anthropics · igorkofman · Jun 13, 2025 · Jun 12, 2025 · Jun 12, 2025
diff --git a/src/claude-code/NOTES.md b/src/claude-code/NOTES.md
@@ -35,37 +35,3 @@ If your container already has Node.js installed (for example, a container based
 
 When using with containers that have nvm pre-installed, you can use the Claude Code feature directly, and it will use the existing Node.js installation.
 
-## Optional Network Firewall
-
-This feature includes a network firewall script that you can optionally enable to restrict outbound traffic to only essential services (GitHub, npm registry, Anthropic API, etc.). This improves security by limiting the container's network access.
-
-The firewall script is installed but not enabled by default. To enable the firewall, add these to your devcontainer.json:
-
-```json
-"runArgs": [
-    "--cap-add=NET_ADMIN",
-    "--cap-add=NET_RAW"
-],
-"postCreateCommand": "sudo /usr/local/bin/init-firewall.sh"
-```
-
-The firewall will be initialized when the container starts, blocking all outbound connections except to essential services. The allowed services include:
-
-- GitHub API, Git, and Web services
-- npm registry
-- Anthropic API
-- Sentry.io
-- Statsig services
-
-All other outbound connections will be blocked, providing an additional layer of security for your development environment.
-
-### How the Firewall Works
-
-The firewall uses iptables and ipset to:
-
-1. Create a whitelist of allowed domains and IP addresses
-2. Allow all established connections and responses
-3. Allow outbound DNS and SSH
-4. Block all other outbound connections
-
-The script automatically resolves and adds the IP addresses for essential services to the whitelist. If you need to add additional domains to the allowed list, you can modify the firewall script at `/usr/local/bin/init-firewall.sh`.
diff --git a/src/claude-code/init-firewall.sh b/src/claude-code/init-firewall.sh
diff --git a/src/claude-code/install.sh b/src/claude-code/install.sh
@@ -87,61 +87,6 @@ install_nodejs() {
     fi
 }
 
-# Map of package manager to required firewall packages
-get_firewall_packages() {
-    local pkg_manager="$1"
-
-    case "$pkg_manager" in
-        apt) echo "iptables ipset dnsutils jq curl aggregate" ;;
-        apk) echo "iptables ipset bind-tools jq curl aggregate" ;;
-        dnf|yum) echo "iptables ipset bind-utils jq curl aggregate" ;;
-        *) echo "" ;;
-    esac
-}
-
-# Function to install firewall packages
-install_firewall_packages() {
-    local pkg_manager="$1"
-    local packages=$(get_firewall_packages "$pkg_manager")
-
-    if [ -z "$packages" ]; then
-        echo "WARNING: Could not determine firewall packages for this system type"
-        return 1
-    fi
-
-    echo "Installing firewall packages: $packages"
-    install_packages "$pkg_manager" $packages
-}
-
-# Function to set up firewall script
-setup_firewall_script() {
-    local script_path="/usr/local/bin/init-firewall.sh"
-
-    echo "Setting up firewall initialization script..."
-
-    # Create destination directory and copy the script
-    mkdir -p /usr/local/bin
-    cp "$(dirname "$0")/init-firewall.sh" "$script_path"
-    chmod +x "$script_path"
-
-    cat <<EOF
-
-Optional network firewall script installed at $script_path
-
-To enable the firewall, add these to your devcontainer.json:
-
-  "runArgs": [
-    "--cap-add=NET_ADMIN",
-    "--cap-add=NET_RAW"
-  ],
-  "postCreateCommand": "sudo $script_path"
-
-The firewall restricts outbound connections to only essential services
-like GitHub, npm registry, and the Anthropic API.
-
-EOF
-}
-
 # Function to install Claude Code CLI
 install_claude_code() {
     echo "Installing Claude Code CLI..."
@@ -181,10 +126,6 @@ main() {
     PKG_MANAGER=$(detect_package_manager)
     echo "Detected package manager: $PKG_MANAGER"
 
-    # Install firewall packages (always install but don't activate)
-    echo "Installing optional firewall packages..."
-    install_firewall_packages "$PKG_MANAGER" || echo "Firewall package installation failed, but continuing..."
-
     # Try to install Node.js if it's not available
     if ! command -v node >/dev/null || ! command -v npm >/dev/null; then
         echo "Node.js or npm not found, attempting to install automatically..."
@@ -193,9 +134,6 @@ main() {
 
     # Install Claude Code CLI
     install_claude_code || exit 1
-
-    # Always set up the firewall script, but don't execute it
-    setup_firewall_script
 }
 
 # Execute main function

diff --git a/test/claude-code/scenarios.json b/test/claude-code/scenarios.json
@@ -5,17 +5,5 @@
             "ghcr.io/devcontainers/features/node:1": {},
             "claude-code": {}
         }
-    },
-    "with-firewall": {
-        "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
-        "features": {
-            "ghcr.io/devcontainers/features/node:1": {},
-            "claude-code": {}
-        },
-        "runArgs": [
-            "--cap-add=NET_ADMIN",
-            "--cap-add=NET_RAW"
-        ],
-        "postCreateCommand": "sudo /usr/local/bin/init-firewall.sh"
     }
 }
diff --git a/test/claude-code/test.sh b/test/claude-code/test.sh
@@ -11,9 +11,5 @@ check "npm version" npm --version
 check "claude cli installed" command -v claude
 check "claude version" claude --version
 
-# The firewall script should always exist now
-check "firewall script exists" test -f /usr/local/bin/init-firewall.sh
-check "firewall script is executable" test -x /usr/local/bin/init-firewall.sh
-
 # Report results
 reportResults
diff --git a/test/claude-code/with-firewall.sh b/test/claude-code/with-firewall.sh