Mathieu Virbel
481616455a
Three issues prevented transparent proxying from working end-to-end: 1. bwrap dropped CAP_NET_ADMIN before exec, so ip tuntap/link commands failed inside the sandbox. Add --cap-add CAP_NET_ADMIN and CAP_NET_BIND_SERVICE when transparent proxy is active. 2. tun2socks only offered SOCKS5 no-auth (method 0x00), but many proxies (e.g. gost) require username/password auth (method 0x02). Pass through credentials from the proxy URL so tun2socks offers both auth methods. 3. DNS resolution failed because UDP DNS needs SOCKS5 UDP ASSOCIATE which most proxies don't support. Add --dns flag and DnsBridge that routes DNS queries from the sandbox through a Unix socket to a host-side DNS server. Falls back to TCP relay through the tunnel when no --dns is set. Also brings up loopback interface (ip link set lo up) inside the network namespace so socat can bind to 127.0.0.1.
Fence wraps commands in a sandbox that blocks network access by default and restricts filesystem operations based on configurable rules. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects, and it can also complement AI coding agents as defense-in-depth.
# Block all network access (default)
fence curl https://example.com # → 403 Forbidden
# Allow specific domains
fence -t code npm install # → uses 'code' template with npm/pypi/etc allowed
# Block dangerous commands
fence -c "rm -rf /" # → blocked by command deny rules
You can also think of Fence as a permission manager for your CLI agents. Fence works with popular coding agents like Claude Code, Codex, Gemini CLI, Cursor Agent, OpenCode, Factory (Droid) CLI, etc. See agents.md for more details.
Install
macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/Use-Tusk/fence/main/install.sh | sh
Other installation methods
Go install:
go install github.com/Use-Tusk/fence/cmd/fence@latest
Build from source:
git clone https://github.com/Use-Tusk/fence
cd fence
go build -o fence ./cmd/fence
Additional requirements for Linux:
bubblewrap(for sandboxing)socat(for network bridging)bpftrace(optional, for filesystem violation visibility when monitoring with-m)
Usage
Basic
# Run command with all network blocked (no domains allowed by default)
fence curl https://example.com
# Run with shell expansion
fence -c "echo hello && ls"
# Enable debug logging
fence -d curl https://example.com
# Use a template
fence -t code -- claude # Runs Claude Code using `code` template config
# Monitor mode (shows violations)
fence -m npm install
# Show all commands and options
fence --help
Configuration
Fence reads from ~/.config/fence/fence.json by default (or ~/Library/Application Support/fence/fence.json on macOS).
{
"extends": "code",
"network": { "allowedDomains": ["private.company.com"] },
"filesystem": { "allowWrite": ["."] },
"command": { "deny": ["git push", "npm publish"] }
}
Use fence --settings ./custom.json to specify a different config.
Import from Claude Code
fence import --claude --save
Features
- Network isolation - All outbound blocked by default; allowlist domains via config
- Filesystem restrictions - Control read/write access paths
- Command blocking - Deny dangerous commands like
rm -rf /,git push - SSH Command Filtering - Control which hosts and commands are allowed over SSH
- Built-in templates - Pre-configured rulesets for common workflows
- Violation monitoring - Real-time logging of blocked requests (
-m) - Cross-platform - macOS (sandbox-exec) + Linux (bubblewrap)
Fence can be used as a Go package or CLI tool.
Documentation
- Index
- Quickstart Guide
- Configuration Reference
- Security Model
- Architecture
- Library Usage (Go)
- Examples
Attribution
Inspired by Anthropic's sandbox-runtime.