{"id":"catbeez-firewalld-drop-zone","text":"Catbeez deployments use firewalld's `drop` zone, which silently discards all uninvited traffic, with explicit allowances for HTTP, HTTPS, and restricted SSH.","truth_value":"IN","source":"entries/2026/05/11/deployments-catbeez-deploy.md","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{"example":"# From catbeez-arcade/deploy-prod.py — switch to drop zone, allow only HTTP/HTTPS/SSH\nawait ftl[\"catbeez-prod\"].shell(\n    cmd=\"IFACE=$(ip -o link show | awk -F\\\": \\\" '!/lo/{print $2; exit}') \"\n        \"&& firewall-cmd --permanent --zone=drop --add-service=http \"\n        \"&& firewall-cmd --permanent --zone=drop --add-service=https \"\n        \"&& firewall-cmd --permanent --zone=drop \"\n        \"--add-rich-rule='rule family=\\\"ipv4\\\" source address=\\\"136.56.0.0/16\\\" service name=\\\"ssh\\\" accept' \"\n        \"&& firewall-cmd --set-default-zone=drop \"\n        \"&& firewall-cmd --permanent --zone=drop --change-interface=$IFACE \"\n        \"&& firewall-cmd --reload\"\n)"},"explanation":{"steps":[{"node":"catbeez-firewalld-drop-zone","truth_value":"IN","reason":"premise"}]}}