Egress Filtering
The practice of inspecting and restricting outbound network traffic leaving a system.
Egress filtering is the practice of inspecting and restricting outbound network traffic leaving a system, as opposed to ingress filtering, which controls traffic coming in. It is a core network security control for any environment that runs code whose behavior cannot be fully predicted in advance.
How it works
Egress filtering can be implemented at several layers: firewall rules that block traffic to specific IP ranges, DNS-level filtering that refuses to resolve disallowed domains, or an application-layer proxy that inspects HTTP requests and enforces allowlists or denylists. Common targets for blocking include private IP address ranges, to prevent reaching internal services, link-local addresses used by cloud metadata endpoints, and known unnecessary or risky destinations. Effective egress filtering is usually default-deny: traffic is blocked unless it matches an explicit rule permitting it, rather than allowed unless it matches a rule blocking it.
Why it matters for AI agents
An AI agent that can call tools or make HTTP requests can, in principle, be directed to contact any address it is not explicitly prevented from reaching, whether through a bug in its own logic, a poorly scoped tool, or a prompt injection attack that instructs it to send data somewhere it should not. Without egress filtering, an agent container that is otherwise well isolated can still be used as a pivot point to scan an internal network or exfiltrate data to an external server. Egress filtering closes that gap by making the network boundary explicit and enforced outside the agent's own code, so the agent cannot reason its way around it.
What gets blocked in practice
- Private IP ranges, such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, which would otherwise let a container reach internal infrastructure
- Cloud metadata endpoints, which can expose credentials and instance configuration to anything that can reach them
- Arbitrary outbound domains not required for the agent's task, reducing the surface available for data exfiltration
Agenhood's implementation
Agenhood applies egress filtering at its dedicated egress proxy, the sole route out of the internal Docker network that agent containers run on. The proxy blocks private IP ranges and cloud metadata endpoints and forwards search traffic to a self-hosted SearXNG instance, so the filtering policy lives in one place rather than being re-implemented inside every agent.