docs: add egress filtering documentation #202
Conversation
Explains why AWF uses domain allowlist as primary security control with port restrictions as defense-in-depth. Includes:
- Literature citations from Squid Wiki, NIST SP 800-41, CMU SEI
- Counter-arguments on port filtering obsolescence (Palo Alto, Gartner NGFW)
- Analysis of bypass techniques (SSH over 443, DNS tunneling)
- Balanced conclusion with industry best practices

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
💫 TO BE CONTINUED... Smoke Claude was cancelled! Our hero faces unexpected challenges...

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Test Coverage Report
Coverage Thresholds
The project has the following coverage thresholds configured:
Coverage report generated by `npm run test:coverage`
More specific name that accurately describes the content (port vs domain filtering for egress traffic). Avoids confusion with docs/security.md which covers vulnerability reporting policy. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
📰 DEVELOPING STORY: Smoke Copilot reports was cancelled. Our correspondents are investigating the incident...

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...
Smoke Test Results ✅ GitHub MCP - PRs: #190, #188 Status: PASS

Smoke Test Results - Claude ✅ GitHub MCP: #131, #141 Status: FAIL (Playwright connectivity issue)
Summary
Adds `docs/egress-filtering.md` explaining AWF's security model for network filtering, specifically addressing: "Why use port restrictions if they can be bypassed?"
Key points:
Literature Cited
Supporting domain allowlist as primary control:
Supporting port restrictions as defense-in-depth:
Test plan
🤖 Generated with Claude Code
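The layering argued for in the commit message and the PR summary (domain allowlist as the primary control, port restriction as defense-in-depth, with SSH-over-443 and DNS tunneling as the bypass cases) can be shown concretely with a small policy evaluator. The following is an added example, not AWF's code and not part of the PR; the policy contents, the wildcard and IP-literal matching rules, and the CONNECT request lines are constructed for illustration and are not a description of how AWF itself matches hosts.

```python
# Added example (not AWF's or the PR's own code): a minimal egress-policy
# evaluator showing why a domain allowlist is the primary control and a port
# restriction is only defense-in-depth.  Policy, matching semantics and the
# CONNECT requests are constructed assumptions for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressPolicy:
    # Exact hostnames, or "*.example.com" patterns matching subdomains only.
    allowed_domains: frozenset
    # Ports permitted even to an allowlisted host.
    allowed_ports: frozenset


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (IPv6 brackets stripped).  A name-based
    allowlist cannot vouch for a raw address, so these are denied outright."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_allowed(host: str, allowed_domains) -> bool:
    """Case-insensitive exact or wildcard match.  '*.example.com' matches
    'a.example.com' but not 'example.com' or 'evilexample.com' (the suffix
    keeps its leading dot, so there is a label boundary)."""
    host = host.rstrip(".").lower()
    for pattern in allowed_domains:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def evaluate(policy: EgressPolicy, host: str, port: int):
    """Return (allowed, reason).  The domain check runs first; the port check
    only narrows what an already-allowlisted host may be reached on."""
    if is_ip_literal(host):
        return False, "ip literal bypasses the domain allowlist; denied"
    if not domain_allowed(host, policy.allowed_domains):
        return False, "domain not on allowlist"
    if port not in policy.allowed_ports:
        return False, f"port {port} not permitted for allowlisted host"
    return True, "allowed"


def parse_connect(line: str):
    """Parse 'CONNECT host:port HTTP/1.1' into (host, port)."""
    method, target, _version = line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, port = target.rsplit(":", 1)
    return host, int(port)


POLICY = EgressPolicy(
    allowed_domains=frozenset({"api.github.com", "*.githubusercontent.com"}),
    allowed_ports=frozenset({443}),
)

# Constructed CONNECT lines a forward proxy might see from a sandboxed workflow.
SAMPLE_REQUESTS = [
    "CONNECT api.github.com:443 HTTP/1.1",             # legitimate
    "CONNECT raw.githubusercontent.com:443 HTTP/1.1",  # wildcard match
    "CONNECT api.github.com:22 HTTP/1.1",              # allowlisted host, wrong port
    "CONNECT c2.attacker.example:443 HTTP/1.1",        # SSH over 443: port passes, domain fails
    "CONNECT 203.0.113.10:53 HTTP/1.1",                # DNS tunnel to a raw resolver IP
    "CONNECT evilgithubusercontent.com:443 HTTP/1.1",  # suffix confusion, no label boundary
]


def evaluate_all(policy=POLICY, requests=SAMPLE_REQUESTS):
    """Return (line, layered_verdict, port_only_verdict, reason) per request.
    port_only_verdict is what a firewall that checks only the port would do."""
    results = []
    for line in requests:
        host, port = parse_connect(line)
        ok, why = evaluate(policy, host, port)
        port_only = port in policy.allowed_ports
        results.append((line, ok, port_only, why))
    return results


if __name__ == "__main__":
    for line, ok, port_only, why in evaluate_all():
        print(f"layered={'ALLOW' if ok else 'DENY ':5} port-only={'ALLOW' if port_only else 'DENY ':5} "
              f"{line:48} {why}")
```

Running it shows the asymmetry the document argues for: a port-only rule lets the SSH-over-443 and look-alike-domain requests through, while the domain allowlist stops them; the port rule earns its keep only on the one request to a legitimately allowlisted host on an unexpected port.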