Outbound Firewall Egress Allowlist Hardening Prompt
Design a default-deny egress firewall policy from observed outbound traffic, locking down which destinations a host or workload may reach to contain data exfiltration and command-and-control without breaking required dependencies.
- Target user: Network and platform security engineers
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior network security engineer who hardens outbound (egress) traffic to a default-deny allowlist, so a compromised host or workload cannot freely reach the internet, while every legitimate dependency keeps working.

I will provide:
- The environment: a Linux host (iptables/nftables/firewalld), a cloud security group / NACL, or a Kubernetes NetworkPolicy / CNI
- The workload's role and its known outbound dependencies: package mirrors, container registries, APIs, DNS, NTP, telemetry, cloud metadata, and internal services
- Observed egress data if available: connection logs, flow logs, or a `ss`/conntrack snapshot of current outbound connections

Do the following:
1. **Profile current egress** — from the logs/snapshot, list every destination the workload actually reaches (host/CIDR, port, protocol) and label each as required, optional, or suspicious/unexpected.
2. **Define the allowlist** — translate required destinations into specific egress rules; prefer FQDN/CIDR-scoped rules over `0.0.0.0/0`, and split DNS, NTP, and registry access explicitly.
3. **Lock the metadata service** — for cloud hosts, ensure access to the instance metadata endpoint (169.254.169.254) is restricted to what the workload needs and IMDSv2 is enforced where applicable.
4. **Set default-deny** — recommend the deny-all egress baseline with the allowlist on top, plus logging on the deny rule to catch what you missed.
5. **Stage the rollout** — propose log-only/monitor mode first, then enforce, so missing dependencies surface before they cause an outage.
6. **Verify** — give the test commands to confirm allowed traffic passes and disallowed traffic is dropped and logged.

Output as: an egress inventory table (destination, port, verdict), the exact ruleset for the platform in use, and a staged rollout + verification plan. Defensive containment only — no offensive or evasion guidance.
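As an added example, not part of the prompt above or of any tool it names, the following Python carries steps 1 to 5 through on a Linux host: it aggregates a constructed `ss`-style egress snapshot into an inventory with verdicts, flags the metadata endpoint, and emits an nftables ruleset that starts in log-only monitor mode and switches to default-deny with a logged drop. The sample flows and the REQUIRED dependency map are assumptions for this workload, not observed data.

```python
import ipaddress
from collections import Counter

# Constructed egress snapshot ("proto dst_ip dport" per line), in the shape one
# would extract from `ss -tun` or cloud flow logs. Not real traffic.
FLOWS = """\
udp 10.0.0.2 53
tcp 10.0.5.17 443
tcp 10.0.5.17 443
udp 10.0.7.4 123
tcp 169.254.169.254 80
tcp 203.0.113.45 4444
"""
# Assumed known dependencies for this workload: (cidr, port, proto) -> label.
REQUIRED = {
    ("10.0.0.2/32", 53, "udp"): "dns",
    ("10.0.5.0/24", 443, "tcp"): "registry",
    ("10.0.7.0/24", 123, "udp"): "ntp",
}
METADATA = ipaddress.ip_network("169.254.169.254/32")

def classify(dst, port, proto):
    """Step 1 verdict for one observed destination."""
    ip = ipaddress.ip_address(dst)
    if ip in METADATA:
        return "metadata: restrict, enforce IMDSv2"
    for (cidr, p, pr), label in REQUIRED.items():
        if ip in ipaddress.ip_network(cidr) and (port, proto) == (p, pr):
            return f"required ({label})"
    return "suspicious/unexpected"

def inventory(flows):
    """Aggregate the snapshot into (dst, port, proto, count, verdict) rows."""
    seen = Counter(tuple(line.split()) for line in flows.strip().splitlines())
    return [(dst, int(port), proto, n, classify(dst, int(port), proto))
            for (proto, dst, port), n in sorted(seen.items())]

def nft_ruleset(enforce=False, metadata_needed=False):
    """Steps 2-5: allowlist on top of default-deny, logging what falls through.
    Monitor mode (enforce=False) keeps policy accept and only counts/logs
    unmatched flows so missing dependencies surface before anything drops."""
    policy = "drop" if enforce else "accept"
    lines = ["table inet egress {", "  chain output {",
             f"    type filter hook output priority 0; policy {policy};",
             "    oif lo accept", "    ct state established,related accept"]
    for (cidr, port, proto), label in REQUIRED.items():
        lines.append(f'    ip daddr {cidr} {proto} dport {port} accept comment "{label}"')
    if metadata_needed:  # only if the workload actually needs IMDS
        lines.append('    ip daddr 169.254.169.254 tcp dport 80 accept comment "imds"')
    lines.append('    log prefix "egress-deny " ' + ("drop" if enforce else "counter"))
    return "\n".join(lines + ["  }", "}"])
```

Feed `nft_ruleset()` to `nft -f -` for the monitor stage, watch the `egress-deny` log prefix for anything the inventory missed, then load `nft_ruleset(enforce=True)`.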
Related prompts
- Firewall & Network Egress Hardening Review Prompt
  Audit and tighten host and cloud firewall rules — nftables/iptables, security groups, NACLs — toward default-deny ingress and controlled egress, eliminating overly broad 0.0.0.0/0 exposure.
- Kubernetes Pod Security Standards Review Prompt
  Review a Kubernetes cluster's workloads against the Pod Security Standards (baseline/restricted) and produce a phased enforcement plan that won't break running apps.
- nftables Firewall Ruleset Review & Rewrite Prompt
  Audit a messy iptables/nftables ruleset for gaps, shadowed rules, and default-allow leaks, then produce a clean, default-deny nftables rewrite with stateful tracking and logging.