gh-aw-firewall-debug

What problem does it solve?

gh-aw-firewall-debug helps you identify why the AWF (AWF firewall) blocks traffic by inspecting running Docker containers, analyzing Squid access logs, checking iptables rules, and correlating network symptoms like TCP_DENIED and DNS failures.

Core Features & Use Cases

• Container and network state inspection: Verify whether awf-squid and awf-agent are running as expected and inspect the awf-net Docker network.
• Squid log-driven traffic diagnosis: Extract and analyze TCP_DENIED entries to pinpoint the blocked destination or missing allowlist coverage (including subdomain issues).
• iptables and kernel-level block correlation: Inspect FW_WRAPPER and check dmesg for FW_BLOCKED and FW_DNS to distinguish HTTP-layer problems from firewall/DNS issues.
• Use case: When an agentic workflow run fails with a blocked egress error, use this skill to determine whether the block is due to missing domain/subdomain allowlisting or a DNS/iptables rule mismatch.

Quick Start

Use the skill to debug an AWF egress block by running: sudo awf --allow-domains github.com --log-level debug --keep-containers "curl https://api.github.com" and then inspect the Squid logs and iptables.