fix: Relax inbound firewall and add tamper protection

stranma · stranma · commit 5ef9084989b6 · 2026-03-15T16:08:33.000+01:00
diff --git a/.claude/hooks/devcontainer-policy-blocker.sh b/.claude/hooks/devcontainer-policy-blocker.sh
@@ -102,6 +102,21 @@ for pattern in "${BLOCKED_DOCKER_ESCAPE[@]}"; do
     fi
 done
 
+# --- Firewall tampering (all tiers) ---
+BLOCKED_FIREWALL=(
+    'iptables '
+    'ip6tables '
+    'ipset '
+    'nft '
+    'init-firewall'
+)
+
+for pattern in "${BLOCKED_FIREWALL[@]}"; do
+    if echo "$COMMAND" | grep -qiF "$pattern"; then
+        block "Blocked by devcontainer-policy-blocker: firewall commands are not allowed. The network firewall is a security boundary."
+    fi
+done
+
 # --- GitHub shared state mutations (tiers 0/1/2 only, allowed in tier 3) ---
 if [ "$TIER" != "3" ]; then
     BLOCKED_GH_MUTATIONS=(
diff --git a/.claude/hooks/firewall-edit-blocker.sh b/.claude/hooks/firewall-edit-blocker.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# PreToolUse hook: Blocks edits to firewall and sudoers files inside devcontainers.
+# The network firewall is a security boundary -- Claude must not weaken it by
+# modifying init-firewall.sh or sudoers configuration.
+# Only active when DEVCONTAINER=true (no-op on bare metal).
+# Exit 2 = block the action, Exit 0 = allow.
+# Requires jq for JSON parsing; degrades gracefully if missing.
+
+if ! command -v jq &>/dev/null; then
+    echo "WARNING: jq not found, firewall-edit-blocker hook disabled" >&2
+    exit 0
+fi
+
+# Only enforce inside devcontainers
+if [ "$DEVCONTAINER" != "true" ]; then
+    exit 0
+fi
+
+INPUT=$(cat)
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
+
+if [ "$TOOL_NAME" != "Edit" ] && [ "$TOOL_NAME" != "Write" ]; then
+    exit 0
+fi
+
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+
+if [ -z "$FILE_PATH" ]; then
+    exit 0
+fi
+
+# Block edits to firewall script
+if echo "$FILE_PATH" | grep -qF "init-firewall.sh"; then
+    jq -n '{"decision":"block","reason":"Blocked by firewall-edit-blocker: editing init-firewall.sh is not allowed. The network firewall is a security boundary."}'
+    exit 2
+fi
+
+# Block edits to sudoers files
+if echo "$FILE_PATH" | grep -qF "sudoers"; then
+    jq -n '{"decision":"block","reason":"Blocked by firewall-edit-blocker: editing sudoers files is not allowed. Sudo permissions are a security boundary."}'
+    exit 2
+fi
+
+exit 0
diff --git a/.claude/settings.json b/.claude/settings.json
@@ -31,7 +31,9 @@
     "deny": [
       "Bash(gh secret *)", "Bash(gh auth *)", "Bash(gh ssh-key *)", "Bash(gh gpg-key *)",
       "Bash(git clean *)", "Bash(git config *)",
-      "Bash(uv self *)"
+      "Bash(uv self *)",
+      "Bash(*iptables *)", "Bash(*ip6tables *)", "Bash(*ipset *)",
+      "Bash(*nft *)", "Bash(*init-firewall*)"
     ],
     "ask": [
       "Bash(python *)", "Bash(uv run python *)",
@@ -55,7 +57,10 @@
       },
       {
         "matcher": "Edit|Write",
-        "hooks": [{"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"}]
+        "hooks": [
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"},
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/firewall-edit-blocker.sh"}
+        ]
       }
     ],
     "PostToolUse": [
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -47,7 +47,8 @@
   "containerEnv": {
     "CLAUDE_CONFIG_DIR": "/home/vscode/.claude",
     "POWERLEVEL9K_DISABLE_GITSTATUS": "true",
-    "PERMISSION_TIER": "${localEnv:PERMISSION_TIER:2}"
+    "PERMISSION_TIER": "${localEnv:PERMISSION_TIER:2}",
+    "FIREWALL_ALLOW_INBOUND": "${localEnv:FIREWALL_ALLOW_INBOUND:true}"
   },
   "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
   "workspaceFolder": "/workspace",
diff --git a/.devcontainer/init-firewall.sh b/.devcontainer/init-firewall.sh
@@ -5,6 +5,12 @@ IFS=$'\n\t'
 # Network security firewall for devcontainer.
 # Restricts egress to: PyPI, GitHub, Anthropic/Claude, VS Code, uv/Astral.
 # Uses ipset with aggregated CIDR ranges for reliable filtering.
+# FIREWALL_ALLOW_INBOUND (default: true) controls inbound filtering.
+# When true, INPUT chain is left permissive (Docker handles inbound isolation).
+# When false, strict INPUT DROP policy is applied.
+
+ALLOW_INBOUND="${FIREWALL_ALLOW_INBOUND:-true}"
+echo "Inbound firewall mode: $([ "$ALLOW_INBOUND" = "true" ] && echo "permissive (Docker handles isolation)" || echo "strict (INPUT DROP)")"
 
