diff --git a/docs/config/firewall.mdx b/docs/config/firewall.mdx
index e3880c67..00c7aeeb 100644
--- a/docs/config/firewall.mdx
+++ b/docs/config/firewall.mdx
@@ -62,8 +62,8 @@ The possible fields of a firewall rule are:
- `cidr`: a CIDR, `0.0.0.0/0` is any. This restricts which Nebula IP addresses the rule allows.
- `local_cidr`: a local CIDR, `0.0.0.0/0` is any. This restricts which destination IP addresses, when using
- unsafe_routes, the rule allows. If unset, the rule will allow access to the specified ports on both the node itself as
- well as any IP addresses it routes to.
+ unsafe_routes, the rule allows. If unset, the rule will only allow access to the port on the local node, not the
+ unsafe_routes it serves, unless `default_local_cidr_any` is true.
:::note
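Review bot: the new `local_cidr` text points readers to `default_local_cidr_any` as the escape hatch without saying that the option is deprecated, which the `firewall.default_local_cidr_any` section in this same patch now states; append "(deprecated as of v1.10.0)" after "unless `default_local_cidr_any` is true" so nobody adopts the option fresh. Also "the port on the local node" should read "the specified ports on the local node" to match the plural used in the sentence it replaces.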
@@ -87,7 +87,7 @@ firewall:
outbound_action: drop
inbound_action: drop
- default_local_cidr_any: false # false will become the default in Nebula v1.10.0+
+ default_local_cidr_any: false # false since v1.10.0, see notes below
conntrack:
tcp_timeout: 12m
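Review bot: "see notes below" in the inline comment is vague once this block is copied into a real config file; name the section instead, e.g. `default_local_cidr_any: false # false since v1.10.0, see firewall.default_local_cidr_any`.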
@@ -138,14 +138,14 @@ enabling the built-in Nebula SSH server, you may wish to grant access over the N
## firewall.default_local_cidr_any
-Default: True Reloadable
+Default: False Reloadable
-This setting was introduced in Nebula v1.9.0 for backwards compatibility purposes. The default will be changed to
-`false` in Nebula v1.10.0 and the config option will be deprecated.
+This setting was introduced in Nebula v1.9.0 set to `true` for backwards compatibility purposes. The default was changed
+to `false` in Nebula v1.10.0 and the config option is now deprecated.
-When set to `true`, any firewall rules which do not explicitly set `local_cidr` will be interpreted as if they were set
-to `any`. In other words, firewall rules which do not explicitly configure `local_cidr` will apply both to ports on the
-local machine as well as ports on any hosts accessible via [unsafe_routes](/docs/config/tun/#tununsafe_routes).
+When set to `true`, any firewall rules which do not explicitly set `local_cidr` are interpreted as if they were set to
+`0.0.0.0/0`. In other words, firewall rules which do not explicitly configure `local_cidr` will apply both to ports on
+the local machine as well as ports on any hosts accessible via [unsafe_routes](/docs/config/tun/#tununsafe_routes).
When set to `false`, firewall rules which do not explicitly set `local_cidr` will only apply to the local host. To
permit access to machines accessible via unsafe_routes, define a firewall rule which explicitly references those routes
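Review bot: "This setting was introduced in Nebula v1.9.0 set to `true`" is awkward; suggest "introduced in Nebula v1.9.0 with a default of `true`". More importantly, the section now says the option "is now deprecated" but still documents it as a live, reloadable setting with a `true` behaviour, so readers cannot tell whether it is merely discouraged or slated for removal; state plainly that `true` still takes effect in v1.10.0, that it will be removed in a later release, and that the migration path is to set `local_cidr` explicitly on every rule that must reach unsafe_routes.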
diff --git a/docs/guides/unsafe_routes/index.mdx b/docs/guides/unsafe_routes/index.mdx
index 14d77873..f5d57b2b 100644
--- a/docs/guides/unsafe_routes/index.mdx
+++ b/docs/guides/unsafe_routes/index.mdx
@@ -141,10 +141,11 @@ file paths as the old key and cert you won't need to make any changes to your Ne
### Step 3. Configure Nebula firewall on Linux host (LAN)
In addition to adding a CIDR to the `subnets` field of our new cert, you also need to add inbound firewall rules to the
-Linux host in this example for any port that you want to access _through this host._
+Linux host in this example for any ports that you want to access _through this host._
For example, if you want to access a printer on the LAN, you will need to add a rule to allow TCP port 631. Edit the
-Linux host's Nebula configuration file (commonly located at `/etc/nebula/config.yml`).
+Linux host's Nebula configuration file (commonly located at `/etc/nebula/config.yml`). Since v1.10, you must set
+`local_cidr` in order for the rule to apply to unsafe_routes.
```yaml
firewall:
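Review bot: "Since v1.10" is inconsistent with "v1.10.0" used throughout firewall.mdx in this patch; use "v1.10.0". The sentence should also say what happens when `local_cidr` is omitted (per the updated firewall reference, the rule then only matches ports on the router node itself, so the printer stays unreachable), since that is exactly the failure mode someone upgrading an existing unsafe_routes setup will run into.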
@@ -152,6 +153,7 @@ firewall:
- port: 631
host: any
proto: tcp
+ local_cidr: 192.168.86.1/32
```
You may need to add additional ports depending on your printer. The easiest way to make sure you can fully access any
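Review bot: `local_cidr: 192.168.86.1/32` appears with no explanation of what that address is; the guide's LAN is `192.168.86.0/24` (next hunk) and `.1` is commonly the default gateway rather than a printer, so say explicitly that this is the printer's LAN address and that readers substitute their own. A one-line reminder that `local_cidr` restricts the destination behind the route while `cidr` restricts the Nebula source address would also help here, as the two fields are easy to confuse.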
@@ -164,6 +166,7 @@ firewall:
- port: any
host: any
proto: any
+ local_cidr: 192.168.86.0/24 # note that 0.0.0.0/0 would apply to the router node as well
outbound:
- host: any
port: any
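Review bot: the inline comment on `local_cidr: 192.168.86.0/24` is the right warning but is easy to miss inside a fenced block; move it into the prose above the example and spell out that `0.0.0.0/0` would expose every port on the router node itself in addition to the LAN. Since this rule is `port: any`, `host: any`, `proto: any`, the text should also note that it grants every Nebula host full access to the LAN and that `host` (or `cidr`, per the firewall reference) should be narrowed in anything beyond a lab setup.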