openclaw security

Why Every OpenClaw Agent Needs a Dedicated Firewall (And Why Most Don't Have One)

Itamar Malul

7 min read
Why Every OpenClaw Agent Needs a Dedicated Firewall (And Why Most Don't Have One)

Running an OpenClaw agent on a shared or unprotected server is like leaving your office door unlocked in a building anyone can walk into. The openclaw agent firewall question isn't academic. It's the difference between an agent that works quietly and securely in the background, and one that's exposed to port scanners, brute force attempts, and network-level intrusions 24 hours a day.

Most platforms that host OpenClaw agents skip the firewall entirely. ClawBud doesn't. It's the only OpenClaw platform in the world that automatically provisions a dedicated UFW firewall for every single agent, on every plan.

This article explains why that matters, what happens without it, and why no other platform has bothered to solve this problem yet.

What Is OpenClaw, and Why Does Its Network Exposure Matter?

OpenClaw is an autonomous agent framework. When you run an OpenClaw agent, it operates as a persistent process on a server, communicating with external tools, APIs, browsers, and services around the clock. That persistence is the point. It's also the risk.

Every OpenClaw agent runs on a machine that has an IP address, open ports, and a network stack. Without proper OpenClaw security controls, that machine is reachable by anyone on the internet who knows how to run a port scanner. Tools like Shodan index millions of exposed servers every day. If your agent's server has unnecessary ports open, it will be found.

The OpenClaw framework itself listens on port 18789 by default for its internal API. If that port is exposed publicly without authentication controls, an attacker who reaches it can potentially interact with your agent's core interface, inject commands, or disrupt its operation entirely.

The Port Problem: What an Unprotected OpenClaw Server Looks Like

When a server runs without a firewall, every port the operating system opens is reachable from the public internet. A typical OpenClaw deployment without firewall controls might expose:

  • Port 22 (SSH): Required for admin access, but should be hardened
  • Port 80/443 (HTTP/HTTPS): Standard web traffic
  • Port 18789 (OpenClaw API): Should be internal-only, not public
  • Dozens of ephemeral ports: Opened by running processes, databases, monitoring tools, and services the agent interacts with

According to NIST's guidelines on network security, the principle of least privilege applies directly to network access: only expose what you explicitly need, and block everything else by default.

Without a firewall enforcing this, you're relying on each individual service to secure itself. That's a bad bet. Services have vulnerabilities. Misconfigurations happen. Default credentials get left in place. A firewall is the last line of defense that catches all of it at the network layer, before a bad actor even reaches the application.

Without a Firewall vs. With Dedicated UFW: A Direct Comparison

Here's what running an OpenClaw agent looks like in each scenario:

Without a Firewall

  • All ports that any process opens become publicly reachable
  • Port scanners (automated and manual) can enumerate your agent's attack surface in seconds
  • OpenClaw's internal API port (18789) may be accessible from the public internet
  • Brute force attacks on SSH succeed at a much higher rate when not rate-limited at the network layer
  • If a dependency or integration opens an unexpected port, it's immediately exposed
  • You have no audit trail of blocked connection attempts
  • Compromise of one service can pivot to your agent's core processes

With Dedicated UFW (ClawBud's Approach)

  • Only four ports open: 22 (SSH), 80 (HTTP), 443 (HTTPS), 18789 (OpenClaw internal)
  • All other inbound connections are dropped at the kernel level before they reach any application
  • Port 18789 is accessible but governed by UFW rules, not left wide open to arbitrary connections
  • Brute force attempts against SSH are stopped before they accumulate
  • New processes that open unexpected ports are automatically blocked at the network layer
  • The attack surface is mathematically minimized

The OWASP Security by Design principles make this point clearly: reduce your attack surface as a first-order security goal, not an afterthought.

Why Prompt Injection and Network Isolation Are Connected

This is the part most discussions skip. OpenClaw agents don't just serve requests. They *make* requests. Your agent reaches out to APIs, browses websites via its integrated Chromium browser, reads external data, and takes actions based on what it finds.

Prompt injection is a real threat in this architecture. A malicious website or API response can attempt to hijack the agent's behavior by embedding instructions in content the agent reads. But the threat doesn't stop at the application layer.

Network isolation through a properly configured firewall limits what your agent can be *made* to reach by a successful injection attempt. If your agent gets compromised at the application layer and an attacker tries to exfiltrate data or call back to a command-and-control server, a strict egress policy makes that far harder.

ClawBud's dedicated VM architecture means your agent runs in complete network isolation from other users' agents. There's no shared network namespace where a compromised neighbor can sniff your traffic or reach your agent's internal ports. Combined with the UFW firewall, this creates genuine defense in depth.

This isn't theoretical. Research from academic security groups studying agentic systems has documented how multi-step agentic workflows create cascading risks when network boundaries aren't enforced.

