# Send Firewall to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "firewall",
    "name": "Firewall",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/ivangdavila/firewall",
    "canonicalUrl": "https://clawhub.ai/ivangdavila/firewall",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/firewall",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "firewall",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-29T07:03:39.947Z",
      "expiresAt": "2026-05-06T07:03:39.947Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=firewall",
        "contentDisposition": "attachment; filename=\"firewall-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "firewall"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/firewall"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/firewall",
    "downloadUrl": "https://openagent3.xyz/downloads/firewall",
    "agentUrl": "https://openagent3.xyz/skills/firewall/agent",
    "manifestUrl": "https://openagent3.xyz/skills/firewall/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/firewall/agent.md"
  }
}
```
## Documentation

### Critical First Steps

Allow SSH/remote access before enabling any firewall — enabling first locks you out
Test access in a second session before closing the first — verify the rule actually works
Know how to access provider console — it's the only way back if locked out

### Default Stance

Default deny all incoming traffic — only open what you explicitly need
Default allow outgoing traffic — most apps need to reach the internet
Every open port is attack surface — question each one before adding

### Essential Ports

SSH (22 or custom): Always needed for remote access — consider limiting to your IP only
HTTP (80): Only if serving web traffic — also needed for Let's Encrypt HTTP challenge
HTTPS (443): For production web services
Don't open database ports (3306, 5432, 27017) to the internet — access via SSH tunnel or private network

### Provider Firewalls (Hetzner, DigitalOcean, AWS, etc.)

Provider firewall applies before traffic reaches your server — faster, less server load
Changes usually apply immediately — no reload command needed
Stateful by default — allow inbound, responses automatically allowed outbound
Apply to server groups for consistency — easier than per-server rules
Provider firewall + OS firewall = defense in depth — use both when possible

### IP Restrictions

Limit SSH to known IPs when possible — dramatically reduces attack surface
Your home IP may change — use a VPN with static IP or update rules when it changes
Allow IP ranges with CIDR notation — /32 is single IP, /24 is 256 IPs
Some providers support dynamic DNS in rules — check before building complex solutions

### Common Services to Consider

VPN (WireGuard: 51820/UDP, OpenVPN: 1194) — allows secure access without exposing other ports
Mail (25, 465, 587) — only if running mail server
DNS (53 TCP/UDP) — only if running DNS server
Monitoring agents may need outbound access to specific IPs

### Docker Warning

Docker bypasses most OS firewalls by default — containers expose ports regardless of UFW/iptables
Solution: bind containers to localhost only and use reverse proxy for public access
Or configure Docker to respect firewall rules — requires additional setup
Provider-level firewalls still work — they block before traffic reaches Docker

### IPv6

Firewalls often have separate IPv4 and IPv6 rules — configure both
Provider firewalls may handle both together — check their documentation
Attackers probe IPv6 when IPv4 is locked down — don't neglect it

### Debugging

Test from outside your network — rules may look correct but not work
Provider dashboards often show blocked traffic logs
"Connection refused" = port closed properly; "Connection timeout" = firewall dropping silently
Online port scanners verify what's actually open from the internet

### Common Mistakes

Opening ports "temporarily" and forgetting to close them
Opening 80/443 when no web server runs — unnecessary exposure
Forgetting UDP for services that need it — DNS, VPN, game servers
Assuming firewall is active — verify it's actually running/applied
Only configuring IPv4 — leaving IPv6 wide open
Trusting "security through obscurity" — non-standard ports slow attackers, don't stop them
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ivangdavila
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-04-29T07:03:39.947Z
- Expires at: 2026-05-06T07:03:39.947Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/firewall)
- [Send to Agent page](https://openagent3.xyz/skills/firewall/agent)
- [JSON manifest](https://openagent3.xyz/skills/firewall/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/firewall/agent.md)
- [Download page](https://openagent3.xyz/downloads/firewall)