{
  "schemaVersion": "1.0",
  "item": {
    "slug": "firewall",
    "name": "Firewall",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/ivangdavila/firewall",
    "canonicalUrl": "https://clawhub.ai/ivangdavila/firewall",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/firewall",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "firewall",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T07:03:39.947Z",
      "expiresAt": "2026-05-06T07:03:39.947Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
        "contentDisposition": "attachment; filename=\"firewall-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "firewall"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/firewall"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets (this manifest lists only SKILL.md) and nothing unexpected, such as scripts or binaries."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/firewall",
    "agentPageUrl": "https://openagent3.xyz/skills/firewall/agent",
    "manifestUrl": "https://openagent3.xyz/skills/firewall/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/firewall/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Critical First Steps",
        "body": "Allow SSH/remote access before enabling any firewall — enabling first locks you out\nTest access in a second session before closing the first — verify the rule actually works\nKnow how to access provider console — it's the only way back if locked out"
      },
      {
        "title": "Default Stance",
        "body": "Default deny all incoming traffic — only open what you explicitly need\nDefault allow outgoing traffic — most apps need to reach the internet\nEvery open port is attack surface — question each one before adding"
      },
      {
        "title": "Essential Ports",
        "body": "SSH (22 or custom): Always needed for remote access — consider limiting to your IP only\nHTTP (80): Only if serving web traffic — also needed for Let's Encrypt HTTP challenge\nHTTPS (443): For production web services\nDon't open database ports (3306, 5432, 27017) to the internet — access via SSH tunnel or private network"
      },
      {
        "title": "Provider Firewalls (Hetzner, DigitalOcean, AWS, etc.)",
        "body": "Provider firewall applies before traffic reaches your server — faster, less server load\nChanges usually apply immediately — no reload command needed\nStateful by default — once an inbound connection is allowed, its response traffic is automatically allowed outbound\nApply to server groups for consistency — easier than per-server rules\nProvider firewall + OS firewall = defense in depth — use both when possible"
      },
      {
        "title": "IP Restrictions",
        "body": "Limit SSH to known IPs when possible — dramatically reduces attack surface\nYour home IP may change — use a VPN with static IP or update rules when it changes\nAllow IP ranges with CIDR notation — /32 is single IP, /24 is 256 IPs\nSome providers support dynamic DNS in rules — check before building complex solutions"
      },
      {
        "title": "Common Services to Consider",
        "body": "VPN (WireGuard: 51820/UDP, OpenVPN: 1194) — allows secure access without exposing other ports\nMail (25, 465, 587) — only if running mail server\nDNS (53 TCP/UDP) — only if running DNS server\nMonitoring agents may need outbound access to specific IPs"
      },
      {
        "title": "Docker Warning",
        "body": "Docker bypasses most OS firewalls by default — published container ports stay reachable regardless of UFW rules, because Docker inserts its own iptables rules\nSolution: bind published ports to localhost (127.0.0.1) only and use a reverse proxy for public access\nOr configure Docker to respect firewall rules — requires additional setup\nProvider-level firewalls still work — they block before traffic reaches Docker"
      },
      {
        "title": "IPv6",
        "body": "Firewalls often have separate IPv4 and IPv6 rules — configure both\nProvider firewalls may handle both together — check their documentation\nAttackers probe IPv6 when IPv4 is locked down — don't neglect it"
      },
      {
        "title": "Debugging",
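        "body": "Test from outside your network — rules may look correct but not work\nProvider dashboards often show blocked traffic logs\n\"Connection refused\" = port closed (the host answered with a reset — nothing is listening, or a reject rule replied), so if the firewall was meant to drop that port the packet still got through; \"Connection timeout\" = firewall dropping silently\nOnline port scanners verify what's actually open from the internet"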
      },
      {
        "title": "Common Mistakes",
        "body": "Opening ports \"temporarily\" and forgetting to close them\nOpening 80/443 when no web server runs — unnecessary exposure\nForgetting UDP for services that need it — DNS, VPN, game servers\nAssuming firewall is active — verify it's actually running/applied\nOnly configuring IPv4 — leaving IPv6 wide open\nTrusting \"security through obscurity\" — non-standard ports slow attackers, don't stop them"
      }
    ],
    "body": "Firewall Rules\nCritical First Steps\nAllow SSH/remote access before enabling any firewall — enabling first locks you out\nTest access in a second session before closing the first — verify the rule actually works\nKnow how to access provider console — it's the only way back if locked out\nDefault Stance\nDefault deny all incoming traffic — only open what you explicitly need\nDefault allow outgoing traffic — most apps need to reach the internet\nEvery open port is attack surface — question each one before adding\nEssential Ports\nSSH (22 or custom): Always needed for remote access — consider limiting to your IP only\nHTTP (80): Only if serving web traffic — also needed for Let's Encrypt HTTP challenge\nHTTPS (443): For production web services\nDon't open database ports (3306, 5432, 27017) to the internet — access via SSH tunnel or private network\nProvider Firewalls (Hetzner, DigitalOcean, AWS, etc.)\nProvider firewall applies before traffic reaches your server — faster, less server load\nChanges usually apply immediately — no reload command needed\nStateful by default — allow inbound, responses automatically allowed outbound\nApply to server groups for consistency — easier than per-server rules\nProvider firewall + OS firewall = defense in depth — use both when possible\nIP Restrictions\nLimit SSH to known IPs when possible — dramatically reduces attack surface\nYour home IP may change — use a VPN with static IP or update rules when it changes\nAllow IP ranges with CIDR notation — /32 is single IP, /24 is 256 IPs\nSome providers support dynamic DNS in rules — check before building complex solutions\nCommon Services to Consider\nVPN (WireGuard: 51820/UDP, OpenVPN: 1194) — allows secure access without exposing other ports\nMail (25, 465, 587) — only if running mail server\nDNS (53 TCP/UDP) — only if running DNS server\nMonitoring agents may need outbound access to specific IPs\nDocker Warning\nDocker bypasses most OS firewalls by default — containers 
expose ports regardless of UFW/iptables\nSolution: bind containers to localhost only and use reverse proxy for public access\nOr configure Docker to respect firewall rules — requires additional setup\nProvider-level firewalls still work — they block before traffic reaches Docker\nIPv6\nFirewalls often have separate IPv4 and IPv6 rules — configure both\nProvider firewalls may handle both together — check their documentation\nAttackers probe IPv6 when IPv4 is locked down — don't neglect it\nDebugging\nTest from outside your network — rules may look correct but not work\nProvider dashboards often show blocked traffic logs\n\"Connection refused\" = port closed properly; \"Connection timeout\" = firewall dropping silently\nOnline port scanners verify what's actually open from the internet\nCommon Mistakes\nOpening ports \"temporarily\" and forgetting to close them\nOpening 80/443 when no web server runs — unnecessary exposure\nForgetting UDP for services that need it — DNS, VPN, game servers\nAssuming firewall is active — verify it's actually running/applied\nOnly configuring IPv4 — leaving IPv6 wide open\nTrusting \"security through obscurity\" — non-standard ports slow attackers, don't stop them"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/ivangdavila/firewall",
    "publisherUrl": "https://clawhub.ai/ivangdavila/firewall",
    "owner": "ivangdavila",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/firewall",
    "downloadUrl": "https://openagent3.xyz/downloads/firewall",
    "agentUrl": "https://openagent3.xyz/skills/firewall/agent",
    "manifestUrl": "https://openagent3.xyz/skills/firewall/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/firewall/agent.md"
  }
}