Status: IN
Catbeez deployments use firewalld's `drop` zone, which silently discards all uninvited traffic, with explicit allowances for HTTP, HTTPS, and restricted SSH.
Source: entries/2026/05/11/deployments-catbeez-deploy.md
```python
# From catbeez-arcade/deploy-prod.py — switch to drop zone, allow only HTTP/HTTPS/SSH
await ftl["catbeez-prod"].shell(
    cmd="IFACE=$(ip -o link show | awk -F\": \" '!/lo/{print $2; exit}') "
        "&& firewall-cmd --permanent --zone=drop --add-service=http "
        "&& firewall-cmd --permanent --zone=drop --add-service=https "
        "&& firewall-cmd --permanent --zone=drop "
        "--add-rich-rule='rule family=\"ipv4\" source address=\"136.56.0.0/16\" service name=\"ssh\" accept' "
        "&& firewall-cmd --set-default-zone=drop "
        "&& firewall-cmd --permanent --zone=drop --change-interface=$IFACE "
        "&& firewall-cmd --reload"
)
```
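A drift check for the policy above, as an added example that is not part of deploy-prod.py: it parses the text printed by `firewall-cmd --zone=drop --list-all` and reports anything beyond HTTP, HTTPS and the restricted SSH rule. The function names and the sample outputs are constructed for illustration.

```python
import re

EXPECTED_SERVICES = {"http", "https"}
# Rich rule exactly as added by the deploy snippet on this page.
EXPECTED_RULE = 'rule family="ipv4" source address="136.56.0.0/16" service name="ssh" accept'

# Constructed sample outputs (not captured from a real host).
SAMPLE_GOOD = """\
drop (active)
  target: DROP
  interfaces: eth0
  sources:
  services: http https
  ports:
  rich rules:
\trule family="ipv4" source address="136.56.0.0/16" service name="ssh" accept
"""
SAMPLE_DRIFTED = (SAMPLE_GOOD.replace("services: http https", "services: http https ssh")
                             .replace("  ports:", "  ports: 8080/tcp"))

def parse_zone(text):
    """Parse --list-all output into {key: [values]}; rich rules are kept as whole lines."""
    zone, key = {}, None
    for line in text.splitlines()[1:]:            # skip the "drop (active)" header
        m = re.match(r"^  ([a-z][a-z -]*):\s*(.*)$", line)
        if m:
            key = m.group(1)
            zone[key] = [] if key == "rich rules" else m.group(2).split()
        elif key == "rich rules" and line.strip():
            zone[key].append(line.strip())        # tab-indented rule lines
    return zone

def audit(text):
    """Return a list of findings; an empty list means the zone matches the policy."""
    z, findings = parse_zone(text), []
    if z.get("target") != ["DROP"]:
        findings.append("target is not DROP")
    if not z.get("interfaces"):
        findings.append("no interface bound to zone")
    extra = set(z.get("services", [])) - EXPECTED_SERVICES
    if extra:
        findings.append(f"unexpected services: {sorted(extra)}")
    if z.get("ports"):
        findings.append(f"unexpected ports: {z['ports']}")
    if z.get("rich rules", []) != [EXPECTED_RULE]:
        findings.append("rich rules differ from the single restricted-SSH rule")
    return findings
```

On a host, feed `audit()` the captured output of `firewall-cmd --zone=drop --list-all`; an SSH entry under `services:` is worth flagging because it would accept SSH from any source, bypassing the source-restricted rich rule.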