Network isolation tool for monitoring and restricting HTTP/HTTPS requests from processes.
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
- Process-level network isolation (Linux namespaces)
- HTTP/HTTPS interception with transparent proxy and TLS certificate injection
- Wildcard pattern matching for URL patterns
- Request logging and monitoring
- Linux support
- Default deny-all security model
```bash
curl -fsSL https://raw.githubusercontent.com/coder/boundary/main/install.sh | bash
```

For installation options, manual installation, and release details, see RELEASES.md.
```bash
# Allow only requests to github.com
boundary --allow "domain=github.com" -- curl https://github.com

# Allow full access to GitHub issues API, but only GET/HEAD elsewhere on GitHub
boundary \
  --allow "domain=github.com path=/api/issues/*" \
  --allow "method=GET,HEAD domain=github.com" \
  -- npm install

# Default deny-all: everything is blocked unless explicitly allowed
boundary -- curl https://example.com
```

```
--allow "key=value [key=value ...]"
```
Keys:
- `method` - HTTP method(s), comma-separated (GET, POST, etc.)
- `domain` - Domain/hostname pattern
- `path` - URL path pattern(s), comma-separated
```bash
boundary --allow "domain=github.com" -- git pull
boundary --allow "domain=*.github.com" -- npm install # GitHub subdomains
boundary --allow "method=GET,HEAD domain=api.github.com" -- curl https://api.github.com
boundary --allow "method=POST domain=api.example.com path=/users,/posts" -- ./app # Multiple paths
boundary --allow "path=/api/v1/*,/api/v2/*" -- curl https://api.example.com/api/v1/users
```

Wildcards: `*` matches any characters. All traffic is denied unless explicitly allowed.
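The rule format above, modelled as an added example; this is not boundary's own code. It assumes that a pattern must match the whole value, that a key omitted from a rule is unconstrained, and that a malformed rule allows nothing; the names `glob`, `ruleMatches` and `allowed` are hypothetical.

```go
package main

import "strings"

// glob: '*' matches any run of characters ('/' included); the whole value must match.
func glob(pat, s string) bool {
	head, rest, star := strings.Cut(pat, "*")
	if !star || !strings.HasPrefix(s, head) {
		return !star && pat == s
	}
	for i := len(head); i <= len(s); i++ {
		if glob(rest, s[i:]) {
			return true
		}
	}
	return false
}

// ruleMatches (assumed semantics): each key must match one of its comma-separated patterns.
func ruleMatches(spec string, req map[string]string) bool {
	terms := strings.Fields(spec)
	for _, term := range terms {
		key, val, ok := strings.Cut(term, "=")
		if _, known := req[key]; !ok || !known {
			return false // malformed term or unknown key: fail closed
		}
		hit := false
		for _, p := range strings.Split(val, ",") {
			hit = hit || glob(p, req[key])
		}
		if !hit {
			return false
		}
	}
	return len(terms) > 0 // an empty rule allows nothing
}

// allowed is default deny: a request passes only if some rule matches it.
func allowed(specs []string, method, domain, path string) bool {
	req := map[string]string{"method": method, "domain": domain, "path": path}
	for _, s := range specs {
		if ruleMatches(s, req) {
			return true
		}
	}
	return false
}

func main() { println(allowed([]string{"method=GET,HEAD domain=github.com"}, "POST", "github.com", "/")) }
```

Under these assumptions `domain=github.com` does not cover `api.github.com`; run the tool with `--log-level info` to confirm how it treats a given request before relying on a rule.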
```bash
boundary --log-level info --allow "method=*" -- npm install # Show all requests
boundary --log-level debug --allow "domain=github.com" -- git pull # Debug info
```

Log Levels: error, warn (default), info, debug
| Platform | Implementation | Privileges |
|---|---|---|
| Linux | Network namespaces + iptables | CAP_NET_ADMIN (or root) |
| macOS | Not supported | - |
| Windows | Not supported | - |
```
boundary [flags] -- command [args...]

  --allow <SPEC>         Allow rule (repeatable)
  --log-level <LEVEL>    Set log level (error, warn, info, debug)
  -h, --help             Print help
```
```bash
make build          # Build for current platform
make build-all      # Build for all platforms
make test           # Run tests
make test-coverage  # Run tests with coverage
make clean          # Clean build artifacts
make fmt            # Format code
make lint           # Lint code
```

MIT License - see LICENSE file for details.