## Introduction

Firewall rules that block legitimate traffic cause service outages that are difficult to diagnose. A single misconfigured rule can break entire application stacks.

## Symptoms

- Service-to-service communication failing
- Connection timeouts on specific ports
- Traffic works from some sources but not others
- Firewall logs show "DROP" for traffic that is expected to be allowed
- A recent firewall change correlates with the outage

## Common Causes

- Rule order: a deny rule placed before the allow rule it should follow
- Source CIDR not updated after a network change
- Stateful firewall not tracking established connections
- Port range misconfigured (e.g., 8080 vs 80-8080)
- NAT rules not updated after an IP change

## Step-by-Step Fix

1. **Check firewall logs for blocked traffic**:

   ```bash
   # iptables: list DROP rules with their packet/byte counters (-v); a counter that
   # climbs while the failing request is retried identifies the rule at fault
   iptables -L -n -v | grep DROP
   # AWS: VPC flow logs are attached to a VPC, subnet or ENI (not to a security group),
   # so the resource-id filter takes one of those ids
   aws ec2 describe-flow-logs --filter Name=resource-id,Values=<vpc-or-eni-id>
   ```

2. **Test connectivity with tracing**:

   ```bash
   # TCP SYN probes to port 443 show the hop where the path stops answering
   traceroute -T -p 443 <destination-ip>
   # capture both directions to see whether SYNs leave and SYN-ACKs come back
   tcpdump -i eth0 host <destination-ip> and port 443
   ```

3. **Add a temporary allow rule for testing**:

   ```bash
   # -I INPUT 1 inserts at the top of the chain so no earlier DROP can shadow it
   iptables -I INPUT 1 -s <source-ip> -p tcp --dport <port> -j ACCEPT
   # Test connectivity, then remove this rule and make the permanent fix
   ```
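
The rule-order cause from the list above (a deny placed ahead of the allow it should follow) can be checked offline against `iptables -S` output before anyone touches the live chain. The following is an added example, not code from this runbook: a small Python checker run over a constructed rule dump; the sample rules, function names and the subset of match fields it understands are assumptions made here.

```python
import ipaddress
import shlex
# Constructed sample of `iptables -S INPUT` (not from a real host): DROPs 2 and 4 shadow ACCEPTs 3 and 5.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 10.1.2.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 80:8080 -j DROP
-A INPUT -s 192.168.5.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
SIMPLE_FIELDS = {"-A": "chain", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Pull chain, source, protocol, dport range and target out of one -A line. Other matches
    (-i, -d, -m ..., '!' negation) are ignored, so a deny carrying them can be a false positive."""
    toks = shlex.split(line)
    rule = {"chain": None, "src": ipaddress.ip_network("0.0.0.0/0"),
            "proto": None, "ports": (0, 65535), "target": None}
    for i, tok in enumerate(toks[:-1]):
        val = toks[i + 1]
        if tok in SIMPLE_FIELDS:
            rule[SIMPLE_FIELDS[tok]] = val
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif tok == "--dport":  # single port "443" or range "80:8080"
            lo, _, hi = val.partition(":")
            rule["ports"] = (int(lo), int(hi or lo))
    return rule

def covers(deny, allow):
    """True when every packet `allow` would match already hits `deny` first."""
    return (deny["chain"] == allow["chain"]
            and deny["proto"] in (None, allow["proto"])
            and allow["src"].subnet_of(deny["src"])
            and deny["ports"][0] <= allow["ports"][0] <= allow["ports"][1] <= deny["ports"][1])

def find_shadowed_allows(rules_text):
    """(accept_no, deny_no) pairs, 1-based in -S order, for ACCEPTs an earlier DROP/REJECT pre-empts."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("-A")]
    hits = []
    for a_no, allow in enumerate(rules, start=1):
        if allow["target"] == "ACCEPT":
            for d_no, deny in enumerate(rules[:a_no - 1], start=1):
                if deny["target"] in ("DROP", "REJECT") and covers(deny, allow):
                    hits.append((a_no, d_no))
                    break
    return hits
```

Feed it the real `iptables -S INPUT` output and every reported pair is an allow that will never fire until it is moved above (or the deny below) the rule that shadows it.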

## Prevention

- Use infrastructure as code for firewall rules
- Test rules in staging before production
- Implement change management for firewall modifications
- Monitor the firewall DROP rate with alerts
- Use network simulation tools for rule impact analysis