Firewall Rules
Configuring firewall rules is the most critical part of OpenClaw security hardening. The core principle is "deny by default and allow on demand". Only necessary ports are enabled, and all other ports are blocked.
The following configurations may affect external access. If external access is required, you are advised to use an allowlist mechanism to permit only necessary IP addresses or ports.
Procedure
- System firewall (UFW – Ubuntu/Debian)
sudo ufw allow from 127.0.0.1 to any port 18789 sudo ufw default deny incoming sudo ufw default deny forward sudo ufw enable
- iptables (Generic Linux)
- Set the default policy to discard all inbound and forwarded traffic and allow only outbound traffic.
sudo iptables -P INPUT DROP sudo iptables -P FORWARD DROP sudo iptables -P OUTPUT ACCEPT
- Allow local loop back traffic.
sudo iptables -A INPUT -i lo -j ACCEPT
- Save the rules (Ubuntu/Debian).
sudo apt install iptables-persistent -y sudo netfilter-persistent save
- Set the default policy to discard all inbound and forwarded traffic and allow only outbound traffic.
Parent topic: Manual Configuration Items