The open-source security gateway for AI agents. Policy enforcement, threat detection, and compliance-ready audit logging for MCP.
mcp-firewall
The open-source security gateway for AI agents.
mcp-firewall sits between your MCP client and server, intercepting every tool call with enterprise-grade policy enforcement, real-time threat detection, and compliance-ready audit logging.
AI Agent --> mcp-firewall --> MCP Server
                   |
            Policy Engine
            Audit Trail
            Threat Feed
Why
AI agents can now execute tools: read files, run commands, query databases, make HTTP requests. Without guardrails, a single prompt injection can exfiltrate your credentials, execute arbitrary code, and chain tools for privilege escalation.
mcp-firewall is the WAF for AI agents.
Quick Start
pip install mcp-firewall
# Wrap any MCP server with zero config
mcp-firewall wrap -- npx @modelcontextprotocol/server-filesystem /tmp
# Generate a starter policy
mcp-firewall init
Features
Defense-in-Depth Pipeline
Every tool call passes through 8 inbound + 4 outbound security checks:
Inbound (request screening):
- Kill Switch: emergency deny-all
- Agent Identity: RBAC per AI agent
- Rate Limiter: per-agent, per-tool, global
- Injection Detector: 50+ patterns
- Egress Control: block SSRF, private IPs, cloud metadata
- Policy Engine: OPA/Rego + YAML policies
- Chain Detector: dangerous tool sequences
- Human Approval: optional interactive prompt
Outbound (response scanning):
- Secret Scanner: API keys, tokens, private keys
- PII Detector: email, phone, SSN, IBAN, credit cards
- Exfil Detector: embedded URLs, base64, DNS tunneling
- Content Policy: custom domain-specific rules
Policy-as-Code
Simple YAML for common rules:
agents:
  claude-desktop:
    allow: [read_file, search]
    deny: [exec, shell, rm]
    rate_limit: 100/min
rules:
  - name: block-credentials
    match: { arguments: { path: "**/.ssh/**" } }
    action: deny
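As an added illustration (not mcp-firewall's own engine), the following Python evaluates a policy of the shape shown above the way the inbound pipeline stages would: agent identity (allow/deny lists), the `100/min` rate limit as a sliding window, and then the `block-credentials` path rule. The policy is embedded as the parsed form of the YAML so it runs without PyYAML; denying unknown agents by default is an assumption.

```python
import fnmatch
import time
from collections import defaultdict, deque
# Constructed input: the YAML policy above, already parsed into a dict.
POLICY = {
    "agents": {"claude-desktop": {"allow": ["read_file", "search"],
                                  "deny": ["exec", "shell", "rm"],
                                  "rate_limit": "100/min"}},
    "rules": [{"name": "block-credentials",
               "match": {"arguments": {"path": "**/.ssh/**"}},
               "action": "deny"}],
}
_UNITS = {"sec": 1, "min": 60, "hour": 3600}
_calls = defaultdict(deque)  # agent -> call timestamps inside the window

def _rate_exceeded(agent, spec, now):
    # Sliding-window limiter for specs such as "100/min".
    limit, unit = spec.split("/")
    window = _calls[agent]
    while window and now - window[0] >= _UNITS[unit]:
        window.popleft()
    if len(window) >= int(limit):
        return True
    window.append(now)
    return False

def _rule_matches(match, args):
    # Every key under match.arguments must glob-match the call's argument.
    # fnmatch's "*" already spans "/", so "**" behaves like "*" here.
    return all(key in args and fnmatch.fnmatch(str(args[key]), pattern)
               for key, pattern in match.get("arguments", {}).items())

def evaluate(policy, agent, tool, args, now=None):
    """Return (blocked, reason). Unknown agents are denied (assumed default)."""
    now = time.monotonic() if now is None else now
    spec = policy["agents"].get(agent)
    if spec is None:
        return True, f"unknown agent {agent!r}"
    if tool in spec.get("deny", []):
        return True, f"tool {tool!r} is on the deny list"
    if "allow" in spec and tool not in spec["allow"]:
        return True, f"tool {tool!r} is not on the allow list"
    if "rate_limit" in spec and _rate_exceeded(agent, spec["rate_limit"], now):
        return True, f"rate limit {spec['rate_limit']} exceeded"
    for rule in policy.get("rules", []):
        if rule["action"] == "deny" and _rule_matches(rule["match"], args):
            return True, f"denied by rule {rule['name']!r}"
    return False, "allowed"
```

Note that a call denied by a rule still consumes a rate-limit slot, because the limiter runs before the policy engine, matching the pipeline order listed above.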
Full OPA/Rego for complex policies:
# Hyphens are not valid in Rego package names, so the package is mcp_firewall.policy.
package mcp_firewall.policy

allow {
    input.agent == "cursor"
    input.tool.name == "read_file"
    not sensitive_path(input.tool.arguments.path)
}

# Placeholder helper so the policy evaluates; replace with your own path rules.
sensitive_path(path) {
    contains(path, "/.ssh/")
}
Real-Time Dashboard
mcp-firewall wrap --dashboard -- python my_server.py
# -> Dashboard at http://localhost:9090
Live event feed, analytics, alert history, and policy playground.
Signed Audit Trail
Every event is cryptographically signed (Ed25519) with a hash chain for tamper detection. Export to SIEM (CEF/LEEF), Syslog, CSV, or JSON.
mcp-firewall audit verify # Verify chain integrity
mcp-firewall audit export --format cef --output siem.log
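An added example of the hash chain and tamper check that a signed audit trail like this relies on, written for illustration and not taken from mcp-firewall. It uses only the standard library, so an HMAC-SHA256 tag under a constructed demo key stands in for the project's Ed25519 signature; the event records are constructed.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC-SHA256 tag under a constructed demo key stands in for the
# Ed25519 signature mcp-firewall uses, so this needs only the standard library.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # previous-hash value of the first entry

def _canonical(obj):
    # Deterministic serialization: verifiers must hash exactly what was signed.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _body(seq, prev, event):
    return {"seq": seq, "prev": prev, "event": event}

def append_event(chain, event, key=DEMO_KEY):
    """Append an entry linking to the previous hash and tag it with the key."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = _body(len(chain), prev, event)
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({**body, "hash": digest, "tag": tag})
    return chain

def verify_chain(chain, key=DEMO_KEY):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expect = hashlib.sha256(
            _canonical(_body(entry["seq"], entry["prev"], entry["event"]))).hexdigest()
        good_tag = hmac.compare_digest(
            entry["tag"], hmac.new(key, expect.encode(), hashlib.sha256).hexdigest())
        # Any edit, reorder, deletion or forged tag breaks one of these checks.
        if (entry["seq"], entry["prev"], entry["hash"]) != (i, prev, expect) or not good_tag:
            return False, i
        prev = entry["hash"]
    return True, None

def demo_chain():
    # Constructed events mirroring the allow/deny decisions the gateway logs.
    chain = []
    append_event(chain, {"agent": "claude-desktop", "tool": "read_file", "decision": "allow"})
    append_event(chain, {"agent": "claude-desktop", "tool": "exec", "decision": "deny"})
    append_event(chain, {"agent": "cursor", "tool": "search", "decision": "allow"})
    return chain
```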
Compliance Reports
Auto-generated evidence for regulatory audits:
mcp-firewall report dora # EU Digital Operational Resilience Act
mcp-firewall report finma # Swiss Financial Market Authority
mcp-firewall report soc2 # SOC 2 Type II evidence
Threat Feed
Community-maintained detection rules (like Sigma for SIEM):
mcp-firewall feed update # Pull latest rules
mcp-firewall feed list # Show active rules
Rules detect known-bad patterns: webhook exfiltration, credential harvesting, cloud metadata SSRF, and more.
Built-in Scanner
Pre-deployment security scanning (powered by mcpwn):
mcp-firewall scan -- python my_server.py
Integration
Works with every MCP client, with zero code changes:
{
  "mcpServers": {
    "filesystem": {
      "command": "mcp-firewall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home"]
    }
  }
}
Compatible with: Claude Desktop, Claude Code, Cursor, VS Code, Windsurf, and any MCP client.
Architecture
+--------------+      +-----------------------------------+      +--------------+
|  MCP Client  |----->|            mcp-firewall           |----->|  MCP Server  |
+--------------+      |                                   |      +--------------+
                      |  Inbound --> Policy --> Outbound  |
                      |     |          |           |      |
                      |     v          v           v      |
                      |  [Audit]   [Alerts]   [Metrics]   |
                      |     |                             |
                      |     v                             |
                      |  [Dashboard]   [Reports]          |
                      +-----------------------------------+
Comparison
| Feature | mcp-firewall | Agent-Wall | LlamaFirewall | MintMCP |
|---|---|---|---|---|
| MCP-native proxy | โ | โ | โ | โ (SaaS) |
| Open source | โ | โ | โ | โ |
| OPA/Rego policies | โ | โ | โ | โ |
| Agent RBAC | โ | โ | โ | โ |
| Signed audit trail | โ | โ | โ | โ |
| Compliance reports | โ | โ | โ | SOC2 only |
| Threat feed | โ | โ | โ | โ |
| Alerting | โ | โ | โ | โ |
| Dashboard | โ | Basic | โ | โ |
| Cost tracking | โ | โ | โ | โ |
| Built-in scanner | โ | โ | โ | โ |
Use Cases
- Developers: Protect your machine when trying new MCP servers
- Security Teams: Enforce tool usage policies across the organization
- Compliance Officers: Generate audit evidence for DORA, FINMA, SOC 2
- CISOs: Visibility and control over AI agent behavior
- Red Teamers: Test AI agent security posture
SDK Mode (any AI agent framework)
mcp-firewall works as a Python library, not just an MCP proxy. Use it with OpenClaw, LangChain, CrewAI, or any custom agent:
from mcp_firewall.sdk import Gateway

gw = Gateway()  # or Gateway(config_path="mcp-firewall.yaml")

# Check before executing a tool
decision = gw.check("exec", {"command": "rm -rf /"}, agent="my-agent")
if decision.blocked:
    print(f"Blocked: {decision.reason}")

# Scan tool output for leaked secrets
result = gw.scan_response("AWS_KEY=AKIAIOSFODNN7EXAMPLE")
print(result.content)  # "AWS_KEY=[REDACTED by mcp-firewall]"
See examples/openclaw_integration.py for a full example.
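The outbound redaction that `gw.scan_response` performs above, as an added illustration rather than the project's own scanner: three constructed patterns (AWS access key ID, PEM private key block, e-mail address as a PII stand-in) are located, overlapping matches are coalesced, and each is replaced with the same `[REDACTED by mcp-firewall]` marker. The project's 50+ rule set is not reproduced here.

```python
import re

# Illustrative subset of patterns (constructed); the project's own rule set is larger.
REDACTED = "[REDACTED by mcp-firewall]"
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.S),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def find_secrets(text):
    """Return non-overlapping (kind, start, end) matches in text order."""
    hits = [(kind, m.start(), m.end())
            for kind, rx in PATTERNS.items() for m in rx.finditer(text)]
    hits.sort(key=lambda h: (h[1], -h[2]))  # earliest, then longest, first
    kept, last_end = [], -1
    for hit in hits:
        if hit[1] >= last_end:  # drop matches nested inside an earlier one
            kept.append(hit)
            last_end = hit[2]
    return kept

def scan_response(text):
    """Return (redacted_text, kinds_found); redacts right-to-left so offsets stay valid."""
    hits = find_secrets(text)
    out = text
    for _, start, end in reversed(hits):
        out = out[:start] + REDACTED + out[end:]
    return out, [kind for kind, _, _ in hits]
```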
See Also
mcpwn: security scanner for MCP servers. While mcp-firewall protects at runtime, mcpwn finds vulnerabilities before deployment.
| Tool | When | What |
|---|---|---|
| mcpwn | Pre-deployment | Find vulnerabilities in MCP servers |
| mcp-firewall | Runtime | Block attacks, enforce policies, audit logging |
Scan first, then protect:
# Step 1: Scan for vulnerabilities
mcp-firewall scan -- python my_server.py
# Step 2: Protect at runtime
mcp-firewall wrap -- python my_server.py
Documentation
Contributing
See CONTRIBUTING.md for guidelines.
Security issues: see SECURITY.md.
License
AGPL-3.0; see LICENSE.
Commercial licensing available for organizations that cannot use AGPL. Contact rr@canus.ch.
About
Built by Robert Ressl, Associate Director Offensive Security at Kyndryl. CISSP, OSEP, OSCP, CRTO. After 100+ penetration tests and red team engagements across banking, insurance, and critical infrastructure, I saw the gap: AI agents are the new attack surface, and MCP is the protocol everyone uses but nobody secures.
mcp-firewall is the firewall that MCP needs.
File details
Details for the file mcp_firewall-0.1.0.tar.gz.
File metadata
- Download URL: mcp_firewall-0.1.0.tar.gz
- Size: 74.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File details
Details for the file mcp_firewall-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mcp_firewall-0.1.0-py3-none-any.whl
- Size: 63.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3