configuring-firewalls
Configure host-based firewalls (UFW, nftables, iptables) and cloud security groups (AWS, GCP, Azure) with production-ready security rules.
Introduction
This skill provides a comprehensive framework for network security hardening across diverse infrastructure environments. It is designed for DevOps engineers, system administrators, and infrastructure architects who need to manage traffic flow, secure server access, and implement network segmentation. By leveraging standardized patterns for host-based firewalls like UFW, nftables, and legacy iptables, as well as cloud-native controls like AWS Security Groups, GCP VPC firewall rules, and Azure Network Security Groups, this skill ensures a consistent security posture. It helps prevent common misconfigurations, such as accidental SSH lockouts, by emphasizing safety checklists, the distinction between stateful and stateless packet filtering, and defense-in-depth strategies. Users can expect guidance on setting up bastion hosts, configuring ingress/egress rules for web servers and databases, and transitioning between firewall technologies. Whether performing initial server hardening, securing containerized workloads via Kubernetes NetworkPolicies, or troubleshooting connectivity issues, this skill offers actionable command snippets and architecture decision logic to keep infrastructure secure and resilient. It bridges the gap between low-level kernel packet filtering and high-level cloud networking policies.
- Support for host-based firewalls including UFW for Ubuntu/Debian, firewalld for RHEL/CentOS, and modern nftables for high-performance filtering.
- Cloud provider integration for AWS Security Groups, NACLs, GCP VPC rules, and Azure NSGs with Terraform and CLI examples.
- Kubernetes security coverage, including pod-to-pod communication management using CNI plugins like Calico or Cilium.
- Standardized security patterns for web servers, API gateways, database clusters, and jump boxes (bastion hosts).
- Safety-first workflow: includes critical lockout-prevention checks and verification methods using tools like nmap.
- Transition path support for migrating legacy iptables rules to modern nftables, plus performance optimization strategies.
- Always add SSH/management port access rules before applying default-deny policies, to avoid total system lockout.
- Distinguish clearly between stateful firewall mechanisms (Security Groups) and stateless controls (NACLs) to avoid unexpected traffic drops.
- Use the provided safety checklist to verify connectivity externally after configuration changes.
- Integrate these rules into infrastructure-as-code (IaC) pipelines like Terraform for auditable, version-controlled network security.
- Inputs include server OS type, cloud provider, service ports, and source IP range; outputs include precise CLI commands, config files, or Terraform resource blocks.
Repository Stats
- Stars: 350
- Forks: 53
- Open Issues: 2
- Language: Python
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 1, 2026, 08:18 AM