DevOps AI ToolKit

Outbound Firewall Egress Allowlist Hardening Prompt

Design a default-deny egress firewall policy from observed outbound traffic, locking down which destinations a host or workload may reach to contain data exfiltration and command-and-control without breaking required dependencies.

Target user
Network and platform security engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior network security engineer who hardens outbound (egress) traffic to a default-deny allowlist, so a compromised host or workload cannot freely reach the internet, while every legitimate dependency keeps working.

I will provide:
- The environment: a Linux host (iptables/nftables/firewalld), a cloud security group / NACL, or a Kubernetes NetworkPolicy / CNI
- The workload's role and its known outbound dependencies: package mirrors, container registries, APIs, DNS, NTP, telemetry, cloud metadata, and internal services
- Observed egress data if available: connection logs, flow logs, or a `ss`/conntrack snapshot of current outbound connections.

Do the following:

1. **Profile current egress** — from the logs/snapshot, list every destination the workload actually reaches (host/CIDR, port, protocol) and label each as required, optional, or suspicious/unexpected.
2. **Define the allowlist** — translate the required destinations into specific egress rules; scope each rule to an FQDN or CIDR rather than `0.0.0.0/0`, and give DNS, NTP, and registry access their own explicit rules instead of a blanket allow.
3. **Lock the metadata service** — for cloud hosts, limit access to the instance metadata endpoint (169.254.169.254) to the ports and processes the workload actually needs, deny it entirely when it needs none, and enforce IMDSv2 (session tokens required) where the provider supports it.
4. **Set default-deny** — recommend the deny-all egress baseline with the allowlist on top, plus logging on the deny rule to catch what you missed.
5. **Stage the rollout** — propose log-only/monitor mode first, then enforce, so missing dependencies surface before they cause an outage.
6. **Verify** — give the test commands to confirm allowed traffic passes and disallowed traffic is dropped and logged.

Output as: an egress inventory table (destination, port, verdict), the exact ruleset for the platform in use, and a staged rollout + verification plan. Defensive containment only — no offensive or evasion guidance.
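Added example (not part of the original prompt or the DevOps AI ToolKit page): a Python script that works through steps 1 to 6 for a Linux host running nftables. It parses a constructed `ss -Htun` snapshot, classifies each peer against a constructed dependency inventory for a hypothetical app server, emits the monitor-mode and enforce-mode rulesets, and prints the verification probes. The addresses (IETF documentation ranges plus the 169.254.169.254 metadata endpoint), the `egress` table and `output` chain names, and the `egress-deny:`/`egress-monitor:` log prefixes are assumptions chosen for the example.

```python
"""Egress profiling and default-deny nftables ruleset from an `ss` snapshot.

Added example, not code from the original page. The snapshot, the
dependency list, the table/chain names and the log prefixes are all
constructed assumptions for a hypothetical app server.
"""
import ipaddress
from dataclasses import dataclass

# Constructed `ss -Htun state established` output: Netid State Recv-Q Send-Q Local Peer.
SS_SNAPSHOT = """\
tcp ESTAB 0 0 10.0.1.23:44312 198.51.100.20:443
tcp ESTAB 0 0 10.0.1.23:50120 10.0.9.10:5432
tcp ESTAB 0 0 10.0.1.23:39904 169.254.169.254:80
tcp ESTAB 0 0 10.0.1.23:41200 203.0.113.77:4444
udp ESTAB 0 0 10.0.1.23:55800 10.0.0.2:53
udp ESTAB 0 0 [fd00::1]:40000 [2001:db8::53]:53
"""


@dataclass(frozen=True)
class Dep:
    name: str
    cidr: str
    proto: str
    port: int
    verdict: str  # "required" or "optional"


# Constructed dependency inventory (step 1 input); registry uses a documentation range.
KNOWN_DEPS = [
    Dep("DNS resolver", "10.0.0.2/32", "udp", 53, "required"),
    Dep("DNS resolver", "10.0.0.2/32", "tcp", 53, "required"),
    Dep("DNS resolver v6", "2001:db8::53/128", "udp", 53, "required"),
    Dep("NTP", "10.0.0.3/32", "udp", 123, "required"),
    Dep("Postgres", "10.0.9.10/32", "tcp", 5432, "required"),
    Dep("Container registry", "198.51.100.0/24", "tcp", 443, "required"),
    Dep("Cloud metadata (IMDS)", "169.254.169.254/32", "tcp", 80, "optional"),
]


def parse_peer(field):
    """Split an ss peer column ('1.2.3.4:443' or '[2001:db8::1]:443') into (ip, port)."""
    host, _, port = field.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def profile_egress(snapshot):
    """Step 1: one row per observed (peer ip, proto, port), labelled against KNOWN_DEPS."""
    rows = {}
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        proto, (ip, port) = fields[0], parse_peer(fields[-1])
        match = next((d for d in KNOWN_DEPS
                      if d.proto == proto and d.port == port
                      and ip in ipaddress.ip_network(d.cidr)), None)
        rows[(str(ip), proto, port)] = (
            (match.name, match.verdict) if match else ("unknown", "suspicious"))
    return [(ip, proto, port, name, verdict)
            for (ip, proto, port), (name, verdict) in sorted(rows.items())]


def nft_ruleset(enforce):
    """Steps 2-5: allowlist on an output chain; monitor mode only logs, enforce mode drops."""
    policy = "drop" if enforce else "accept"
    tail = ('log prefix "egress-deny: " drop' if enforce
            else 'log prefix "egress-monitor: " counter')
    rules = ["oif lo accept", "ct state established,related accept"]
    for d in KNOWN_DEPS:  # step 2: one explicit rule per dependency, never 0.0.0.0/0
        fam = "ip6" if ipaddress.ip_network(d.cidr).version == 6 else "ip"
        rules.append(f'{fam} daddr {d.cidr} {d.proto} dport {d.port} accept comment "{d.name}"')
    rules.append(tail)  # step 4: log whatever the allowlist missed (and drop it when enforcing)
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "# Step 3: only tcp/80 to 169.254.169.254 is opened above; on AWS also run\n"
        "#   aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required\n"
        f"table inet egress {{\n    chain output {{\n"
        f"        type filter hook output priority 0; policy {policy};\n{body}\n    }}\n}}\n"
    )


def verify_commands(profile):
    """Step 6: a probe per observed destination plus the check that denies were logged."""
    cmds = []
    for ip, proto, port, name, verdict in profile:
        expect = "expect non-zero exit" if verdict == "suspicious" else "expect exit 0"
        udp = "-u " if proto == "udp" else ""
        cmds.append(f"nc -zv -w3 {udp}{ip} {port}   # {name}: {expect}")
    cmds.append("journalctl -k -g 'egress-deny: ' --since -10min   # dropped flows must show here")
    return cmds


if __name__ == "__main__":
    profile = profile_egress(SS_SNAPSHOT)
    for row in profile:
        print("{:<18} {:<4} {:<6} {:<22} {}".format(*row))
    print("\n# --- stage 1: monitor mode ---\n" + nft_ruleset(enforce=False))
    print("# --- stage 2: enforce ---\n" + nft_ruleset(enforce=True))
    print("\n".join(verify_commands(profile)))
```

Load stage 1 with `nft -f` and watch the `egress-monitor:` kernel log entries for a full business cycle (including backups and cron jobs) before switching to stage 2; anything that shows up there is a dependency the inventory missed. `nc -z` is not a meaningful reachability test for UDP, so confirm DNS and NTP with `dig @10.0.0.2` and an NTP client query rather than relying on the UDP probes it prints.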