 echo "iptables version: $(iptables --version)"
 if iptables_path="$(command -v iptables 2>/dev/null)"; then
@@ -48,10 +54,14 @@ fi
 
 # Allow DNS and localhost before any restrictions
 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-iptables -A INPUT -p udp --sport 53 -j ACCEPT
+if [ "$ALLOW_INBOUND" != "true" ]; then
+    iptables -A INPUT -p udp --sport 53 -j ACCEPT
+fi
 iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+if [ "$ALLOW_INBOUND" != "true" ]; then
+    iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+fi
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
@@ -119,7 +129,9 @@ fi
 HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
 echo "Host network detected as: $HOST_NETWORK"
 
-iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+if [ "$ALLOW_INBOUND" != "true" ]; then
+    iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+fi
 iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
 
 # Block all IPv6 traffic (firewall is IPv4-only)
@@ -130,7 +142,9 @@ ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null || true
 ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true
 
 # Allow established connections
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+if [ "$ALLOW_INBOUND" != "true" ]; then
+    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+fi
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow traffic to whitelisted domains
@@ -140,11 +154,13 @@ iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
 iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
 
 # Set default policies AFTER all ACCEPT rules (prevents lockout on partial failure)
-iptables -P INPUT DROP
+if [ "$ALLOW_INBOUND" != "true" ]; then
+    iptables -P INPUT DROP
+fi
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-echo "Firewall configuration complete"
+echo "Firewall configuration complete (inbound: $([ "$ALLOW_INBOUND" = "true" ] && echo "permissive" || echo "strict"))"
 