Why Most OpenClaw Platforms Skip the Firewall

The honest answer is: it's extra work and most platforms cut corners.

Provisioning a dedicated firewall for every agent requires automation. You need tooling that configures UFW correctly at VM creation time, validates the rules, and maintains them across restarts and updates. If you're running a shared hosting model where multiple agents live on one box, a per-agent firewall isn't even possible. Shared hosting means shared network stacks.

This is why ClawBud made the architectural decision to give every agent its own dedicated VM: 4GB RAM, 40GB SSD, 2 vCPU. You can't do per-agent UFW on a shared server. The dedicated infrastructure is what makes the dedicated firewall possible.

When ClawBud provisions your agent, it automatically runs:

`

ufw default deny incoming

ufw default allow outgoing

ufw allow 22/tcp

ufw allow 80/tcp

ufw allow 443/tcp

ufw allow 18789/tcp

ufw enable

`

That's it. Clean. Minimal. Applied before your agent ever starts running. No manual configuration required. No hoping the platform got it right. It's done.

Check the plans page at clawbud.ai/plans to see how this is included across all tiers, from BYOK at $20/mo to Pro at $79/mo.

The ClawBud Difference: Enterprise OpenClaw Security Built In

ClawBud is built specifically for enterprise OpenClaw agents. The firewall is one piece of a broader security architecture:

Dedicated VM per agent. No shared resources, no shared network. Your agent is isolated at the infrastructure level.

Dedicated Chromium browser. When your agent browses the web, it uses an isolated Chromium instance. Browsing activity from one agent cannot affect another.

1-click install. The entire stack, including UFW configuration, deploys automatically. You don't need to be a sysadmin to run a secure OpenClaw agent.

Private OpenClaw server security by default. Every ClawBud agent gets the same security baseline regardless of plan. Security isn't a premium add-on.

Compare this to the alternatives at clawbud.ai/compare. The gap is significant.

What to Look for When Evaluating OpenClaw Hosting Security

If you're comparing platforms, ask these questions directly:

  1. Does each agent get its own VM or is it shared hosting? Shared hosting makes per-agent firewalls impossible.
  2. Is a firewall configured automatically, or do you have to set it up yourself? Manual firewall configuration is a security risk waiting to happen.
  3. Which ports are open by default? If they can't answer precisely, assume the worst.
  4. Is network isolation enforced between agents? If multiple customers share a server, their agents can potentially reach each other's internal services.
  5. What happens if a process opens an unexpected port? With UFW's deny-by-default policy, it gets blocked automatically. Without UFW, it's immediately exposed.

ClawBud answers all five questions correctly. Most alternatives don't answer them at all.

FAQ: OpenClaw Agent Firewall

Q: Does every ClawBud plan include the dedicated UFW firewall?

Yes. BYOK ($20/mo), Starter ($39/mo), and Pro ($79/mo) all include automatic UFW configuration on a dedicated VM. The firewall isn't a paid upgrade. It's the baseline for every agent.

Q: Can I run my own OpenClaw agent on a VPS and configure UFW myself?

You can, and if you do, you should absolutely configure UFW before your agent goes live. The risk with self-managed setups is human error: forgetting to run UFW enable, misconfiguring rules, or having UFW reset after a kernel update. ClawBud automates this so it can't be accidentally skipped.

Q: Why is port 18789 in the allowed list if it's the OpenClaw internal API?

Port 18789 is what the OpenClaw agent uses for its internal API communication. It needs to be reachable for the agent to function. Including it in the UFW allow-list means it's open, but all *other* ports are blocked. The goal isn't to make 18789 unreachable. The goal is to ensure nothing else gets through that shouldn't.

Q: Does the dedicated firewall protect against application-layer attacks?

A network firewall operates at the network layer and controls which connections can be established. It doesn't inspect application-layer payloads. For full security, the firewall works alongside other controls: authentication on the OpenClaw interface, prompt injection mitigations at the application level, and secure API key management. ClawBud's architecture handles the network layer. The other layers benefit from the reduced attack surface that the firewall creates.

Conclusion: Firewall First, Everything Else Second

Running an OpenClaw agent without a dedicated firewall is a security gap that will eventually get exploited. The question isn't whether unprotected servers get probed. They do, constantly, automatically, by bots that never sleep.

OpenClaw agent firewall configuration isn't complicated when it's done right. The problem is that most platforms don't do it at all. They skip the dedicated VM. They skip the per-agent UFW setup. They save money on infrastructure and pass the security risk to you.

ClawBud made a different call. Every agent gets its own VM, its own firewall, and a precisely configured UFW policy that blocks everything except what your agent actually needs. That's what enterprise OpenClaw hosting looks like.

See the full comparison at clawbud.ai/compare or choose your plan at clawbud.ai/plans.

Read more