How to Set Up Firewall Rules for OpenClaw
Firewall rules are your first line of defense against unauthorized access. By default, many systems have permissive firewall policies that expose services to the internet. This guide shows you how to configure host-based firewalls (ufw on Linux, pf on macOS) to lock down OpenClaw, allow only necessary ports, restrict access by source IP, and handle Docker's network routing quirks that can bypass your firewall.
Why This Is Hard to Do Yourself
These are the common pitfalls that trip people up.
Too many open ports
Default installs often leave unnecessary ports exposed, creating attack surface.
Docker bypasses firewalls
Docker manipulates iptables directly, potentially bypassing ufw rules unless configured correctly.
Public vs private IPs
Misconfigured firewalls block internal traffic or expose services to the wrong network.
OS differences
Linux uses ufw/iptables, macOS uses pf, and Windows uses Windows Firewall, each with different syntax.
Step-by-Step Guide
Audit currently open ports
See what's exposed before making changes.
# On Linux:
sudo ss -tuln
# On macOS:
sudo lsof -iTCP -sTCP:LISTEN -n -P
# From a host on an external network, scan your public IP:
nmap -sT your-public-ip

Warning: If nmap shows unexpected open ports (3000, 8080, 5432), your firewall is misconfigured or disabled. Fix this immediately.
Configure ufw (Ubuntu/Debian)
Set up uncomplicated firewall with default-deny policy.
# Default: deny all incoming, allow outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling the firewall (so you don't lock yourself out)
sudo ufw allow 22/tcp
# If a reverse proxy fronts OpenClaw, expose only HTTPS (not port 3000)
sudo ufw allow 443/tcp
# Enable ufw; the rules above take effect now
sudo ufw enable
# Check status
sudo ufw status verbose

Restrict OpenClaw port by source IP
Allow port 3000 only from specific IPs or networks.
# Allow from Tailscale network only:
sudo ufw allow from 100.64.0.0/10 to any port 3000 proto tcp
# Allow from specific IP:
sudo ufw allow from 203.0.113.5 to any port 3000 proto tcp
# Allow from internal network:
sudo ufw allow from 192.168.1.0/24 to any port 3000 proto tcp

Configure firewall for Docker
Prevent Docker from bypassing ufw.
# Append this block to the END of /etc/ufw/after.rules, after its final
# COMMIT line, as a separate filter section. eth0 is assumed to be the
# public interface; substitute yours (check with: ip route show default).
*filter
:DOCKER-USER - [0:0]
# Packets of already-accepted connections (e.g. replies to container
# outbound traffic) pass; an unconditional DROP here would cut container egress
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
# Traffic arriving over Tailscale continues on to Docker's own rules
-A DOCKER-USER -i tailscale0 -j RETURN
# New connections arriving on the public interface never reach a container
-A DOCKER-USER -i eth0 -j DROP
# Everything else (docker0, lo, ...) continues on to Docker's own rules
-A DOCKER-USER -j RETURN
COMMIT
# Reload ufw:
sudo ufw reload
# Restart Docker so it re-creates its chains and the jump into DOCKER-USER:
sudo systemctl restart docker

Warning: Docker modifies iptables directly. Without DOCKER-USER chain rules, your ufw rules will be bypassed for published container ports.
Test firewall rules
Verify that unwanted traffic is blocked.
# From a host on an external network (should time out or be refused):
curl --max-time 5 http://your-public-ip:3000
# From an allowed IP/network, e.g. over Tailscale (should succeed):
curl http://your-tailscale-ip:3000
# Watch the firewall log while testing:
sudo tail -f /var/log/ufw.log

Set up logging and monitoring
Track blocked connection attempts.
# Enable ufw logging:
sudo ufw logging on
# Monitor blocked attempts:
sudo tail -f /var/log/ufw.log | grep BLOCK
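The "custom script" route for alerting on repeated blocks, as an added example rather than the guide's own code: it reads ufw log lines from stdin, counts [UFW BLOCK] entries per source address and per destination port, and reports sources that cross a threshold. The log lines embedded in SAMPLE_LOG are constructed samples in ufw's kernel-log format, and the default threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Summarise [UFW BLOCK] entries so repeated probes stand out.
# Reads log lines (e.g. /var/log/ufw.log) from stdin; nothing here
# touches the firewall itself. Threshold defaults to 3 (arbitrary).

# Print "count source" for every source whose blocked-connection count
# reaches the threshold ($1), busiest first.
noisy_sources() {
    awk -v min="${1:-3}" '
        /\[UFW BLOCK\]/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") count[src]++
        }
        END { for (s in count) if (count[s] >= min) print count[s], s }
    ' | sort -k1,1nr -k2,2n
}

# Print "count port" for the destination ports being probed, busiest first.
blocked_ports() {
    awk '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) count[substr($i, 5)]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample in ufw's log format (not captured from a real host):
# one source probing 3000/8080/5432, one single SSH probe, one allowed line.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 12:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=3000 SYN
Mar 10 12:00:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=3000 SYN
Mar 10 12:00:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=8080 SYN
Mar 10 12:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51237 DPT=5432 SYN
Mar 10 12:00:05 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 10 12:00:06 host kernel: [UFW ALLOW] IN=tailscale0 OUT= SRC=100.101.102.103 DST=100.64.0.9 PROTO=TCP SPT=50000 DPT=3000 SYN
EOF
)

# Demo: run both reports over the sample (pipe a real log in instead).
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3    # prints: 4 198.51.100.23
printf '%s\n' "$SAMPLE_LOG" | blocked_ports
```

A cron job or systemd timer that pipes the last hour of the log through noisy_sources and mails non-empty output is enough for basic alerting; fail2ban does the same with ban actions built in.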
# Set up alerts for repeated blocks (use fail2ban or custom script)

Firewall Rules Are Error-Prone
One wrong rule and you're either locked out or wide open. We configure production-grade firewall policies with logging, monitoring, and failsafes, tested and verified.