Firewall Rules Builder

Verified by Community

Creates firewall rule sets for iptables, ufw, nftables, and cloud security groups with defense-in-depth principles and common application server configurations.

Tags: system, firewall, security, networking, iptables, ufw

Configure firewall rules for secure network access control. Creates rule sets for various firewall tools with defense-in-depth principles and application-specific configurations.

Usage

Describe your server's role, required services, and who needs access. The builder creates a complete firewall rule set with explanations for each rule and verification commands.

Parameters

  • Tool: ufw, iptables, nftables, firewalld, or Cloud (AWS SG, Azure NSG)
  • Server role: Web server, Database, Application server, or Multi-role
  • Access: Public-facing, Internal only, or Mixed
  • Current state: No firewall, Permissive rules, or Hardening existing rules

Examples

  1. Web Server Rules: UFW configuration allowing SSH (from admin IPs only), HTTP/HTTPS (public), and blocking everything else — with rate limiting on SSH and logging enabled.
  2. Database Server: Restrict PostgreSQL (5432) to application server IPs only, SSH from bastion host only, and deny all other inbound with specific outbound rules for updates.
  3. Docker Host Firewall: Configure iptables rules that work correctly with Docker's network — addressing the Docker-bypasses-ufw problem with DOCKER-USER chain rules.
  4. Cloud Security Groups: Design AWS Security Group architecture — web tier, app tier, and data tier groups with minimal cross-tier access and no public database access.

Guidelines

  • Default policy is deny-all inbound, allow-all outbound (then add specific allows)
  • Rules follow least-privilege: only open ports that are needed, only to IPs that need them
  • SSH access is restricted to known IPs or VPN, never open to 0.0.0.0/0 in production
  • Rate limiting prevents brute-force attacks on exposed services (SSH, login endpoints)
  • Logging is enabled for denied packets to detect scanning and attack attempts
  • Rules are ordered correctly — first match wins in iptables, most specific first
  • IPv6 rules are configured alongside IPv4 (often forgotten, creating bypass opportunities)
  • Docker and container networking interactions with host firewalls are addressed specifically
  • Verification commands confirm rules are active and blocking as intended
  • Backup of working firewall rules is saved before changes, with rollback procedure documented
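The following script is an added example, not output of the builder itself, showing what the "Web Server Rules" example and the guidelines above look like when written down: a generator that emits the UFW command sequence (deny-all inbound, allow-all outbound, SSH rate-limited and restricted to admin sources, public HTTP/HTTPS, logging of denied packets), plus a lint that rejects any rule set in which the SSH port is reachable from an unrestricted source. The admin CIDRs (203.0.113.10/32, 198.51.100.0/24) are constructed documentation addresses, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate and lint a UFW rule set for a public web server.
# Nothing here runs ufw; the generator prints commands for review, and the
# lint checks the printed rules before anyone pipes them into a root shell.

# Emit the ufw command sequence for a public web server.
#   $1: space-separated admin source CIDRs allowed to reach SSH (constructed)
#   $2: SSH port (default 22)
build_web_server_rules() {
    admin_cidrs="$1"
    ssh_port="${2:-22}"
    # Default policy first: deny everything inbound, allow outbound.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # SSH only from known admin sources; 'limit' applies UFW's built-in
    # rate limit (6 new connections per 30 s from one source) against brute force.
    for cidr in $admin_cidrs; do
        echo "ufw limit from $cidr to any port $ssh_port proto tcp comment 'SSH admin'"
    done
    # Public web ports.
    echo "ufw allow 80/tcp comment 'HTTP'"
    echo "ufw allow 443/tcp comment 'HTTPS'"
    # Log denied packets so scanning shows up in the journal / /var/log/ufw.log.
    echo "ufw logging low"
    # IPv6 twins of these rules are generated by ufw itself when
    # IPV6=yes is set in /etc/default/ufw (the Ubuntu default).
    echo "# verify: IPV6=yes in /etc/default/ufw so IPv6 rules are created too"
    echo "ufw --force enable"
}

# Lint a generated rule list: return 1 if any rule for the SSH port lacks a
# specific source ('from <cidr>'), i.e. would expose SSH to 0.0.0.0/0 or ::/0.
# Only numeric port forms are examined; 'ufw limit ssh' style rules are not.
#   $1: rule text (one ufw command per line), $2: SSH port (default 22)
check_ssh_restricted() {
    rules="$1"
    ssh_port="${2:-22}"
    ok=0
    old_ifs=$IFS
    IFS='
'
    for line in $rules; do
        IFS=$old_ifs
        # Keep only rules that address the SSH port.
        case "$line" in
            *"port $ssh_port "*|*"port $ssh_port"|*" $ssh_port/tcp"*|*" $ssh_port "*) ;;
            *) continue ;;
        esac
        # An SSH rule must carry a specific source; 'any' or a /0 is still open.
        case "$line" in
            *"from 0.0.0.0/0"*|*"from ::/0"*|*"from any"*) ok=1 ;;
            *"from "*) ;;
            *) ok=1 ;;
        esac
    done
    IFS=$old_ifs
    return $ok
}

# Print the commands that confirm the rule set is active and blocking.
verification_commands() {
    echo "ufw status verbose"
    echo "ufw show added"
    echo "ss -tlnp            # listeners that should be covered by a rule"
}

# Stand-alone use: ADMIN_CIDRS='203.0.113.10/32' sh build_ufw.sh > rules.sh
if [ -n "${ADMIN_CIDRS:-}" ]; then
    rules=$(build_web_server_rules "$ADMIN_CIDRS" "${SSH_PORT:-22}")
    if check_ssh_restricted "$rules" "${SSH_PORT:-22}"; then
        printf '%s\n' "$rules"
        verification_commands | sed 's/^/# verify: /'
    else
        echo "refusing to emit rules: SSH reachable from an unrestricted source" >&2
        exit 1
    fi
fi
```

Review the emitted commands, take a backup first (`ufw status numbered` and a copy of `/etc/ufw/user.rules` and `user6.rules`), then run them as root; `ufw status verbose` afterwards should show `Default: deny (incoming), allow (outgoing)` and the LIMIT entries scoped to the admin sources.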