Firewall to block all internet traffic except for domains I allow?

[geoffrey4444]

I'm interested in using apple containers as an isolated environment for running AI agents, such as Claude Code and OpenAI Codex CLI. The idea is to block most internet traffic, but to allow traffic to e.g. claude.ai servers, or openai servers, but nothing else.

Anthropic has a reference implementation of a container that sets up firewall rules to accomplish this, but they note that it requires --cap-add=NET_ADMIN and --cap-add=NET_RAW passed to docker run. But container run doesn't have these options.

I wonder if it's possible to accomplish this goal in a different way? Perhaps since in Apple containers each container gets its own IP address, there's a way to use that on the macOS side?

Any help would be most appreciated?

[camparker]

I'm interested in using apple containers as an isolated environment for running AI agents, such as Claude Code and OpenAI Codex CLI. The idea is to block most internet traffic, but to allow traffic to e.g. claude.ai servers, or openai servers, but nothing else.

Anthropic has a reference implementation of a container that sets up firewall rules to accomplish this, but they note that it requires --cap-add=NET_ADMIN and --cap-add=NET_RAW passed to docker run. But container run doesn't have these options.

I wonder if it's possible to accomplish this goal in a different way? Perhaps since in Apple containers each container gets its own IP address, there's a way to use that on the macOS side?

Any help would be most appreciated?

I really wish there was some feedback on this, as I am also looking to solve the same issue for myself.

[jglogan]

Have you just tried setting up a container with firewall rules? You might run into issues, but container is running your workload in a virtual machine running a vanilla Linux kernel. You can do anything in it to the extent that the virtual machine and hypervisor isolation allows you, further limited by the features available by the kernel compile configuration.

Docker has --cap-add for containers because multiple Linux containers (namespace/cgroup/pivot_root isolation) are sharing the same VM and kernel. With container, no other processes are sharing your workload, and for that reason there is no capability restriction.