Network Deny All

What You’ll Learn

Creating a sandbox with allow_internet_access=False (Python) / allowInternetAccess: false (TypeScript)
Verifying blocked outbound traffic by attempting a raw TCP connection
Comparing behavior against a sandbox with default (open) network access
Proper cleanup of multiple sandboxes with try/finally

Prerequisites

Code Walkthrough

Python
TypeScript

The test script attempts a raw TCP connection to 1.1.1.1:80. In a blocked sandbox, socket.connect() raises an exception:

NET_TEST_SCRIPT = """
import socket
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect(("1.1.1.1", 80))
    s.close()
    print("CONNECTED")
except Exception as e:
    print(f"BLOCKED: {e}")
"""

Create a sandbox with internet blocked:

from declaw import Sandbox

blocked_sbx = Sandbox.create(
    template="python", timeout=300, allow_internet_access=False
)
blocked_sbx.files.write("/tmp/net_test.py", NET_TEST_SCRIPT)

result = blocked_sbx.commands.run("python3 /tmp/net_test.py", timeout=15)
print(f"  Output: {result.stdout.strip()}")
# Output: BLOCKED: [Errno 111] Connection refused  (or timed out)

if "BLOCKED" in result.stdout:
    print("  [PASS] Outbound connection was blocked as expected.")

Compare against a sandbox with default (open) network access:

open_sbx = Sandbox.create(template="python", timeout=300)
open_sbx.files.write("/tmp/net_test.py", NET_TEST_SCRIPT)

result = open_sbx.commands.run("python3 /tmp/net_test.py", timeout=15)
# Output: CONNECTED

if "CONNECTED" in result.stdout:
    print("  [PASS] Outbound connection succeeded as expected.")

Create a sandbox with allowInternetAccess: false:

import { Sandbox } from "@declaw/sdk";

const blockedSbx = await Sandbox.create({ allowInternetAccess: false });

Run a Python urllib test inside the blocked sandbox:

const FETCH_CMD = [
  "python3 -c \"",
  "import urllib.request; ",
  "r = urllib.request.urlopen('http://1.1.1.1', timeout=5); ",
  "print(r.status)",
  "\"",
].join("");

let result = await blockedSbx.commands.run(FETCH_CMD, { timeout: 15 });
console.log(`exit_code: ${result.exitCode}`);
console.log(`stdout:\n${result.stdout}`);

if (result.exitCode !== 0) {
  console.log("\n[PASS] Outbound request was blocked as expected.");
}

Compare with an open sandbox (allowInternetAccess defaults to true):

const openSbx = await Sandbox.create();
result = await openSbx.commands.run(FETCH_CMD, { timeout: 15 });
if (result.exitCode === 0) {
  console.log("\n[PASS] Outbound request succeeded as expected.");
}

Expected Output

============================================================
Network Deny All Example
============================================================

--- Creating sandbox with internet access DENIED ---
Sandbox created: sbx_abc123

--- Attempting to connect to 1.1.1.1:80 (should FAIL) ---
  Output: BLOCKED: [Errno 111] Connection refused
  Exit code: 0
  [PASS] Outbound connection was blocked as expected.

------------------------------------------------------------
--- Creating sandbox with internet access ALLOWED ---
Sandbox created: sbx_def456

--- Attempting to connect to 1.1.1.1:80 (should SUCCEED) ---
  Output: CONNECTED
  Exit code: 0
  [PASS] Outbound connection succeeded as expected.

--- Cleaning Up ---
  Sandbox sbx_abc123 killed.
  Sandbox sbx_def456 killed.

============================================================
Done!
============================================================

Getting Started

Commands

Filesystem

Network Policies

PII Protection

Security Features

LLM Providers

Framework Integrations

Agent-in-Sandbox

Real-World Patterns

Security Demos

Network Deny All

What You’ll Learn

Prerequisites

Code Walkthrough

Expected Output

Getting Started

Commands

Filesystem

Network Policies

PII Protection

Security Features

LLM Providers

Framework Integrations

Agent-in-Sandbox

Real-World Patterns

Security Demos

​What You’ll Learn

​Prerequisites

​Code Walkthrough

​Expected Output

What You’ll Learn

Prerequisites

Code Walkthrough

Expected Output