ADR-0002: No Host Firewall Rules in Initial Foundation

Status

Accepted

Context

The HomeOps Server Foundation Phase 1 focuses on establishing a clean, understandable, and rebuildable Proxmox VE base system.

At this stage, the primary objectives are:

To validate basic host stability and management access
To document baseline architectural and security decisions
To avoid introducing configuration complexity before service roles are defined

While Proxmox VE provides integrated host-level firewall capabilities, effective firewall policy design depends on a clear understanding of:

Exposed services
Network segmentation
Trust boundaries
Operational access patterns

None of these are fully defined during the initial foundation phase.

Decision

No host-level firewall rules will be actively enforced on the Proxmox VE host during Phase 1 of the HomeOps Server Foundation.

The host will rely on:

Default service exposure
Network-level controls provided by the upstream router
Limited and controlled management access

Firewall configuration is explicitly deferred until later phases, once service roles and network segmentation are introduced.

Consequences

Positive

Reduced risk of accidental lockout during early setup
Simpler troubleshooting and recovery
Clear separation between foundation setup and security enforcement
Firewall policies can be designed with full context later

Negative

The host does not benefit from defense-in-depth at the host firewall layer during Phase 1
Security relies more heavily on upstream network controls

Notes

This decision is not a statement against host-based firewalls.

It reflects a deliberate sequencing choice: firewall rules will be introduced only after the system architecture, access model, and service exposure are clearly defined and documented.