How to Apply Firewall Rules to Self-Hosted Runners
Runners need almost no inbound access and only a short list of outbound hosts, so default-deny both directions.
Deny all inbound (runners poll out to GitHub, so no ingress is needed) and allow outbound only to the GitHub control plane and your package registries. Enforce this at both host and cloud layers.
Steps
- Block all inbound traffic; runners initiate connections outward.
- Allow outbound only to GitHub, registries, and required services.
- Enforce at the cloud security group and on the host firewall.
Default-deny host firewall
Terminal
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out to any port 443 proto tcp # HTTPS to GitHub + registries
sudo ufw allow out 53 # DNS
sudo ufw enableGotchas
- Opening SSH inbound to the runner adds an attack path it does not need.
- Broad outbound
443 to anywherestill allows exfiltration; layer harden-runner egress rules on top.
Related guides
How to Restrict Runner Network Egress With harden-runnerLock down outbound network traffic from a GitHub Actions runner using step-security/harden-runner in block mo…
How to Block the Cloud Metadata Endpoint on RunnersPrevent SSRF credential theft by blocking the cloud instance metadata endpoint (169.254.169.254) from GitHub…