Skip to content
Latchkey

How to Apply Firewall Rules to Self-Hosted Runners

Runners need almost no inbound access and only a short list of outbound hosts, so default-deny both directions.

Deny all inbound (runners poll out to GitHub, so no ingress is needed) and allow outbound only to the GitHub control plane and your package registries. Enforce this at both host and cloud layers.

Steps

  • Block all inbound traffic; runners initiate connections outward.
  • Allow outbound only to GitHub, registries, and required services.
  • Enforce at the cloud security group and on the host firewall.

Default-deny host firewall

Terminal
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out to any port 443 proto tcp   # HTTPS to GitHub + registries
sudo ufw allow out 53                           # DNS
sudo ufw enable

Gotchas

  • Opening SSH inbound to the runner adds an attack path it does not need.
  • Broad outbound 443 to anywhere still allows exfiltration; layer harden-runner egress rules on top.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →