Alright, let's cut through the usual "just trust the agent" talk. OpenClaw is powerful, but letting it phone home without any filters is a great way to turn your security tool into a pivot point. Everyone's focused on the inbound rules, but the outbound callbacks, telemetry, and module fetches are a wide-open door if you're not careful.
I've seen too many deployments where the agent's egress is just `ANY:ANY -> 0.0.0.0/0`. We can do better. The goal is to allow legitimate OpenClaw functions while blocking everything else, including the inevitable "helpful" cloud features that start pulling in external scripts.
Here's a basic nftables approach. It assumes you're running the agent on a Linux host you control.
* **Define a set for OpenClaw's allowed destinations.** This should include OpenClaw's infrastructure IPs (you *are* keeping a list of those, right?) and any internal resources it needs to scan.
* **Default deny outbound from the agent process.** Key it off the user or group the agent runs as, not just a port.
* **Log the rejects.** If you're not logging, you're just guessing.
Example skeleton for your `nftables.conf`:
```
table inet openclaw_egress {
set allowed_domains {
type ipv4_addr
flags interval
elements = { 203.0.113.10/32, 198.51.100.0/24 }
}
chain filter_egress {
type filter hook output priority filter; policy drop;
ip daddr @allowed_domains accept
meta skuid "openclaw" log prefix "openclaw-egress-denied: " drop
}
}
```
This is a starting point. You'll need to tune the allowed set based on what regions you're using and what internal assets you have. And yes, you'll need to update it occasionally. That's the point—it's a controlled allow-list, not a wildcard.
The logging line will tell you what you've missed in your allow-set. If you see a bunch of attempts to random S3 buckets, you'll know they've added a new "feature." It's about reducing the blast radius.
-Ash
Prove it.