 # --- Verification ---
 echo "Verifying firewall rules..."
diff --git a/.devcontainer/permissions/tier1-assisted.json b/.devcontainer/permissions/tier1-assisted.json
@@ -24,7 +24,9 @@
       "Bash(*gh pr merge *)",
       "Bash(*gh workflow run *)", "Bash(*gh workflow enable *)", "Bash(*gh workflow disable *)",
       "Bash(*gh issue create *)", "Bash(*gh issue close *)", "Bash(*gh issue edit *)",
-      "Bash(*terraform *)"
+      "Bash(*terraform *)",
+      "Bash(*iptables *)", "Bash(*ip6tables *)", "Bash(*ipset *)",
+      "Bash(*nft *)", "Bash(*init-firewall*)", "Bash(*sudo *)"
     ]
   },
   "enabledPlugins": {
@@ -41,7 +43,10 @@
       },
       {
         "matcher": "Edit|Write",
-        "hooks": [{"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"}]
+        "hooks": [
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"},
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/firewall-edit-blocker.sh"}
+        ]
       }
     ],
     "PostToolUse": [
diff --git a/.devcontainer/permissions/tier2-autonomous.json b/.devcontainer/permissions/tier2-autonomous.json
@@ -23,7 +23,9 @@
       "Bash(*cargo install *)", "Bash(*go install *)", "Bash(*gem install *)",
       "Bash(*uv tool install *)", "Bash(*uv tool *)",
       "Bash(*apt install *)", "Bash(*apt-get install *)", "Bash(*dpkg -i *)",
-      "Bash(*snap install *)", "Bash(*brew install *)"
+      "Bash(*snap install *)", "Bash(*brew install *)",
+      "Bash(*iptables *)", "Bash(*ip6tables *)", "Bash(*ipset *)",
+      "Bash(*nft *)", "Bash(*init-firewall*)", "Bash(*sudo *)"
     ]
   },
   "enabledPlugins": {
@@ -40,7 +42,10 @@
       },
       {
         "matcher": "Edit|Write",
-        "hooks": [{"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"}]
+        "hooks": [
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"},
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/firewall-edit-blocker.sh"}
+        ]
       }
     ],
     "PostToolUse": [
diff --git a/.devcontainer/permissions/tier3-full-trust.json b/.devcontainer/permissions/tier3-full-trust.json
@@ -12,7 +12,9 @@
       "Bash(*docker run --privileged *)",
       "Bash(*docker run --cap-add=ALL *)",
       "Bash(*docker run --pid=host *)",
-      "Bash(*docker run --network=host *)"
+      "Bash(*docker run --network=host *)",
+      "Bash(*iptables *)", "Bash(*ip6tables *)", "Bash(*ipset *)",
+      "Bash(*nft *)", "Bash(*init-firewall*)", "Bash(*sudo *)"
     ]
   },
   "enabledPlugins": {
@@ -29,7 +31,10 @@
       },
       {
         "matcher": "Edit|Write",
-        "hooks": [{"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"}]
+        "hooks": [
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/unicode-injection-scanner.sh"},
+          {"type": "command", "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/firewall-edit-blocker.sh"}
+        ]
       }
     ],
     "PostToolUse": [
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -7,11 +7,12 @@ Use `/sync` before starting work, `/design` to formalize a plan, `/done` when fi
 ## Security
 
