This page explains what the Firewall Hardening Toolkit does, how the Windows 11, macOS, and Ubuntu assistants
work together, and how to use the generated scripts safely on systems you manage. It is a companion to the main
toolkit page that lists each firewall baseline card. :contentReference[oaicite:0]{index=0}
Overview
What the Firewall Hardening Toolkit actually builds
The Firewall Hardening Toolkit brings three host firewall assistants into one place. Each assistant
generates a script that applies a clear, repeatable baseline for a specific platform.
You choose Windows 11, macOS, or Ubuntu. The toolkit then opens a matching assistant that builds a script
tailored to that platform’s native firewall:
Windows 11: PowerShell script for Windows Defender Firewall.
macOS: bash script for the built in Application Firewall using socketfilterfw.
Ubuntu: bash script for UFW, the uncomplicated firewall front end to iptables.
In every case, the focus stays on host firewall controls at the operating system boundary.
The toolkit does not change your router, cloud security groups, or hardware firewalls.
Desktop firewall baselinesWindows 11 · macOS · UbuntuBackup and rollback awareLocal only, no telemetry
Audience
Who this toolkit is for (and where to be careful)
This toolkit is designed for people who want stronger, default-deny style firewall behavior on systems
they own or are allowed to manage, without building every rule or command from scratch.
Good fit
Home users hardening laptops, desktops, or home lab VMs.
Independent professionals managing a handful of workstations themselves.
Small business owners securing a small fleet without full blown central management.
Security minded users who want readable scripts they can version control and refine.
Use with caution
Corporate or school devices already governed by GPO, MDM, or other baselines.
Production servers with complex firewall rules and formal change-control processes.
Shared machines where other people rely on inbound services such as file sharing or remote access.
Never bypass organizational policies, device management profiles, or firewall change
boards with these scripts. Treat this toolkit as a helper for systems you are responsible for and
explicitly allowed to configure.
How it works
How the firewall assistants generate and apply their scripts
The Firewall Hardening Toolkit runs entirely in your browser. When you follow a card into one of the
assistants and click a button such as Generate script, the tool assembles its output
locally in the page. You can copy, download, or review the script before running anything.
Windows 11 firewall assistant
Generates a PowerShell script for Windows Defender Firewall that enforces a stricter inbound posture
and can preserve more permissive outbound defaults if you choose.
Typically saves as something like firewall-baseline-win11.ps1.
You run it from an elevated PowerShell window and use commands such as
.\firewall-baseline-win11.ps1 apply
to create a backup and apply the baseline.
When you need to undo changes created by the script, you use
.\firewall-baseline-win11.ps1 rollback
to restore the most recent backup the script created.
The assistant does not override Group Policy or MDM rules. If those are present, they may win over the
settings in the script.
macOS and Ubuntu firewall assistants
The macOS assistant generates a bash script such as
macos_firewall_stig.sh that uses socketfilterfw to enable the Application
Firewall, set a default deny inbound posture, toggle stealth mode, and control logging.
You typically mark it executable with
chmod +x macos_firewall_stig.sh
and apply the baseline with
sudo ./macos_firewall_stig.sh apply. Rollback uses
sudo ./macos_firewall_stig.sh rollback.
The Ubuntu assistant generates a bash script such as
firewall-baseline-ubuntu.sh that sets UFW to deny incoming, allow outgoing, and
optionally add rules for SSH, HTTP/HTTPS, Samba, or VNC.
You mark it executable with
chmod +x firewall-baseline-ubuntu.sh, then run
sudo ./firewall-baseline-ubuntu.sh apply
to create a backup and apply the baseline and
sudo ./firewall-baseline-ubuntu.sh rollback
to restore the latest backup.
On both macOS and Ubuntu, rollback routines only affect the firewall configuration they backed up.
They do not modify unrelated system settings, router rules, or cloud firewalls.
Across all three platforms, the intent is the same. The toolkit helps you move from one time changes in
graphical interfaces toward documented, scriptable baselines. You stay in control of when, where, and how
those baselines are applied.
Next steps
Open the toolkit or print these notes
When you are ready, open the Firewall Hardening Toolkit, choose your platform, and start with a non critical
system. Use this about page as a reference while you review each script and decide how strict you want your
firewall posture to be.
This tool includes a curated subset of DISA STIG controls selected for real world use
by home users, entrepreneurs, digital nomads, and small businesses. It is not a full STIG implementation
but a practical baseline designed to reduce your attack surface.
Important notice & Legal disclaimer
This Firewall Hardening Toolkit and its companion pages run entirely in your browser. Your selections and
the generated scripts are not sent to CyberLife Coach, to operating system vendors, or to any third party.
The output is a generic starting point for host firewall security controls and is provided for educational
and informational use only. It is not a substitute for professional advice and does not guarantee compliance
with any standard or policy.
Always test in a safe environment, verify every line, and ensure you have reliable backups before making
changes. Do not apply these settings to employer or school managed devices without explicit approval, and do
not bypass existing GPOs, MDM profiles, configuration profiles, or enterprise change control processes.
No warranty or guaranteesLocal only, no data leaves this device