configuring-firewalls
This Claude Code skill guides engineers through configuring firewalls across host-based systems (iptables, nftables, UFW), cloud platforms (AWS, GCP, Azure), and Kubernetes environments with practical rule examples and safety patterns. Use it when setting up initial server security, exposing new services, implementing network segmentation, creating bastion hosts, or troubleshooting connectivity issues while preventing lockouts and misconfigurations.
```bash
git clone --depth 1 https://github.com/ancoleman/ai-design-components /tmp/configuring-firewalls && cp -r /tmp/configuring-firewalls/skills/configuring-firewalls ~/.claude/skills/configuring-firewalls
```
SKILL.md
# Configuring Firewalls
## Purpose
Guide engineers through configuring firewalls across host-based (iptables, nftables, UFW), cloud-based (AWS Security Groups, NACLs), and container-based (Kubernetes NetworkPolicies) environments with practical rule examples and safety patterns to prevent lockouts and security misconfigurations.
## When to Use This Skill
**Trigger Phrases:**
- "Configure firewall for [server/service]"
- "Set up security groups for [AWS resource]"
- "Allow port [X] through firewall"
- "Block IP address [X.X.X.X]"
- "Set up UFW on Ubuntu server"
- "Create iptables/nftables rules"
- "Configure bastion host firewall"
- "Implement egress filtering"
**Common Scenarios:**
- Initial server setup and hardening
- Exposing a new service (web server, API, database)
- Implementing network segmentation
- Creating bastion host or jump box
- Migrating from iptables to nftables
- Configuring cloud security groups
- Troubleshooting connectivity issues
## Decision Framework: Which Firewall Tool?
### Cloud Environments
**AWS:**
- Instance-level control → **Security Groups** (stateful, allow-only rules)
- Subnet-level enforcement → **Network ACLs** (stateless, allow + deny rules)
- Use both for defense-in-depth
**GCP:**
- Use **VPC Firewall Rules** (stateful, priority-based)
**Azure:**
- Use **Network Security Groups** (NSGs) (stateful, priority-based)
### Host-Based Linux Firewalls
**Ubuntu/Debian + Simplicity:**
- Use **UFW** (Uncomplicated Firewall) - recommended for most users
- Front-end for iptables/nftables with simplified syntax
**RHEL/CentOS/Fedora:**
- Use **firewalld** (default on Red Hat ecosystem)
- Zone-based configuration with dynamic updates
**Modern Distro + Advanced Control:**
- Use **nftables** (best performance, modern standard)
- Set/map lookups scale as O(log n), versus iptables' O(n) linear rule traversal
- Unified IPv4/IPv6/NAT syntax
**Legacy Systems:**
- Use **iptables** (migrate to nftables when feasible)
- Required for older kernels (< 4.14)
### Kubernetes/Containers
- Use **NetworkPolicies** (requires CNI plugin: Calico, Cilium, Weave)
- See references/k8s-networkpolicies.md
### Stateful vs Stateless
**Stateful (recommended for most cases):**
- Automatically allows return traffic
- Simpler configuration
- Examples: Security Groups, UFW, nftables with `ct state` rules
**Stateless (specialized use):**
- Must explicitly allow both directions
- Fine-grained control, less state tracking
- Examples: Network ACLs, custom nftables rules
## Quick Start Examples
### UFW (Ubuntu/Debian)
```bash
# 1. Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# 2. CRITICAL: Allow SSH before enabling (prevent lockout)
sudo ufw allow ssh
sudo ufw limit ssh # Rate-limit to prevent brute force
# 3. Allow web traffic
sudo ufw allow http # Port 80
sudo ufw allow https # Port 443
# 4. Allow from specific IP (e.g., database access)
sudo ufw allow from 192.168.1.100 to any port 5432
# 5. Enable firewall
sudo ufw enable
# 6. Verify rules
sudo ufw status verbose
```
For complete UFW patterns, see references/ufw-patterns.md
### nftables (Modern Linux)
```nftables
#!/usr/sbin/nft -f
# /etc/nftables.conf
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback
        iif "lo" accept

        # Accept established connections (stateful)
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow SSH
        tcp dport 22 accept

        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # Log dropped packets
        log prefix "nftables-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```
Apply: `sudo nft -f /etc/nftables.conf`
Enable on boot: `sudo systemctl enable nftables`
For advanced patterns (sets, maps), see references/nftables-patterns.md
### AWS Security Groups (Terraform)
```hcl
# Web server security group
resource "aws_security_group" "web" {
  name        = "web-server-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  # Allow HTTPS from anywhere
  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow SSH from bastion only
  ingress {
    description     = "SSH from bastion"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  # Allow all outbound
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "web-server-sg"
  }
}
```
For Security Groups vs NACLs guide, see references/aws-security-groups.md
## Safety Checklist
Before enabling any firewall:
- [ ] **Always allow SSH before enabling** (prevent lockout)
- [ ] Test rules before enabling (dry-run when possible)
- [ ] Enable logging for debugging
- [ ] Document rules in version control (Git)
- [ ] Verify externally with nmap: `nmap -Pn <server-ip>`
- [ ] Have console access (cloud) or physical access (on-prem)
- [ ] Start with default deny, explicitly allow required traffic
- [ ] Use rate limiting for SSH (`ufw limit ssh`)
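The checklist's "allow SSH first" and "test before enabling" items, applied to the nftables config in the quick start, as an added example that is not part of this skill: a POSIX shell pre-flight that refuses a ruleset missing the loopback, established/related or SSH accept rules, then applies it with a timed rollback. It assumes `nft` on PATH, a root caller, and two made-up paths under /run.

```shell
#!/bin/sh
# Added example (not part of the skill): pre-flight a new nftables ruleset
# before applying it, then apply it with an automatic rollback window.
# Assumed: the ruleset file follows the /etc/nftables.conf style above,
# nft is on PATH and the caller is root; the two paths below are made up.
ROLLBACK_FILE=/run/nft-rollback.nft   # assumed path for the saved live ruleset
CONFIRM_FILE=/run/nft-confirmed       # assumed marker the operator touches

# Exit 0 only if the file keeps the three rules whose absence causes lockouts:
# loopback, established/related return traffic, and SSH (port $2, default 22).
# Plain-text check: a port inside a set such as { 22, 80 } is not recognised.
ruleset_preflight() {
  file="$1"; ssh_port="${2:-22}"
  [ -r "$file" ] || { echo "preflight: cannot read $file" >&2; return 2; }
  missing=0
  for needle in 'iif "lo" accept' 'ct state established,related accept' \
                "tcp dport $ssh_port accept"; do
    if ! grep -Fq -- "$needle" "$file"; then
      echo "preflight: missing rule: $needle" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Apply with rollback: save the live ruleset, syntax-check the new one with
# nft -c, load it, and restore the saved one after $2 seconds (default 60)
# unless $CONFIRM_FILE exists, i.e. the operator proved they can still log in.
safe_apply() {
  file="$1"; window="${2:-60}"
  ruleset_preflight "$file" || return 1
  nft -c -f "$file" || { echo "safe_apply: nft rejected $file" >&2; return 1; }
  # "flush ruleset" first so restoring replaces the ruleset instead of appending.
  { echo "flush ruleset"; nft list ruleset; } > "$ROLLBACK_FILE" || return 1
  rm -f "$CONFIRM_FILE"
  nft -f "$file" || { nft -f "$ROLLBACK_FILE"; return 1; }
  ( sleep "$window"
    [ -e "$CONFIRM_FILE" ] || nft -f "$ROLLBACK_FILE" ) &
  echo "applied $file; touch $CONFIRM_FILE within ${window}s to keep it"
}
```

Run `safe_apply /etc/nftables.conf 60` from a second SSH session, reconnect, and `touch /run/nft-confirmed` once the new session succeeds; otherwise the old rules return on their own.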
## Common Patterns
### Pattern 1: Basic Web Server
**Requirements:**
- Allow HTTP (80) and HTTPS (443) from anywhere
- Allow SSH from specific IP or bastion only
- Default deny all other inbound traffic
**UFW:**
```bash
sudo ufw default deny incoming
sudo ufw allow from 203.0.113.0/24 to any port 22 # Office IP
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
```
**nftables:**
See references/nftables-patterns.md for complete example
**AWS Security Group:**
See references/aws-security-groups.md for Terraform module
### Pattern 2: Database Server (Private)
**Requirements:**
- Allow