 - **Real-time scanning**: The `security-guidance` plugin runs automatically during code editing, warning about command injection, eval/exec, pickle deserialization, XSS, and os.system() usage
-- **Runtime hooks**: 3 base security hooks run automatically via `.claude/hooks/` (+ 1 devcontainer-only policy hook):
+- **Runtime hooks**: 4 base security hooks run automatically via `.claude/hooks/` (+ 1 devcontainer-only policy hook):
   - `dangerous-actions-blocker.sh` (PreToolUse/Bash): blocks `rm -rf`, `sudo`, `DROP DATABASE`, `git push --force`, secrets in args
   - `output-secrets-scanner.sh` (PostToolUse/Bash): warns if command output contains API keys, tokens, private keys, or DB URLs
   - `unicode-injection-scanner.sh` (PreToolUse/Edit|Write): blocks zero-width chars, RTL overrides, ANSI escapes, null bytes
-  - `devcontainer-policy-blocker.sh` (PreToolUse/Bash, devcontainer only): blocks tool installation, publishing, supply-chain piping, and tier-dependent GH/infra commands
+  - `firewall-edit-blocker.sh` (PreToolUse/Edit|Write, devcontainer only): blocks edits to `init-firewall.sh` and sudoers files
+  - `devcontainer-policy-blocker.sh` (PreToolUse/Bash, devcontainer only): blocks tool installation, publishing, supply-chain piping, firewall commands, and tier-dependent GH/infra commands
 - **Secrets handling**: Never commit API keys, tokens, passwords, or private keys -- use environment variables or `.env` files (which are gitignored)
 - **Unsafe operations**: Avoid `eval`, `exec`, `pickle.loads`, `subprocess(shell=True)`, and `yaml.load` without SafeLoader in production code. If required, document the justification in a code comment
 - **Code review**: The code-reviewer agent checks for logic-level security issues (authorization bypass, TOCTOU, data exposure) that static pattern matching cannot catch
diff --git a/docs/DECISIONS.md b/docs/DECISIONS.md
@@ -172,3 +172,15 @@ When a decision is superseded or obsolete, delete it (git history preserves the
 | GitHub API via curl (`curl -H "Authorization: ..." https://api.github.com/.../merge`) | Blocking curl to github.com is fragile and breaks legitimate web fetching. The hook already blocks commands containing `GH_TOKEN=` as a literal argument. | Use fine-grained PATs with minimal scopes. CLAUDE.md instructs Claude to use `gh` CLI, not raw API calls. Token scoping is the real control. |
 | Docker not present but deny rules exist | Docker is not installed in the current template container. Deny rules exist as defense-in-depth for users who add Docker-in-Docker later. | If Docker-in-Docker is added, the deny list should be revisited (add `-v` and `--mount` volume escape patterns). |
 | Whitelisted domains as exfil channels | `github.com` is whitelisted for git/gh operations. A compromised agent could theoretically exfiltrate via gist creation or issue comments. | Token scoping (no gist/issue create permission) + GH mutation deny rules in Tier 2. Tier 3 accepts this risk explicitly. |
+
+## 2026-03-15: Devcontainer Firewall Inbound Relaxation and Tamper Protection
+
+**Request**: Fix two firewall problems: (1) strict inbound filtering blocks legitimate dev server use cases unnecessarily, (2) Claude can tamper with the firewall via iptables commands or by editing init-firewall.sh.
+
+**Decisions**:
+- Default to permissive inbound (`FIREWALL_ALLOW_INBOUND=true`) -- the primary threat model is egress (data exfiltration), not inbound; Docker's own network stack handles inbound isolation
+- Opt-in strict inbound via `FIREWALL_ALLOW_INBOUND=false` preserves the original INPUT DROP behavior for users who need it
+- Three-layer tamper protection: deny rules in all tier files + settings.json (Layer A), firewall command patterns in devcontainer-policy-blocker.sh (Layer B), new firewall-edit-blocker.sh hook blocks edits to init-firewall.sh and sudoers (Layer C)
+- Firewall deny rules apply at ALL tiers (not tier-gated) because the firewall is a security boundary, not a workflow convenience
+- `sudo` broadly denied in tier files because the vscode user's only sudoers entry is the firewall script, and Claude should never re-run it
+- firewall-edit-blocker.sh only activates when `DEVCONTAINER=true` -- no-op on bare metal where users own their own firewall
diff --git a/docs/DEVCONTAINER_PERMISSIONS.md b/docs/DEVCONTAINER_PERMISSIONS.md
@@ -21,7 +21,8 @@ Regardless of tier, these layers provide defense-in-depth:
 - **dangerous-actions-blocker.sh**: Blocks rm -rf, sudo, force push, DROP DATABASE, secrets in args
 - **output-secrets-scanner.sh**: Warns on leaked credentials in command output
 - **unicode-injection-scanner.sh**: Blocks zero-width chars, RTL overrides in file content
-- **devcontainer-policy-blocker.sh**: Catches denied patterns in chained commands
+- **firewall-edit-blocker.sh**: Blocks edits to `init-firewall.sh` and sudoers files
+- **devcontainer-policy-blocker.sh**: Catches denied patterns in chained commands (including firewall commands)
 - **Base deny rules (settings.json)**: gh secret/auth/ssh-key/gpg-key, git clean/config, uv self
 
 ## Denied Commands and Approved Alternatives
@@ -44,6 +45,9 @@ Regardless of tier, these layers provide defense-in-depth:
 | `terraform *` | Ask the user to run terraform | Could modify cloud infrastructure |
 | `docker run --privileged` | Use `docker run` without `--privileged` | Container escape vector |
 | `curl ... \| bash` / `wget ... \| sh` | Do not pipe remote scripts. Add to Dockerfile instead. | Supply-chain attack vector |
+| `iptables` / `ip6tables` / `ipset` / `nft` | Not allowed -- firewall is a security boundary | Firewall tampering would bypass egress restrictions |
+| `sudo *` | Not allowed | Only sudoers entry is the firewall script; Claude should never re-run it |
+| Editing `init-firewall.sh` | Not allowed | Modifying the firewall script could weaken egress restrictions on rebuild |
 | `cd path && command` | Use absolute paths: `command /absolute/path` | Chained commands bypass glob-based permission checks |
 
