# Allowing Specific IP Addresses

This guide shows how to configure Bullfrog to allow connections to specific IP addresses while controlling DNS resolution.
## Basic IP Allow List

To allow connections to specific IP addresses:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      1.2.3.4
      5.6.7.8
```
Full example:

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
        with:
          egress-policy: block
          allowed-ips: |
            1.2.3.4
            5.6.7.8
      - name: Deploy to server
        run: |
          curl http://1.2.3.4:8080/deploy
```
## CIDR Notation

You can use CIDR notation to allow entire IP ranges:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      192.168.1.0/24
      10.0.0.0/8
      172.16.0.0/12
```
## Combining IPs and Domains

Some workflows need both IP addresses and domain names:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-domains: |
      github.com
      *.github.com
      registry.npmjs.org
    allowed-ips: |
      1.2.3.4
      192.168.1.0/24
```

This allows:

- Connections to listed domains (resolved via DNS)
- Direct connections to listed IP addresses
- DNS lookups only for listed domains (due to the default `dns-policy: allowed-domains-only`)
If you allow specific IPs but access services by their domain names (e.g., `curl https://api.example.com`), you must do one of the following:

- Add the domain to `allowed-domains` (recommended), OR
- Set `dns-policy: any` to allow DNS resolution for any domain

With the default `dns-policy: allowed-domains-only`, allowing an IP via `allowed-ips` is not sufficient when you access the service by its domain name: the DNS lookup is blocked before any connection attempt is made.
Example: IP-only control with DNS enabled:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      1.2.3.4
    dns-policy: any # Required to resolve domain names to allowed IPs
```

Note that `dns-policy: any` comes with DNS exfiltration risks: once any name can be resolved, DNS queries themselves become a channel that is not covered by the IP allow list.
## Private Network Access

To allow access to private networks or internal services:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      # Private network ranges
      10.0.0.0/8
      172.16.0.0/12
      192.168.0.0/16
      # Specific internal services
      10.1.2.3
      10.1.2.4
```
## IPv6 Addresses

Bullfrog supports IPv6 addresses, both single hosts and CIDR ranges:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      2001:0db8:85a3::8a2e:0370:7334
      2001:0db8::/32
```
## Localhost and Loopback

Localhost (`127.0.0.1` and `::1`) is always allowed by default, even in block mode. You don't need to add it explicitly.
## Custom DNS Servers

If your workflow uses custom DNS servers (e.g., Tailscale Magic DNS, internal corporate DNS, or VPN-provided DNS), you must add those DNS server IP addresses to the `allowed-ips` list. Without this, DNS queries to your custom DNS servers will be blocked.

Example with Tailscale Magic DNS:

```yaml
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-ips: |
      100.100.100.100 # Tailscale Magic DNS
```
## Security Considerations

- Be specific: only allow IP addresses you explicitly need
- Avoid large ranges: don't use `/8` or `/16` unless necessary
- Document IPs: comment why each IP or range is allowed
- Regular review: verify that allowed IPs are still needed and valid
- Prefer domains: when possible, use domain names instead of IPs
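The following Python is an added example, not Bullfrog's own code: it models the interaction described above between `dns-policy`, `allowed-domains` and `allowed-ips` (why a request by name is blocked at the DNS step under the default policy), and lints an `allowed-ips` value for the wide ranges this section warns against. The matching rules it uses (wildcard domains, loopback always allowed, DNS checked before the connection, the 256-address threshold) are assumptions drawn from this page, not the action's implementation.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Constructed model of the action inputs used on this page (assumed shape).
    egress_policy: str = "block"               # "block" or "audit"
    dns_policy: str = "allowed-domains-only"   # default, or "any"
    allowed_domains: list = field(default_factory=list)
    allowed_ips: list = field(default_factory=list)  # ip_network objects


def parse_ip_list(block: str) -> list:
    """Parse a multi-line allowed-ips value, ignoring blank lines and # comments."""
    nets = []
    for line in block.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:  # accepts IPv4/IPv6 hosts and CIDR ranges alike
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def domain_allowed(host: str, patterns: list) -> bool:
    """Exact match, or "*.example.com" matching any subdomain (assumed semantics)."""
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:]))
               for p in patterns)


def ip_allowed(ip: str, nets: list) -> bool:
    """Loopback is always allowed, as the page states; otherwise match a listed range."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in nets)


def evaluate(policy: Policy, host: str, resolved_ip: str) -> str:
    """Explain why a request to host (resolving to resolved_ip) is blocked, or 'allowed'."""
    if policy.egress_policy != "block":
        return "allowed"
    by_domain = domain_allowed(host, policy.allowed_domains)
    # A request by name triggers a DNS lookup first; under the default
    # dns-policy that lookup fails unless the domain itself is listed.
    if host != resolved_ip and policy.dns_policy == "allowed-domains-only" and not by_domain:
        return "blocked: DNS lookup"
    if by_domain or ip_allowed(resolved_ip, policy.allowed_ips):
        return "allowed"
    return "blocked: connection"


def wide_ranges(nets: list, max_hosts: int = 256) -> list:
    """Lint for the 'avoid large ranges' guidance: flag anything wider than a /24."""
    return [str(net) for net in nets if net.num_addresses > max_hosts]
```

Run `evaluate` against the policy you intend to ship with the hostnames your steps actually contact; "blocked: DNS lookup" is the failure mode this page describes for an IP-only allow list.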
## Next Steps

- Review DNS policy configuration
- Learn about audit mode to discover IPs
- See the troubleshooting guide for debugging connection issues