with rate limiting (6 connections in 30 seconds)");
+    lines.push("  - ufw limit 22/tcp comment 'Rate-limited SSH'");
+  } else {
+    // Allow SSH from specific IPs/CIDRs
+    for (const source of allowSSHFrom) {
+      lines.push(`  - ufw allow from ${source} to any port 22 proto tcp comment 'SSH from ${source}'`);
+    }
+  }
+  lines.push("");
+
+  // Allow HTTP if enabled
+  if (allowHTTP) {
+    lines.push("  # Allow HTTP");
+    lines.push("  - ufw allow 80/tcp comment 'HTTP'");
+  }
+
+  // Allow HTTPS if enabled
+  if (allowHTTPS) {
+    lines.push("  # Allow HTTPS");
+    lines.push("  - ufw allow 443/tcp comment 'HTTPS'");
+  }
+  lines.push("");
+
+  // Allow Node Agent port if enabled
+  if (allowNodeAgent) {
+    lines.push("  # Allow Node Agent (internal communication)");
+    lines.push("  - ufw allow 8911/tcp comment 'Node Agent'");
+    lines.push("");
+  }
+
+  // Allow Tailscale (required for VPN functionality)
+  lines.push("  # Allow Tailscale VPN");
+  lines.push("  - ufw allow 41641/udp comment 'Tailscale'");
+  lines.push("");
+
+  // Additional ports
+  if (additionalPorts.length > 0) {
+    lines.push("  # Additional custom ports");
+    for (const portConfig of additionalPorts) {
+      const protocol = portConfig.protocol || "tcp";
+      const comment = portConfig.comment || `Custom port ${portConfig.port}`;
+      lines.push(`  - ufw allow ${portConfig.port}/${protocol} comment '${comment}'`);
+    }
+    lines.push("");
+  }
+
+  // Configure logging
+  if (verboseLogging) {
+    lines.push("  # Enable verbose logging");
+    lines.push("  - ufw logging on");
+    lines.push("  - ufw logging high");
+  } else {
+    lines.push("  # Enable rate-limited logging (prevent log flooding)");
+    lines.push("  - ufw logging on");
+    lines.push("  - ufw logging low");
+  }
+  lines.push("");
+
+  // Enable and reload UFW
+  lines.push("  # Enable and reload UFW");
+  lines.push("  - ufw --force enable");
+  lines.push("  - ufw reload");
+  lines.push("");
+
+  // Display status
+  lines.push("  # Display firewall status");
+  lines.push("  - ufw status verbose > /var/log/ufw-bootstrap-status.log");
+  lines.push("");
+
+  return lines;
+}
+
+/**
+ * Generate complete UFW firewall configuration for Genesis servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_GENESIS_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export function generateUFWFirewallForGenesis(
+  options: UFWFirewallOptions = DEFAULT_UFW_GENESIS_OPTIONS,
+): {
+  packages: string[];
+  writeFiles: string[];
+  runCmd: string[];
+} {
+  return {
+    packages: ufwFirewallPackages(),
+    writeFiles: ufwFirewallWriteFiles(options),
+    runCmd: ufwFirewallRunCmd(options),
+  };
+}
+
+/**
+ * Generate complete UFW firewall configuration for worker/seed servers.
+ *
+ * @param options - UFW firewall options (uses DEFAULT_UFW_WORKER_OPTIONS if not provided)
+ * @returns Object with packages, writeFiles, and runCmd arrays
+ */
+export function generateUFWFirewallForWorker(
+  options: UFWFirewallOptions = DEFAULT_UFW_WORKER_OPTIONS,
+): {
+  packages: string[];
+  writeFiles: string[];
+  runCmd: string[];
+} {
+  return {
+    packages: ufwFirewallPackages(),
+    writeFiles: ufwFirewallWriteFiles(options),
+    runCmd: ufwFirewallRunCmd(options),
+  };
+}