 ## Tier Comparison
@@ -63,6 +67,8 @@ Regardless of tier, these layers provide defense-in-depth:
 | Tool installation | deny | deny | auto |
 | Docker (non-escape) | ask | auto | auto |
 | Docker escape flags | deny | deny | deny |
+| Firewall commands | deny | deny | deny |
+| sudo | deny | deny | deny |
 | Terraform | deny | deny | auto |
 
 **Note**: With `Bash(*)` (Tier 2/3), there are no "ask" prompts for bash. Commands either execute (allow) or are hard-blocked (deny).
@@ -89,3 +95,15 @@ export PERMISSION_TIER=1  # or 2, 3
 ```
 
 The tier is applied during `onCreateCommand` by copying the corresponding file to `.claude/settings.local.json`.
+
+## Inbound Firewall
+
+By default, the devcontainer firewall only restricts **egress** (outbound) traffic. Inbound traffic is left permissive because Docker's own network stack already provides inbound isolation, and strict inbound rules prevent legitimate use cases like exposing dev servers to LAN devices or other containers.
+
+To enable strict inbound filtering (INPUT DROP policy), set `FIREWALL_ALLOW_INBOUND=false`:
+
+```bash
+export FIREWALL_ALLOW_INBOUND=false
+```
+
+When strict inbound is enabled, only these sources are accepted: loopback, host network, DNS/SSH responses, and established/related connections.
diff --git a/tests/test_hooks.py b/tests/test_hooks.py
@@ -21,6 +21,7 @@
 
 DEVCONTAINER_HOOKS = [
     "devcontainer-policy-blocker.sh",
+    "firewall-edit-blocker.sh",
 ]
 
 ALL_HOOKS = SECURITY_HOOKS + PRODUCTIVITY_HOOKS + DEVCONTAINER_HOOKS
@@ -205,3 +206,37 @@ def test_test_on_change_never_blocks(self) -> None:
     def test_test_on_change_emits_system_message_on_failure(self) -> None:
         content = (HOOKS_DIR / "test-on-change.sh").read_text(encoding="utf-8")
         assert "systemMessage" in content, "test-on-change should emit systemMessage for test failures"
+
+
+class TestFirewallEditBlockerBehavior:
+    """Verify firewall edit blocker hook has correct patterns."""
+
+    def test_firewall_edit_blocker_exits_2_for_blocks(self) -> None:
+        content = (HOOKS_DIR / "firewall-edit-blocker.sh").read_text(encoding="utf-8")
+        assert "exit 2" in content, "firewall-edit-blocker must exit 2 to block actions"
+
+    def test_firewall_edit_blocker_checks_edit_and_write(self) -> None:
+        content = (HOOKS_DIR / "firewall-edit-blocker.sh").read_text(encoding="utf-8")
+        assert '"Edit"' in content, "firewall-edit-blocker should check Edit tool"
+        assert '"Write"' in content, "firewall-edit-blocker should check Write tool"
+
+    def test_firewall_edit_blocker_blocks_init_firewall(self) -> None:
+        content = (HOOKS_DIR / "firewall-edit-blocker.sh").read_text(encoding="utf-8")
+        assert "init-firewall.sh" in content, "firewall-edit-blocker should block init-firewall.sh"
+
+    def test_firewall_edit_blocker_blocks_sudoers(self) -> None:
+        content = (HOOKS_DIR / "firewall-edit-blocker.sh").read_text(encoding="utf-8")
+        assert "sudoers" in content, "firewall-edit-blocker should block sudoers files"
+
+    def test_firewall_edit_blocker_checks_devcontainer_env(self) -> None:
+        content = (HOOKS_DIR / "firewall-edit-blocker.sh").read_text(encoding="utf-8")
+        assert "DEVCONTAINER" in content, "firewall-edit-blocker should check DEVCONTAINER env var"
+
+
+class TestPolicyBlockerFirewallPatterns:
+    """Verify policy blocker blocks firewall commands."""
+
+    def test_policy_blocker_blocks_firewall_commands(self) -> None:
+        content = (HOOKS_DIR / "devcontainer-policy-blocker.sh").read_text(encoding="utf-8")
+        for pattern in ["iptables ", "ip6tables ", "ipset ", "nft ", "init-firewall"]:
+            assert pattern in content, f"devcontainer-policy-blocker missing firewall pattern: {pattern}"
