ClawHub Skills Lib

Firewall — AI Agent Skill | Install, Stats & Docs | ClawHub Skills Lib

🔐 Security & Audit

Firewallv1.0.0

firewall

ivangdavila

Configure firewalls on servers and cloud providers with security best practices.

latest

Download Package View on ClawHub

Installs (all time)

2

Installs (current)

2

Downloads

663

Stars

4

CreatedFeb 10, 2026

UpdatedFeb 25, 2026

Install & Quick Start

Install via ClawdBot CLI:

clawdbot install ivangdavila/firewall

Skill Package1 files

📋SKILL.mdmarkdown

Firewall Rules

Critical First Steps

Allow SSH/remote access before enabling any firewall — enabling first locks you out
Test access in a second session before closing the first — verify the rule actually works
Know how to access provider console — it's the only way back if locked out

Default Stance

Default deny all incoming traffic — only open what you explicitly need
Default allow outgoing traffic — most apps need to reach the internet
Every open port is attack surface — question each one before adding

Essential Ports

SSH (22 or custom): Always needed for remote access — consider limiting to your IP only
HTTP (80): Only if serving web traffic — also needed for Let's Encrypt HTTP challenge
HTTPS (443): For production web services
Don't open database ports (3306, 5432, 27017) to the internet — access via SSH tunnel or private network

Provider Firewalls (Hetzner, DigitalOcean, AWS, etc.)

Provider firewall applies before traffic reaches your server — faster, less server load
Changes usually apply immediately — no reload command needed
Stateful by default — allow inbound, responses automatically allowed outbound
Apply to server groups for consistency — easier than per-server rules
Provider firewall + OS firewall = defense in depth — use both when possible

IP Restrictions

Limit SSH to known IPs when possible — dramatically reduces attack surface
Your home IP may change — use a VPN with static IP or update rules when it changes
Allow IP ranges with CIDR notation — /32 is single IP, /24 is 256 IPs
Some providers support dynamic DNS in rules — check before building complex solutions

Common Services to Consider

VPN (WireGuard: 51820/UDP, OpenVPN: 1194) — allows secure access without exposing other ports
Mail (25, 465, 587) — only if running mail server
DNS (53 TCP/UDP) — only if running DNS server
Monitoring agents may need outbound access to specific IPs

Docker Warning

Docker bypasses most OS firewalls by default — containers expose ports regardless of UFW/iptables
Solution: bind containers to localhost only and use reverse proxy for public access
Or configure Docker to respect firewall rules — requires additional setup
Provider-level firewalls still work — they block before traffic reaches Docker

IPv6

Firewalls often have separate IPv4 and IPv6 rules — configure both
Provider firewalls may handle both together — check their documentation
Attackers probe IPv6 when IPv4 is locked down — don't neglect it

Debugging

Test from outside your network — rules may look correct but not work
Provider dashboards often show blocked traffic logs
"Connection refused" = port closed properly; "Connection timeout" = firewall dropping silently
Online port scanners verify what's actually open from the internet

Common Mistakes

Opening ports "temporarily" and forgetting to close them
Opening 80/443 when no web server runs — unnecessary exposure
Forgetting UDP for services that need it — DNS, VPN, game servers
Assuming firewall is active — verify it's actually running/applied
Only configuring IPv4 — leaving IPv6 wide open
Trusting "security through obscurity" — non-standard ports slow attackers, don't stop them

🤖

AI Usage Analysis

Generated Mar 1, 2026

System AdministratorsDevOps EngineersSecurity AnalystsCloud Architectsintermediate

💡 Application Scenarios

Securing a Cloud-Based Web ApplicationTechnology/SaaS

A startup deploys a web app on AWS EC2 instances, requiring HTTPS (443) for production traffic and SSH (22) for admin access. They must configure AWS Security Groups to allow inbound HTTPS from the internet and restrict SSH to their office IP, while blocking all other ports to minimize attack surface.

Hardening a Database Server in a Private NetworkFinance

A financial services firm runs a PostgreSQL database on a Hetzner server for internal analytics. They need to ensure the database port (5432) is not exposed to the internet, using SSH tunnels or private network access only, and apply both provider and OS firewalls for defense in depth.

Setting Up a VPN for Remote Team AccessConsulting/Remote Work

A distributed company uses WireGuard VPN on a DigitalOcean droplet to provide secure remote access to internal services. They must open UDP port 51820 for VPN traffic, limit SSH to VPN IPs, and configure IPv6 rules alongside IPv4 to prevent security gaps.

Deploying a Dockerized Application with Firewall ProtectionE-commerce

An e-commerce platform runs Docker containers on a Linux server for a web app, but Docker bypasses OS firewalls by default. They need to bind containers to localhost and use a reverse proxy for public access, while relying on provider-level firewalls to block unwanted traffic before it reaches Docker.

Auditing and Remediating Firewall Rules for ComplianceHealthcare

A healthcare organization must audit their firewall configurations on Windows and Linux servers to meet HIPAA compliance. They need to close unnecessary ports like 80/443 if no web server runs, ensure SSH is IP-restricted, and use online port scanners to verify only essential ports are open from the internet.

💼 Business Models

Managed Security Service Provider (MSSP)Recurring monthly fees per client, typically $100-$500/month

Offers firewall configuration and monitoring as a subscription service for small to medium businesses. Includes regular audits, rule updates for changing IPs, and 24/7 support to prevent lockouts and breaches, leveraging provider dashboards for blocked traffic logs.

Cloud Infrastructure ConsultingProject-based pricing, ranging from $1,000 to $10,000 per engagement

Provides one-time or project-based services to set up and optimize firewalls on cloud platforms like AWS, DigitalOcean, or Hetzner. Focuses on best practices such as default deny rules, IP restrictions, and integrating with Docker or VPN setups for specific client needs.

Security Training and WorkshopsPer-attendee fees or flat rates, e.g., $200/person or $5,000/workshop

Conducts hands-on workshops for IT teams on firewall configuration, covering critical steps like testing access before enabling rules and avoiding common mistakes. Targets industries with compliance requirements, using real-world scenarios to teach defense in depth.

💬 Integration Tip

Integrate this skill with monitoring tools to track firewall logs and alert on unauthorized access attempts, and combine it with VPN setup skills for secure remote management without exposing SSH to the internet.