๐Ÿ›ก๏ธSecurity & Hardening

How to Set Up Firewall Rules for OpenClaw

Intermediate | 30-60 minutes | Updated 2025-01-10

Firewall rules are your first line of defense against unauthorized access. By default, many systems have permissive firewall policies that expose services to the internet. This guide shows you how to configure host-based firewalls (ufw on Linux, pf on macOS) to lock down OpenClaw, allow only necessary ports, restrict access by source IP, and handle Docker's network routing quirks that can bypass your firewall.

Why This Is Hard to Do Yourself

These are the common pitfalls that trip people up.

Too many open ports

Default installs often leave unnecessary ports exposed, creating attack surface.

๐Ÿณ

Docker bypasses firewalls

Docker manipulates iptables directly, potentially bypassing ufw rules unless configured correctly.

Public vs private IPs

Misconfigured firewalls block internal traffic or expose services to the wrong network.

OS differences

Linux uses ufw/iptables, macOS uses pf, and Windows uses Windows Firewall, each with different syntax.

Step-by-Step Guide

Step 1

Audit currently open ports

See what's exposed before making changes.

Warning: If nmap shows unexpected open ports (3000, 8080, 5432), your firewall is misconfigured or disabled. Fix this immediately.

Step 2

Configure ufw (Ubuntu/Debian)

Set up ufw (Uncomplicated Firewall) with a default-deny policy.

Step 3

Restrict OpenClaw port by source IP

Allow port 3000 only from specific IPs or networks.

Step 4

Configure firewall for Docker

Prevent Docker from bypassing ufw.

Warning: Docker modifies iptables directly. Without DOCKER-USER chain rules, your ufw rules will be bypassed for published container ports.

Step 5

Test firewall rules

Verify that unwanted traffic is blocked.

Step 6

Set up logging and monitoring

Track blocked connection attempts.
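
An added example, not code from the original guide: a dry-run-by-default script that emits the ufw and DOCKER-USER rules that Steps 2 to 4 and 6 describe, in the order they must be applied. The trusted source 203.0.113.0/24, SSH on 22/tcp, the interface name eth0 and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the guide's own script. Dry-run unless APPLY=1.
# Assumptions: SSH on 22/tcp, external interface eth0, IPv4 sources only.
OPENCLAW_PORT=3000   # port the guide restricts in Step 3

# Accept a dotted-quad IPv4 address with an optional /1-32 prefix.
# /0 is rejected so "any source" can never be allowed by accident.
valid_source() {
  case $1 in
    */*) vs_ip=${1%/*}; vs_len=${1#*/} ;;
    *)   vs_ip=$1; vs_len=32 ;;
  esac
  case $vs_len in ''|*[!0-9]*) return 1 ;; esac
  [ "$vs_len" -ge 1 ] && [ "$vs_len" -le 32 ] || return 1
  case $vs_ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  vs_ifs=$IFS; IFS=.; set -- $vs_ip; IFS=$vs_ifs
  [ $# -eq 4 ] || return 1
  for vs_o in "$@"; do [ "$vs_o" -le 255 ] || return 1; done
}

# Print the commands in the order they must run. SSH is allowed before
# "ufw enable" so the default-deny policy does not cut off a remote session.
fw_plan() {
  src=$1; iface=${2:-eth0}
  valid_source "$src" || { echo "invalid source: $src" >&2; return 2; }
  case $iface in ''|*[!A-Za-z0-9._-]*) echo "invalid interface" >&2; return 2 ;; esac
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp
ufw allow from $src to any port $OPENCLAW_PORT proto tcp
ufw logging on
ufw --force enable
iptables -I DOCKER-USER -i $iface -p tcp -m conntrack --ctorigdstport $OPENCLAW_PORT --ctdir ORIGINAL ! -s $src -j DROP
EOF
}

# With APPLY=1 (as root) run each command and stop at the first failure;
# otherwise only print what would run.
fw_apply() {
  plan=$(fw_plan "$@") || return $?
  printf '%s\n' "$plan" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then $cmd || exit 1; else echo "DRY-RUN: $cmd"; fi
  done
}

# Usage: sh openclaw-fw.sh 203.0.113.0/24 [iface]
if [ $# -gt 0 ]; then fw_apply "$@"; fi
```

The `iptables` rule matches the original (pre-DNAT) destination port, so it covers a container published on port 3000. It is not saved across reboots and fails if the `DOCKER-USER` chain does not exist, so persist it with your distribution's mechanism once verified.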

Frequently Asked Questions