From 22d17d39f9522683bf37278c3f22d8d2d8c47dab Mon Sep 17 00:00:00 2001 From: Kenji M Date: Fri, 19 Jun 2026 15:08:17 +0000 Subject: [PATCH] zet: document UFW rules required for nginx on LAN Ports 80 and 443 must be open in UFW so LAN clients using split DNS can reach nginx directly without going through pfSense NAT. Co-Authored-By: Claude Sonnet 4.6 --- zet.home.arpa/nginx/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/zet.home.arpa/nginx/README.md b/zet.home.arpa/nginx/README.md index 0e612b4..40bf44a 100644 --- a/zet.home.arpa/nginx/README.md +++ b/zet.home.arpa/nginx/README.md @@ -63,6 +63,17 @@ sudo systemctl restart nginx # full restart sudo nginx -t # test config syntax before applying ``` +## UFW Firewall Rules + +Ports 80 and 443 must be open in UFW on zet for LAN clients to reach nginx directly (split DNS bypasses pfSense NAT): + +```bash +sudo ufw allow 80/tcp comment 'nginx HTTP' +sudo ufw allow 443/tcp comment 'nginx HTTPS' +``` + +Current UFW status also allows: Samba, NFS (LAN only), SSH (22), Squid (3128), Gitea (3000). + ## pfSense NAT Rules | WAN Port | Redirect to | Port | Description |
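Review bot: The two added `ufw allow` lines in the new "UFW Firewall Rules" section carry no source restriction, so they admit 80/tcp and 443/tcp from any address, while the sentence above them gives only LAN clients as the reason and the summary line marks NFS as "LAN only". If these ports are meant for LAN use alone, scope the rules, for example `sudo ufw allow from <LAN subnet> to any port 443 proto tcp comment 'nginx HTTPS'` (with `<LAN subnet>` a placeholder for the actual CIDR), and the same for port 80. If the open source is intentional because the pfSense NAT rules in the next section forward WAN traffic to these same ports, say so in the README so the rules are not later read as an oversight. Separately, the "Current UFW status also allows" line is a snapshot that will drift from the host. Consider pointing to `sudo ufw status verbose` as the source of truth, and noting whether SSH, Squid and Gitea are restricted to the LAN as NFS is.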