VM0VM0
Experimental

Network Firewall

Control agent network egress with domain and IP-based rules

This is an experimental feature. The configuration and behavior may change in future releases.

The network firewall controls outbound network traffic from your agent sandbox. It protects against prompt injection attacks and data exfiltration by allowing you to specify exactly which domains and IP addresses your agent can access.

Prerequisites

Network firewall requires the VM0 production runner. Add experimental_runner with group: vm0/production to your configuration before enabling the firewall.

Quick Start

Enable the firewall with a simple allowlist:

vm0.yaml
version: "1.0"

agents:
  my-agent:
    framework: claude-code
    experimental_runner: 
      group: vm0/production
    experimental_firewall: 
      enabled: true
      rules: 
        - domain: "*.github.com"
          action: ALLOW
        - final: DENY
    environment:
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}

Configuration Fields

FieldTypeRequiredDefaultDescription
enabledbooleanYes-Enable network firewall
rulesarrayNo[]List of firewall rules
experimental_mitmbooleanNofalseEnable HTTPS traffic inspection
experimental_seal_secretsbooleanNofalseEncrypt secrets (requires MITM)

Rule Types

Domain Rules

Match traffic by domain name:

rules:
  - domain: "api.github.com"
    action: ALLOW

Matching behavior:

  • Exact match: api.github.com matches only api.github.com
  • Wildcard: *.github.com matches api.github.com, raw.github.com, and also github.com itself
  • Case-insensitive: GitHub.com matches github.com

IP Rules

Match traffic by IP address or CIDR range:

rules:
  - ip: "192.168.1.100"
    action: ALLOW
  - ip: "10.0.0.0/8"
    action: DENY

Supported formats:

  • Single IP: 1.2.3.4
  • CIDR ranges: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12

Terminal Rules

Set a default action for unmatched traffic:

rules:
  - domain: "*.allowed.com"
    action: ALLOW
  - final: DENY  # Block everything else

The final rule stops evaluation and returns the specified action.

Rule Evaluation

Rules are evaluated top to bottom with first-match-wins semantics:

  1. Each outgoing connection is checked against rules in order
  2. The first matching rule determines the action (ALLOW or DENY)
  3. If no rule matches, traffic is denied by default (zero-trust)

The platform automatically allows essential domains (*.vm0.ai, *.cloudflarestorage.com, and your model provider) before your rules are evaluated.

Auto-Injected Rules

The following domains are automatically allowed to ensure agent functionality:

DomainPurpose
*.vm0.aiVM0 platform communication
*.cloudflarestorage.comVolume and artifact storage
*.anthropic.comClaude API (for claude-code provider)
*.openai.comOpenAI API (for codex provider)

These rules are prepended to your custom rules and cannot be overridden.

Operating Modes

SNI-Only Mode (Default)

The default mode filters traffic at the TLS handshake using Server Name Indication (SNI):

experimental_firewall:
  enabled: true
  # experimental_mitm: false (default)

Characteristics:

  • Filters based on hostname in TLS ClientHello
  • No decryption of HTTPS traffic
  • Blocked connections fail with TLS certificate error
  • Lower overhead, simpler setup

MITM Mode

Enable full HTTPS inspection for detailed logging and control:

experimental_firewall:
  enabled: true
  experimental_mitm: true

Characteristics:

  • Decrypts and inspects all HTTPS traffic
  • Blocked requests return HTTP 403 with "Blocked by firewall"
  • Detailed network logs include URL, method, status, latency
  • Higher overhead, requires CA certificate trust

Secret Sealing

Encrypt environment secrets to prevent exfiltration:

experimental_firewall:
  enabled: true
  experimental_mitm: true
  experimental_seal_secrets: true

Secret sealing requires MITM mode to be enabled.

Viewing Network Logs

View firewall activity using the CLI:

vm0 logs <runId> --network

Options:

  • --tail N - Show last N entries (default: 5, max: 100)
  • --head N - Show first N entries
  • --since TIME - Filter by time (e.g., 5m, 2h, 2024-01-15T10:30:00Z)

SNI mode output:

[2024-01-15T10:30:00] SNI ALLOW api.github.com:443 domain:*.github.com
[2024-01-15T10:30:01] SNI DENY evil.com:443 final:DENY

MITM mode output:

[2024-01-15T10:30:00] GET    200 150ms 2.3KB/45KB https://api.github.com/repos
[2024-01-15T10:30:01] POST   403 5ms   1.2KB/0B   https://evil.com/exfil (BLOCKED)

Example Configurations

Allowlist Pattern

Only allow specific domains, deny everything else:

vm0.yaml
experimental_firewall:
  enabled: true
  rules:
    - domain: "*.github.com"
      action: ALLOW
    - domain: "*.npmjs.org"
      action: ALLOW
    - domain: "registry.npmjs.org"
      action: ALLOW
    - final: DENY

Blocklist Pattern

Block specific networks, allow everything else:

vm0.yaml
experimental_firewall:
  enabled: true
  rules:
    - ip: "10.0.0.0/8"
      action: DENY
    - ip: "192.168.0.0/16"
      action: DENY
    - ip: "172.16.0.0/12"
      action: DENY
    - final: ALLOW

Corporate Environment

Block internal networks and allow only approved external services:

vm0.yaml
experimental_firewall:
  enabled: true
  experimental_mitm: true
  rules:
    # Block internal networks
    - ip: "10.0.0.0/8"
      action: DENY
    - ip: "192.168.0.0/16"
      action: DENY
    # Allow approved services
    - domain: "*.github.com"
      action: ALLOW
    - domain: "*.githubusercontent.com"
      action: ALLOW
    - domain: "*.npmjs.org"
      action: ALLOW
    - domain: "*.pypi.org"
      action: ALLOW
    # Deny everything else
    - final: DENY

Frequently Asked Questions

Codex

Use OpenAI's Codex as your agent framework