debug-firewall
Debug the AWF (Agentic Workflow Firewall) by inspecting containers, analyzing Squid logs, checking iptables, and troubleshooting network or domain access issues in isolated sandboxes.
Introduction
The debug-firewall skill is an essential operational tool for developers and security engineers working with the Agentic Workflow Firewall (AWF). It provides a systematic framework for inspecting, monitoring, and resolving connectivity issues when running commands within AWF-hardened Docker environments. By leveraging this skill, users can diagnose why specific network requests are blocked, verify the integrity of the Squid proxy traffic routing, and ensure that iptables rules are correctly enforced across the awf-squid and awf-agent containers. This tool is particularly useful for verifying domain allowlists, troubleshooting DNS resolution failures, and validating the correct isolation of sensitive API credentials via the proxy sidecar. It bridges the gap between high-level architectural policies and low-level system execution, providing the observability required to maintain secure, network-isolated agentic workflows.
- Real-time inspection of container states and lifecycle events for awf-squid and awf-agent.
- Direct log analysis capabilities, including filtering Squid access logs for TCP_DENIED responses to identify blocked domain patterns.
- Verification of host-level and container-level iptables rules, including NAT and filtering chains that govern traffic flow.
- Network connectivity testing using diagnostic utilities like nc (netcat) within the restricted container environment.
- Automated discovery of preserved log locations across different execution modes, supporting post-mortem debugging even after container cleanup.
- Deep insights into proxy configuration, environment variable injection, and credential isolation strategies.
- Use this skill to investigate unexpected request denials by inspecting the third column of the Squid access logs for blocked Host headers.
- Utilize the debug mode workflow (awf --keep-containers) to pause execution and manually probe the network stack before finalizing your agentic scripts.
- Monitor kernel-level firewall events through dmesg to detect silent packet drops or DNS resolution issues that occur outside the proxy's visibility.
- This tool requires root or sudo privileges for accessing iptables, Docker daemon operations, and kernel logs; ensure your environment is configured for authorized administrative access.
- Intended for use in Ubuntu 22.04+ or compatible Linux distributions with Docker 20.10+ and Docker Compose v2.
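One way to run the TCP_DENIED check described above, as an added example that is not part of the skill's own code. It assumes whitespace-separated log fields with the Host header in the third column; the function names denied_hosts and sample_log, and every sample log line, are constructed for illustration.

```bash
# Added example: count blocked hosts in a Squid access log.
# Assumptions: fields are whitespace-separated, column 3 is the Host header
# (as the page states), and the result code starts with TCP_DENIED.
denied_hosts() {
    awk '
        {
            denied = 0
            # Match the result-code field itself, not any text in the URL.
            for (i = 4; i <= NF; i++) if ($i ~ /^TCP_DENIED/) denied = 1
            if (!denied) next

            host = tolower($3)              # Host headers are case-insensitive
            sub(/:[0-9]+$/, "", host)       # drop a trailing :port
            if (host == "" || host == "-") host = "(no-host-header)"
            count[host]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2    # most-denied first, stable order
}

# Constructed sample lines; the layout after column 3 is an assumption.
sample_log() {
    cat <<'EOF'
1700000000.101 10.0.0.2:40112 allowed.example:443 192.0.2.6:443 1.1 CONNECT 200 TCP_TUNNEL:HIER_DIRECT allowed.example:443 "curl/8.5.0"
1700000001.220 10.0.0.2:40114 blocked.example:443 -:- 1.1 CONNECT 403 TCP_DENIED:HIER_NONE blocked.example:443 "curl/8.5.0"
1700000002.338 10.0.0.2:40116 Blocked.Example:443 -:- 1.1 CONNECT 403 TCP_DENIED:HIER_NONE blocked.example:443 "python-requests/2.31"
1700000003.004 10.0.0.2:40118 telemetry.example -:- 1.1 GET 403 TCP_DENIED:HIER_NONE http://telemetry.example/ping "curl/8.5.0"
1700000004.517 10.0.0.2:40120 - -:- 1.1 GET 403 TCP_DENIED:HIER_NONE http://192.0.2.10/ "-"
EOF
}

# Reads stdin here; a log file path can be passed as an argument instead.
sample_log | denied_hosts
```

Requests that carry no Host header are grouped under one label rather than dropped, so a denial aimed at a raw IP address still shows up in the summary.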
Repository Stats
- Stars: 63
- Forks: 18
- Open Issues: 44
- Language: TypeScript
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 06:40 PM