configuring-firewalls


Configuring Firewalls


Purpose


Guide engineers through configuring firewalls across host-based (iptables, nftables, UFW), cloud-based (AWS Security Groups, NACLs), and container-based (Kubernetes NetworkPolicies) environments with practical rule examples and safety patterns to prevent lockouts and security misconfigurations.

When to Use This Skill


Trigger Phrases:
  • "Configure firewall for [server/service]"
  • "Set up security groups for [AWS resource]"
  • "Allow port [X] through firewall"
  • "Block IP address [X.X.X.X]"
  • "Set up UFW on Ubuntu server"
  • "Create iptables/nftables rules"
  • "Configure bastion host firewall"
  • "Implement egress filtering"
Common Scenarios:
  • Initial server setup and hardening
  • Exposing a new service (web server, API, database)
  • Implementing network segmentation
  • Creating bastion host or jump box
  • Migrating from iptables to nftables
  • Configuring cloud security groups
  • Troubleshooting connectivity issues

Decision Framework: Which Firewall Tool?


Cloud Environments


AWS:
  • Instance-level control → Security Groups (stateful, allow-only rules)
  • Subnet-level enforcement → Network ACLs (stateless, allow + deny rules)
  • Use both for defense-in-depth
GCP:
  • Use VPC Firewall Rules (stateful, priority-based)
Azure:
  • Use Network Security Groups (NSGs) (stateful, priority-based)

Host-Based Linux Firewalls


Ubuntu/Debian + Simplicity:
  • Use UFW (Uncomplicated Firewall) - recommended for most users
  • Front-end for iptables/nftables with simplified syntax
RHEL/CentOS/Fedora:
  • Use firewalld (default on Red Hat ecosystem)
  • Zone-based configuration with dynamic updates
Modern Distro + Advanced Control:
  • Use nftables (best performance, modern standard)
  • O(log n) performance vs iptables O(n)
  • Unified IPv4/IPv6/NAT syntax
Legacy Systems:
  • Use iptables (migrate to nftables when feasible)
  • Required for older kernels (< 4.14)

Kubernetes/Containers


  • Use NetworkPolicies (requires CNI plugin: Calico, Cilium, Weave)
  • See references/k8s-networkpolicies.md

Stateful vs Stateless


Stateful (recommended for most cases):
  • Automatically allows return traffic
  • Simpler configuration
  • Examples: Security Groups, UFW, nftables default
Stateless (specialized use):
  • Must explicitly allow both directions
  • Fine-grained control, less state tracking
  • Examples: Network ACLs, custom nftables rules

Quick Start Examples


UFW (Ubuntu/Debian)


```bash
# 1. Set defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# 2. CRITICAL: Allow SSH before enabling (prevent lockout)
sudo ufw allow ssh
sudo ufw limit ssh      # Rate-limit to prevent brute force

# 3. Allow web traffic
sudo ufw allow http     # Port 80
sudo ufw allow https    # Port 443

# 4. Allow from specific IP (e.g., database access)
sudo ufw allow from 192.168.1.100 to any port 5432

# 5. Enable firewall
sudo ufw enable

# 6. Verify rules
sudo ufw status verbose
```

For complete UFW patterns, see references/ufw-patterns.md

nftables (Modern Linux)


```nftables
#!/usr/sbin/nft -f
# /etc/nftables.conf

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Accept loopback
        iif "lo" accept

        # Accept established connections (stateful)
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow SSH
        tcp dport 22 accept

        # Allow HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # Log dropped packets
        log prefix "nftables-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Apply: `sudo nft -f /etc/nftables.conf`
Enable on boot: `sudo systemctl enable nftables`

For advanced patterns (sets, maps), see references/nftables-patterns.md
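The two safety rules this guide repeats (allow SSH before enabling, test before applying) can be enforced by a wrapper around `nft -f`. The script below is an added example, not part of the original guide or of any project it references: it refuses to load a ruleset that has no rule accepting TCP port 22, syntax-checks the file with `nft -c`, snapshots the live ruleset, applies the new one, and restores the snapshot after a timeout unless the operator confirms from a fresh SSH session by creating a marker file. The marker path `/run/nft-apply-confirm`, the `NFT_CONFIRM_FILE` variable and the script's behaviour are assumptions of this example; it must run as root with `nft` installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply an nftables ruleset
# with an SSH pre-check and an automatic rollback timer, so a bad rule
# cannot lock you out of a remote host.
# Assumptions: nft is installed, the script runs as root, and the ruleset
# file is complete (starts with "flush ruleset", like /etc/nftables.conf above).
set -u

# Marker the operator creates from a fresh SSH session to confirm the new
# rules; path and variable name are assumptions for this example.
CONFIRM_FILE="${NFT_CONFIRM_FILE:-/run/nft-apply-confirm}"

# Return 0 if the file contains a rule accepting TCP port 22, written either
# directly ("tcp dport 22 accept", "tcp dport ssh accept") or as a member of
# an inline set ("tcp dport { 22, 443 } accept"). Comments are ignored.
ruleset_allows_ssh() {
  sed 's/#.*//' "$1" \
    | grep -E 'tcp[[:space:]]+dport[[:space:]]+(22|ssh|\{[^}]*\})[[:space:]]+accept' \
    | grep -Eq '(^|[^0-9])(22|ssh)([^0-9]|$)'
}

# Return 0 if nft can parse the file; -c checks without changing anything.
ruleset_is_valid() {
  nft -c -f "$1"
}

# Apply $1, then restore the previous ruleset after $2 seconds (default 60)
# unless $CONFIRM_FILE exists by then.
safe_apply() {
  local conf="$1" timeout="${2:-60}" backup
  if ! ruleset_allows_ssh "$conf"; then
    echo "refusing to apply $conf: no rule accepting tcp port 22 found" >&2
    return 1
  fi
  ruleset_is_valid "$conf" || return 1
  backup="$(mktemp)"
  # "flush ruleset" first so re-loading the snapshot replaces, not appends
  { echo "flush ruleset"; nft list ruleset; } > "$backup"
  rm -f "$CONFIRM_FILE"
  nft -f "$conf" || return 1
  echo "applied $conf; from a NEW ssh session run: touch $CONFIRM_FILE (within ${timeout}s)"
  (
    trap '' HUP                       # keep the timer alive if the SSH session dies
    sleep "$timeout"
    if [ ! -e "$CONFIRM_FILE" ]; then
      nft -f "$backup"
      logger -t nft-safe-apply "no confirmation within ${timeout}s, previous ruleset restored"
    fi
    rm -f "$backup"
  ) >/dev/null 2>&1 &
}

if [ "$#" -ge 1 ]; then
  safe_apply "$@"
else
  # No arguments: self-check the SSH detector on a constructed ruleset
  # (this part needs neither nft nor root).
  demo="$(mktemp)"
  cat > "$demo" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        tcp dport { 22, 443 } accept   # ssh + https
    }
}
EOF
  if ruleset_allows_ssh "$demo"; then
    echo "demo ruleset keeps SSH reachable: check passed"
  fi
  rm -f "$demo"
fi
```

Typical use is `sudo ./nft-safe-apply.sh /etc/nftables.conf 90`, then `sudo touch /run/nft-apply-confirm` from a second SSH session that proves access still works. The SSH check is a textual heuristic: it only recognises `tcp dport` rules with a literal `22` or `ssh`, so a ruleset that admits SSH through a named set, or on a non-standard port, fails the check and needs the detector extended before it is applied.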

AWS Security Groups (Terraform)


```hcl
# Web server security group
resource "aws_security_group" "web" {
  name        = "web-server-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  # Allow HTTPS from anywhere (this rule covers port 443 only)
  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow SSH from bastion only
  ingress {
    description     = "SSH from bastion"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  # Allow all outbound
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "web-server-sg" }
}
```

For Security Groups vs NACLs guide, see references/aws-security-groups.md

Safety Checklist


Before enabling any firewall:
  • Always allow SSH before enabling (prevent lockout)
  • Test rules before enabling (dry-run when possible)
  • Enable logging for debugging
  • Document rules in version control (Git)
  • Verify externally with nmap: `nmap -Pn <server-ip>`
  • Have console access (cloud) or physical access (on-prem)
  • Start with default deny, explicitly allow required traffic
  • Use rate limiting for SSH (`ufw limit ssh`)
Common Patterns


Pattern 1: Basic Web Server


Requirements:
  • Allow HTTP (80) and HTTPS (443) from anywhere
  • Allow SSH from specific IP or bastion only
  • Default deny all other inbound traffic
UFW:
```bash
sudo ufw default deny incoming
sudo ufw allow from 203.0.113.0/24 to any port 22  # Office IP
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
```
nftables: See references/nftables-patterns.md for complete example
AWS Security Group: See references/aws-security-groups.md for Terraform module

Pattern 2: Database Server (Private)


Requirements:
  • Allow database port (5432, 3306, etc.) from app tier only
  • No public internet access
  • SSH from bastion only
See references/database-patterns.md for implementation

Pattern 3: Bastion Host (Jump Box)


Purpose: Single hardened entry point for SSH access
See references/bastion-pattern.md for complete implementation

Pattern 4: Egress Filtering


Purpose: Control outbound traffic to prevent data exfiltration
See references/egress-filtering.md for implementation

Key Concepts


Stateful Firewalls


Track connection state (established, related, new):
  • Automatically allow return traffic
  • Simpler rule configuration
  • Used by: Security Groups, UFW, nftables (default)

Stateless Firewalls


No connection tracking:
  • Must explicitly allow both directions
  • Must allow ephemeral ports (1024-65535) for return traffic
  • Used by: Network ACLs

Defense-in-Depth


Layer multiple firewall controls:
  • Cloud: Security Groups + NACLs
  • Host: UFW/nftables + fail2ban
  • Container: NetworkPolicies

Rule Evaluation


Security Groups (AWS): All rules evaluated, most permissive wins
Network ACLs (AWS): Sequential evaluation, first match wins
nftables/iptables: Sequential, first match wins
UFW: Sequential by rule number
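The difference between these evaluation models, and the reason a stateless NACL needs the 1024-65535 ephemeral range described under Stateless Firewalls, is easiest to see by running both models over a small rule table. The script below is an added example, not part of the original guide: `nacl_eval` implements first-match-wins by rule number with `*` as the catch-all, `sg_eval` implements the security-group model (allow rules only, any match allows), and `stateful_inbound_eval` shows why a reply to an ephemeral port passes a stateful security group but is dropped by a NACL that lacks the ephemeral rule. The rule tables, the column layout and the connection-tracking entries are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): simulate the rule-evaluation
# models described above on constructed rule tables.
# NACL rows:  number action protocol from_port to_port   ("*" = catch-all)
# SG rows:    protocol from_port to_port                  (allow rules only)

# Constructed inbound NACL for a web subnet: ports 80/443 allowed, nothing
# for the ephemeral range, so replies to the subnet's own outbound
# connections are dropped.
NACL_INBOUND='100 allow tcp 80 80
110 allow tcp 443 443
* deny all 0 65535'

# Same NACL plus the ephemeral-port rule that stateless filtering requires.
NACL_INBOUND_FIXED="$NACL_INBOUND
120 allow tcp 1024 65535"

# Rule numbers decide precedence: the deny at 50 shadows the allow at 100.
NACL_DENY_FIRST='50 deny tcp 22 22
100 allow tcp 22 22
* deny all 0 65535'

# Constructed security group: allow rules only, no ephemeral entry needed.
SG_WEB='tcp 80 80
tcp 443 443'

# Constructed connection-tracking table of a stateful firewall:
# "proto local_port" for connections this host opened itself.
CONNTRACK='tcp 51234'

# NACL model: lowest-numbered matching rule wins, "*" applies if none match.
nacl_eval() {   # $1 = rule table, $2 = protocol, $3 = destination port
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    $1 == "*" { star = $2; next }
    ($3 == proto || $3 == "all") && port >= $4 && port <= $5 { hit[$1] = $2 }
    END {
      best = ""
      for (k in hit) if (best == "" || k + 0 < best + 0) best = k
      verdict = (best != "") ? hit[best] : star
      if (verdict == "") verdict = "deny"
      print verdict
    }'
}

# Security-group model: every rule is an allow; any match allows, else deny.
sg_eval() {   # $1 = rule table, $2 = protocol, $3 = destination port
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    ($1 == proto || $1 == "-1") && port >= $2 && port <= $3 { ok = 1 }
    END { v = ok ? "allow" : "deny"; print v }'
}

# Stateful evaluation: packets belonging to a tracked connection bypass the
# inbound rules entirely; only new connections are matched against them.
stateful_inbound_eval() {   # $1 = conntrack, $2 = SG table, $3 = proto, $4 = port
  if printf '%s\n' "$1" | grep -qx "$3 $4"; then
    echo allow
  else
    sg_eval "$2" "$3" "$4"
  fi
}

# A reply from a server this host connected to arrives on local port 51234:
echo "NACL without ephemeral rule: $(nacl_eval "$NACL_INBOUND" tcp 51234)"          # deny
echo "NACL with ephemeral rule:    $(nacl_eval "$NACL_INBOUND_FIXED" tcp 51234)"    # allow
echo "SG rules alone:              $(sg_eval "$SG_WEB" tcp 51234)"                  # deny
echo "SG with conntrack:           $(stateful_inbound_eval "$CONNTRACK" "$SG_WEB" tcp 51234)"  # allow
echo "NACL deny@50 vs allow@100, port 22: $(nacl_eval "$NACL_DENY_FIRST" tcp 22)"   # deny
```

The NACL numbers are the only thing that orders evaluation, which is why an audit of a NACL should read the rules sorted by number rather than in the order they were created; the security-group model has no ordering to audit but also no way to express a deny, so blocking a source in AWS is a NACL (or host firewall) job.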

Universal Best Practices


  1. Default Deny: Start with deny-all, explicitly allow required traffic
  2. Principle of Least Privilege: Only open necessary ports/IPs
  3. No 0.0.0.0/0 on Sensitive Ports: Never allow SSH/RDP/database from anywhere
  4. Version Control: Store firewall rules in Git
  5. Logging: Enable and monitor firewall logs
  6. Regular Audits: Review rules quarterly, remove unused
  7. Don't Mix Tools: Avoid running iptables and nftables simultaneously
  8. Test Before Production: Use staging environment first

Advanced Topics


Bastion Host Architecture: See references/bastion-pattern.md for single entry point patterns
DMZ (Demilitarized Zone): See references/dmz-pattern.md for network segmentation
Egress Filtering: See references/egress-filtering.md for outbound traffic control
Kubernetes NetworkPolicies: See references/k8s-networkpolicies.md for pod-to-pod isolation
Migrating iptables to nftables: See references/migration-guide.md for conversion process
Cloud Firewall Comparisons:
  • AWS: references/aws-security-groups.md
  • GCP: references/gcp-firewall.md
  • Azure: references/azure-nsg.md

Troubleshooting


"I locked myself out via SSH":
  • Cloud: Use console/session manager to access
  • On-prem: Physical console access or IPMI/iLO
  • Prevention: Always allow SSH before enabling firewall
Connection timeouts:
  • Check if firewall is blocking traffic: `sudo ufw status` or `sudo nft list ruleset`
  • Verify service is listening: `ss -tuln | grep <port>`
  • Test externally: `nmap -Pn <ip> -p <port>`
  • Check logs: `/var/log/ufw.log` or `journalctl -u nftables`
AWS: Ephemeral port issues:
  • NACLs need return traffic: Allow 1024-65535 inbound
  • Security Groups are stateful (no ephemeral config needed)
Kubernetes pods can't communicate:
  • Check NetworkPolicies: `kubectl get networkpolicies -n <namespace>`
  • Verify CNI plugin supports NetworkPolicies (Calico, Cilium)
  • Test without policies first
For complete troubleshooting guide, see references/troubleshooting.md

Common Mistakes to Avoid

  ❌ Allowing 0.0.0.0/0 on SSH/RDP → Use bastion or VPN
  ❌ Forgetting to enable firewall → Rules configured but not active
  ❌ Not testing before enabling → Risk of lockout
  ❌ Missing ephemeral ports in NACLs → Return traffic blocked
  ❌ Running iptables + nftables → Conflicts and unpredictable behavior
  ❌ No logging → Can't debug or audit
  ❌ Large port ranges → Unnecessary attack surface
  ❌ Not documenting rules → Future confusion

Tool-Specific Commands

工具特定命令

UFW

```bash
# Status
sudo ufw status verbose
sudo ufw status numbered

# Add rules
sudo ufw allow <port>/<protocol>
sudo ufw allow from <ip> to any port <port>
sudo ufw limit ssh            # Rate limiting

# Delete rules
sudo ufw delete <rule-number>
sudo ufw delete allow 80/tcp

# Logging
sudo ufw logging on
tail -f /var/log/ufw.log

# Reset (disable and remove all rules)
sudo ufw reset
```
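Turning logging on is only half of the "enable and monitor firewall logs" practice; the other half is reducing the log to something a person can act on. The script below is an added example, not part of the original guide: it parses netfilter drop lines (UFW's `[UFW BLOCK]` entries in /var/log/ufw.log, or lines carrying the `nftables-drop: ` prefix from the nftables config earlier on this page, which the kernel emits and `journalctl -k` shows) and summarises drops by source address and destination port. Both tools log in the kernel's `KEY=value` format, so one parser covers both. The sample log lines are constructed for this example and use documentation-range addresses.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): summarise firewall drop logs.
# Works on UFW "[UFW BLOCK]" lines and on nftables "log prefix" lines,
# because both are netfilter kernel messages in KEY=value form.

# Constructed sample (documentation-range addresses, not real traffic).
SAMPLE_LOG='Jan 10 12:00:01 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.4 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 SYN URGP=0
Jan 10 12:00:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.4 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 SYN URGP=0
Jan 10 12:00:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.4 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=65535 SYN URGP=0
Jan 10 12:00:04 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=203.0.113.9 DST=10.0.0.4 LEN=78 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Jan 10 12:00:05 web1 kernel: nftables-drop: IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=10.0.0.4 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=65535 SYN URGP=0
Jan 10 12:00:06 web1 kernel: [UFW ALLOW] IN=eth0 OUT= MAC=02:00:00:aa:bb:cc:02:00:00:dd:ee:ff:08:00 SRC=192.0.2.1 DST=10.0.0.4 LEN=60 TTL=60 ID=6 DF PROTO=TCP SPT=5000 DPT=443 WINDOW=65535 SYN URGP=0'

# Print "count SRC DPT PROTO" rows, most frequent first, for log lines whose
# text matches the regex in $1. Reads the log on stdin.
summarise_drops() {
  grep -E "$1" | awk '
    {
      src = dpt = proto = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      count[src " " dpt " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Print source addresses with at least $2 dropped packets, one per line
# (input for a block-list review or a fail2ban-style alert).
sources_over_threshold() {
  summarise_drops "$1" | awk -v min="$2" '
    { total[$2] += $1 }
    END { for (s in total) if (total[s] >= min) print s }' | sort
}

# Match both UFW block lines and the nftables log prefix used in this guide.
DROP_PATTERN='UFW BLOCK|nftables-drop'
printf '%s\n' "$SAMPLE_LOG" | summarise_drops "$DROP_PATTERN"
echo "--- sources with 3 or more drops:"
printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold "$DROP_PATTERN" 3
```

On a live host the input would be `sudo tail -n 10000 /var/log/ufw.log` or `journalctl -k --since -1h`, and a source that repeatedly hits port 22 or 3389 is a candidate for the rate-limiting and bastion-only patterns above rather than for a larger allow-list.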

nftables

```bash
# List ruleset
sudo nft list ruleset

# Load config
sudo nft -f /etc/nftables.conf

# Flush all rules
sudo nft flush ruleset

# Add rule dynamically
sudo nft add rule inet filter input tcp dport 8080 accept

# Enable on boot
sudo systemctl enable nftables
```

iptables

```bash
# List rules
sudo iptables -L -v -n
sudo iptables -L INPUT --line-numbers

# Add rule
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Delete rule
sudo iptables -D INPUT <rule-number>

# Save rules
sudo netfilter-persistent save   # Debian/Ubuntu
sudo service iptables save       # RHEL/CentOS
```

AWS CLI

```bash
# List security groups
aws ec2 describe-security-groups --group-ids sg-xxxxx

# List NACLs
aws ec2 describe-network-acls --network-acl-ids acl-xxxxx

# Add rule to security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxx \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```

For infrastructure as code approach, use Terraform (see references/aws-security-groups.md)

Examples Directory


Complete working examples available in:
  • examples/ufw/
    - UFW configuration scripts
  • examples/nftables/
    - nftables rulesets
  • examples/iptables/
    - iptables rule scripts
  • examples/terraform-aws/
    - AWS Security Groups and NACLs
  • examples/terraform-gcp/
    - GCP firewall rules
  • examples/terraform-azure/
    - Azure NSGs
  • examples/kubernetes/
    - NetworkPolicy manifests

Integration Points


Related Skills:
  • security-hardening - Firewalls are one component of server hardening. See security-hardening skill for SSH hardening, fail2ban, auditd, and SELinux.
  • building-ci-pipelines - CI runners need network access to repos and artifact stores. Configure firewall rules for self-hosted runners.
  • deploying-applications - Applications need firewall rules for service exposure. See deploying-applications for integration.
  • infrastructure-as-code - Manage firewalls as code with Terraform/CloudFormation. See infrastructure-as-code for IaC best practices.
  • kubernetes-operations - Advanced K8s networking beyond basic NetworkPolicies. See kubernetes-operations for Services, Ingress, and CNI configuration.
  • network-architecture - Broader network design patterns. See network-architecture for VPC design, subnets, and routing.

Reference Files


Tool-Specific Guides:
  • references/ufw-patterns.md - Complete UFW guide with examples
  • references/nftables-patterns.md - nftables syntax, sets, maps, logging
  • references/iptables-patterns.md - iptables basics and migration path
  • references/migration-guide.md - Convert iptables to nftables
Cloud Provider Guides:
  • references/aws-security-groups.md - Security Groups vs NACLs with Terraform
  • references/gcp-firewall.md - GCP VPC firewall rules
  • references/azure-nsg.md - Azure Network Security Groups
Advanced Patterns:
  • references/bastion-pattern.md - Jump box architecture
  • references/dmz-pattern.md - Network segmentation with DMZ
  • references/egress-filtering.md - Outbound traffic control
  • references/k8s-networkpolicies.md - Kubernetes pod isolation
Support:
  • references/troubleshooting.md - Common issues and solutions
  • references/decision-tree.md - Visual guide for tool selection