Network Security: Firewall Rules and IP Allowlists
Lock down your OpenClaw agent's network access with firewall rules that control inbound and outbound traffic based on IP addresses and ports.
What You Will Get
By the end of this guide, your OpenClaw agent will have network-level security controls that restrict who can access it and what external services it can reach. IP allowlists ensure only authorized networks connect to your agent, and outbound rules prevent the agent from reaching unintended destinations.
Network security is a critical layer of defense. Even with strong authentication and encryption, unrestricted network access increases your attack surface. Firewall rules reduce this surface by blocking traffic that should never occur in the first place.
You will configure inbound IP allowlists, set up outbound connection rules, enable network monitoring, and test your rules thoroughly. The result is a network-hardened agent that only communicates with authorized parties.
Step-by-Step Setup
Follow these steps to configure network security.
Review Current Network Configuration
Open the Security tab and navigate to Network Security. The panel shows your current inbound and outbound rules, active connections, and any flagged traffic. Review the defaults to understand what is currently allowed and blocked.
Create an Inbound IP Allowlist
Add the IP addresses or CIDR ranges of networks that should access your agent's API endpoints. Common entries include your office network, your hosting provider's IPs, and any external services that send webhooks. All other inbound traffic will be blocked by default once the allowlist is active.
Configure Outbound Connection Rules
Define which external services your agent is allowed to connect to. List the domains or IP ranges for your model provider, external APIs, webhook destinations, and any other services the agent needs. Blocking outbound connections to unknown destinations prevents data exfiltration if the agent is compromised.
Set Up Port Restrictions
Restrict inbound and outbound traffic to only the necessary ports. Your agent typically needs port 443 for HTTPS traffic. Block all other ports unless a specific integration requires them. Document any non-standard port usage for your team's reference.
Enable Geographic Restrictions
If your users are in specific regions, enable geographic IP filtering to block traffic from regions where you have no users. This reduces noise from automated scanning and attack attempts originating from other geographic areas.
Test Your Rules
After configuring rules, test from both allowed and blocked IP addresses. Verify that allowed IPs can reach the agent and that blocked IPs receive a connection refused error. Also verify that the agent can reach all its configured external services through the outbound rules.
Monitor Network Traffic
Enable network traffic logging to see all connection attempts, both successful and blocked. Review the logs weekly to identify unauthorized access attempts, misconfigured rules, or new services that need to be added to the allowlist.
Tips and Best Practices
Start with Allow, Then Restrict
When first setting up network rules, enable logging without enforcement for a week. This shows you all the traffic patterns so you can create accurate rules before blocking anything. Flipping to enforce mode prematurely can break integrations.
Use CIDR Ranges Instead of Individual IPs
Group related IP addresses into CIDR ranges to keep your allowlist manageable. For example, if your office uses IPs from 10.0.0.1 to 10.0.0.254, use the CIDR range 10.0.0.0/24 instead of listing each IP individually.
Update Rules When Integrations Change
Whenever you add or remove an integration, update your network rules accordingly. Stale rules that allow access to decommissioned services or block access to new ones cause confusion and security gaps.
Document Every Rule
Add a description to each firewall rule explaining why it exists and who requested it. When auditing rules months later, these descriptions prevent you from accidentally removing a rule that is still needed.
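The evaluator below is an added example, not OpenClaw's own code. It models the controls described in the steps above and in these tips: a default-deny inbound CIDR allowlist, outbound destination rules, per-rule port restrictions, a log-only monitor mode that can later be switched to enforcement, and a description field on every rule. The rule layout, field names, hostnames and addresses are all assumptions or constructed sample values; the addresses use private and RFC 5737 documentation ranges so the sample traffic never refers to a real host.

```python
# Added example (not OpenClaw's own code): a minimal policy evaluator that
# models the inbound IP allowlist, outbound destination rules, port
# restrictions, log-only "monitor" mode and per-rule descriptions described
# in this guide. Rule layout, field names and all addresses are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str              # CIDR range ("10.0.0.0/24") or hostname ("api.example.com")
    ports: Tuple[int, ...]   # allowed ports; an empty tuple means any port
    description: str         # why the rule exists and who requested it
    network: Optional[object] = field(init=False, default=None)

    def __post_init__(self) -> None:
        try:
            # strict=True rejects host bits set (e.g. "10.0.0.1/24") so a typo
            # in a CIDR cannot silently turn into a never-matching hostname rule
            self.network = ipaddress.ip_network(self.target, strict=True)
        except ValueError:
            if "/" in self.target:
                raise ValueError(f"malformed CIDR in rule: {self.target!r}")
            self.network = None  # plain hostname, used for outbound rules

    def matches(self, target: str, port: int) -> bool:
        if self.ports and port not in self.ports:
            return False
        if self.network is not None:
            try:
                return ipaddress.ip_address(target) in self.network
            except ValueError:
                return False  # a hostname never matches a CIDR rule
        return self.target.lower() == target.lower()


@dataclass
class Decision:
    allowed: bool          # whether the connection proceeds
    rule: Optional[Rule]   # the rule that permitted it, if any
    log: str               # line written to the network traffic log


class NetworkPolicy:
    """Default-deny in both directions; enforce=False only logs what would be blocked."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule], enforce: bool) -> None:
        self.inbound, self.outbound, self.enforce = inbound, outbound, enforce

    def _evaluate(self, direction: str, rules: List[Rule], target: str, port: int) -> Decision:
        match = next((r for r in rules if r.matches(target, port)), None)
        if match is not None:
            return Decision(True, match, f"ALLOW {direction} {target}:{port} rule={match.description!r}")
        if self.enforce:
            return Decision(False, None, f"BLOCK {direction} {target}:{port} no matching rule")
        return Decision(True, None, f"WOULD_BLOCK {direction} {target}:{port} (monitor mode)")

    def check_inbound(self, src_ip: str, dst_port: int) -> Decision:
        return self._evaluate("inbound", self.inbound, src_ip, dst_port)

    def check_outbound(self, dst: str, dst_port: int) -> Decision:
        return self._evaluate("outbound", self.outbound, dst, dst_port)


def build_policy(enforce: bool) -> NetworkPolicy:
    # Constructed sample rules: a private office range plus RFC 5737 documentation ranges.
    inbound = [
        Rule("10.0.0.0/24", (443,), "office network, requested by IT"),
        Rule("203.0.113.0/24", (443,), "ticketing system webhook source"),
    ]
    outbound = [
        Rule("model.example.com", (443,), "model provider API"),
        Rule("198.51.100.0/24", (443,), "CRM webhook destinations"),
    ]
    return NetworkPolicy(inbound, outbound, enforce)


# Constructed connection attempts standing in for a week of logged traffic.
SAMPLE_ATTEMPTS = [
    ("inbound", "10.0.0.17", 443),           # office host on HTTPS
    ("inbound", "10.0.0.17", 22),            # office host, non-standard port
    ("inbound", "192.0.2.44", 443),          # source not on the allowlist
    ("outbound", "model.example.com", 443),  # configured model provider
    ("outbound", "198.51.100.9", 443),       # inside the CRM webhook range
    ("outbound", "paste.example.net", 443),  # unknown destination
]


def audit(policy: NetworkPolicy, attempts) -> List[str]:
    """Run logged attempts through the policy and return the resulting log lines."""
    lines = []
    for direction, target, port in attempts:
        check = policy.check_inbound if direction == "inbound" else policy.check_outbound
        lines.append(check(target, port).log)
    return lines


if __name__ == "__main__":
    for mode in (False, True):  # monitor first, then enforce, as the tips recommend
        print(f"--- enforce={mode}")
        for line in audit(build_policy(enforce=mode), SAMPLE_ATTEMPTS):
            print(line)
```

Running the script prints the same six attempts twice: in monitor mode every line begins with ALLOW or WOULD_BLOCK, which is the list you review for a week before flipping to enforcement; in enforce mode the WOULD_BLOCK lines become BLOCK. The port check runs before the address check, so an allowlisted office host still cannot reach a non-standard port, and a CIDR with host bits set is rejected when the rule is created rather than failing silently later.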