- Home
- Skills
- Ancoleman
- Ai Design Components
- Configuring Firewalls
configuring-firewalls_skill
- Python
291
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill ancoleman/ai-design-components --skill configuring-firewalls- outputs.yaml9.2 KB
- SKILL.md13.6 KB
Overview
This skill shows engineers how to configure host-based firewalls (iptables, nftables, UFW) and cloud security controls (AWS Security Groups, NACLs, GCP, Azure NSGs) with practical, safe rules for web servers, databases, and bastion hosts. It focuses on concrete patterns, safety checks to avoid lockouts, and defense-in-depth recommendations across host, cloud, and container environments. Examples include ready-to-use UFW snippets, nftables rulesets, and Terraform Security Group templates.
How this skill works
The skill inspects the target environment and recommends the appropriate tool (UFW/firewalld/nftables/iptables or cloud provider firewall). It provides step-by-step rule examples, safety checklist items (always allow SSH, test rules, logging), and deployment commands. For cloud resources, it offers Security Group/NACL patterns and Terraform snippets; for containers, it points to Kubernetes NetworkPolicy templates and CNI requirements.
When to use it
- Initial server hardening during provisioning
- Exposing a new service (web, API, or database) to the network
- Creating a bastion/jump host and centralizing SSH access
- Implementing network segmentation or DMZs for multi-tier apps
- Migrating host firewall stacks (iptables → nftables) or adding egress filtering
Best practices
- Start with default deny and explicitly allow required ports/IPs
- Always allow SSH (or ensure console access) before enabling rules
- Use principle of least privilege: avoid 0.0.0.0/0 on sensitive ports
- Enable and monitor firewall logging; keep rules in version control
- Avoid running conflicting tools (don’t run iptables and nftables simultaneously)
- Test rules in staging and verify externally with nmap or service checks
Example use cases
- Basic web server: UFW rules allowing HTTP/HTTPS and SSH only from office or bastion
- Database server: restrict port 5432 to app-tier security group or private subnet
- Bastion host: hardened jump box allowing SSH from corporate IPs, logging enabled, rate-limited SSH
- Egress filtering: block or allow outbound hosts/ports to reduce data exfiltration risk
- Kubernetes: NetworkPolicies to enforce pod-to-pod isolation when using Calico or Cilium
FAQ
Always add an allow rule for SSH (or enable a console/session manager) before enabling the firewall; test rules in a staging instance and ensure cloud console access exists.
When should I use Security Groups vs NACLs in AWS?
Use Security Groups (stateful) for instance-level allow rules and NACLs (stateless) at the subnet level for defense-in-depth or explicit deny needs; use both for layered protection.