Clawker runs every agent in an isolated Docker container with a default-on network firewall. This guide explains the container security controls and how to customize them.
Network Firewall
The firewall is deny-by-default. When enabled, it blocks all outbound traffic — DNS queries for unlisted domains return NXDOMAIN, and TLS connections to unlisted destinations are reset. Only domains you explicitly allowlist are reachable.
This is intentional. The hardcoded allowlist is kept to the bare minimum required for Claude Code itself to function. Everything else — including GitHub, npm, PyPI, or any other service your project needs — must be explicitly configured by you.
See the Firewall guide for the full architecture, configuration, CLI commands, and troubleshooting.
Hardcoded Allowed Domains
These are the only domains allowed by default — they are required for Claude Code to function (API access, OAuth, telemetry):
| Domain | Purpose |
|---|---|
| api.anthropic.com | Claude API |
| platform.claude.com | OAuth token exchange |
| claude.ai | OAuth authorization |
| sentry.io | Error tracking |
| statsig.anthropic.com | Feature flags |
| statsig.com | Feature flags |
GitHub, npm, PyPI, and all other services are NOT hardcoded. The generated clawker.yaml template includes github.com and api.github.com as a convenience starting point, but these are project-level config entries — not system defaults. If you remove them from your config or start from scratch, GitHub will be blocked.

You must explicitly add every domain your agent needs to reach via add_domains in your .clawker.yaml or clawker firewall add <domain> at runtime. See Firewall Configuration for details.
Disabling the Firewall
The global firewall toggle lives in settings.yaml (not the project config):
```yaml
# ~/.config/clawker/settings.yaml
firewall:
  enable: false
```
Disabling the firewall removes all outbound network restrictions. The agent can reach any endpoint on the internet. Only do this in trusted environments where you accept the risk of unrestricted egress.
Agent Awareness Prompt
Every Clawker container image includes an agent prompt file at /etc/claude-code/CLAUDE.md. This file is automatically loaded by Claude Code and gives the agent awareness of its containerized environment:
- What it can and cannot do (filesystem, network, Docker)
- How to diagnose firewall blocks (NXDOMAIN, connection resets, certificate errors)
- What clawker firewall commands the user can run on the host to unblock domains
- Environment variables available for troubleshooting (CLAWKER_PROJECT, CLAWKER_AGENT, CLAWKER_FIREWALL_ENABLED, etc.)
This means when the agent hits a blocked domain, it can explain the problem and suggest the right clawker firewall add command — without the user needing to know the details.
Docker Socket
By default, the Docker socket is not mounted into containers:
```yaml
security:
  docker_socket: false
```
Enabling docker_socket: true mounts /var/run/docker.sock read-write into the container. This gives the agent full control over your Docker daemon — it can create, modify, and delete any container, image, or volume on your host. Only enable this if your workflow genuinely requires Docker-in-Docker.
Linux Capabilities
The cap_add field adds Linux capabilities to the container. The defaults are required for the firewall:
```yaml
security:
  cap_add:
    - "NET_ADMIN" # Required for iptables DNAT rules (traffic redirection to firewall proxy)
    - "NET_RAW"   # Required for raw socket operations
```
If you disable the firewall, you can remove these capabilities for a more locked-down container. If you need additional capabilities for your workflow, add them here.
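The following is an added example, not part of Clawker or its documentation: a small audit that checks the firewall toggle, docker_socket, and cap_add settings described above against the defaults this page states. The function name `audit` and the sample configs are hypothetical; it assumes the YAML files are already parsed into dicts and that the cap_add list is the container's full effective set.

```python
# Added example: audits the security-relevant keys described on this page.
# Inputs are already-parsed YAML (plain dicts); loading the files is up to the caller.

FIREWALL_CAPS = {"NET_ADMIN", "NET_RAW"}  # defaults the page says the firewall needs


def audit(project_cfg, settings):
    """Return a list of (severity, message) findings for one project."""
    findings = []
    sec = project_cfg.get("security") or {}
    # Page defaults: firewall on, docker_socket off, cap_add = firewall caps.
    fw_on = (settings.get("firewall") or {}).get("enable", True)
    raw_caps = sec.get("cap_add")
    # Assumption: when cap_add is present, it is the full effective list.
    caps = set(FIREWALL_CAPS if raw_caps is None else raw_caps)

    if sec.get("docker_socket", False):
        findings.append(("high", "docker_socket: true gives the agent full control of the host Docker daemon"))
    if not fw_on:
        findings.append(("high", "firewall disabled: unrestricted outbound egress"))
        leftover = sorted(caps & FIREWALL_CAPS)
        if leftover:
            findings.append(("low", "firewall is off; cap_add can drop " + ", ".join(leftover)))
    else:
        missing = sorted(FIREWALL_CAPS - caps)
        if missing:
            findings.append(("medium", "firewall is on but cap_add lacks " + ", ".join(missing)))
    extra = sorted(caps - FIREWALL_CAPS)
    if extra:
        findings.append(("medium", "extra capabilities to justify: " + ", ".join(extra)))
    return findings


# Constructed sample configs (not from a real project).
RISKY_PROJECT = {"security": {"docker_socket": True,
                              "cap_add": ["NET_ADMIN", "NET_RAW", "SYS_PTRACE"]}}
FIREWALL_OFF = {"firewall": {"enable": False}}
DEFAULTS = ({"security": {"docker_socket": False}}, {})

if __name__ == "__main__":
    for sev, msg in audit(RISKY_PROJECT, FIREWALL_OFF):
        print(f"[{sev}] {msg}")
```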
Host Proxy
The host proxy is a lightweight daemon that runs on your host machine and forwards credentials into containers. It’s enabled by default:
```yaml
security:
  enable_host_proxy: true
```
The host proxy is required for Git HTTPS credential forwarding and browser-based OAuth flows (e.g., gh auth login). See the Credential Forwarding guide for details.
Troubleshooting
For firewall troubleshooting, see the Firewall guide.