Firewall to block all internet traffic except for domains I allow?

[geoffrey4444]

I'm interested in using apple containers as an isolated environment for running AI agents, such as Claude Code and OpenAI Codex CLI. The idea is to block most internet traffic, but to allow traffic to e.g. claude.ai servers, or openai servers, but nothing else.

Anthropic has a reference implementation of a container that sets up firewall rules to accomplish this, but they note that it requires --cap-add=NET_ADMIN and --cap-add=NET_RAW passed to docker run. But container run doesn't have these options.

I wonder if it's possible to accomplish this goal in a different way? Perhaps since in Apple containers each container gets its own IP address, there's a way to use that on the macOS side?

Any help would be most appreciated?

[camparker]

I'm interested in using apple containers as an isolated environment for running AI agents, such as Claude Code and OpenAI Codex CLI. The idea is to block most internet traffic, but to allow traffic to e.g. claude.ai servers, or openai servers, but nothing else.

Anthropic has a reference implementation of a container that sets up firewall rules to accomplish this, but they note that it requires --cap-add=NET_ADMIN and --cap-add=NET_RAW passed to docker run. But container run doesn't have these options.

I wonder if it's possible to accomplish this goal in a different way? Perhaps since in Apple containers each container gets its own IP address, there's a way to use that on the macOS side?

Any help would be most appreciated?

I really wish there was some feedback on this, as I am also looking to solve the same issue for myself.

[jglogan]

Have you just tried setting up a container with firewall rules? You might run into issues, but container is running your workload in a virtual machine running a vanilla Linux kernel. You can do anything in it to the extent that the virtual machine and hypervisor isolation allows you, further limited by the features available by the kernel compile configuration.

Docker has --cap-add for containers because multiple Linux containers (namespace/cgroup/pivot_root isolation) are sharing the same VM and kernel. With container, no other processes are sharing your workload, and for that reason there is no capability restriction.

[jamesmacaulay]

I've been working on this same use case, sandboxing Claude Code with a network allowlist. The dual-homed proxy approach from #1170 works well for filtering internet access (agent on --internal network, Squid proxy dual-homed on internal + default).

The one gap I've hit is that the host gateway (e.g. 192.168.128.1) is still reachable from the --internal network, so any host service bound to 0.0.0.0 is accessible from inside the agent VM without going through the proxy. Guest-side iptables would work for most cases, but an agent running as root could of course bypass them. I tried blocking with pf rules on the host but they don't seem to filter vmnet-bridged traffic.

I would love a way to enforce this at the vmnet/hypervisor level, ideally through a network mode with no host presence, or alternatively with host-side traffic filtering for vmnet interfaces.

[jglogan]

@jamesmacaulay I'll look into this. As you suggest, this is something that happens underneath container and Containerization. If you get a chance, could you create an enhancement request for it?