
[cli-tools-test] Firewall analysis shows "-" instead of actual blocked domain for all blocked requests #20002

@github-actions


Problem Description

In the audit and logs tools, the firewall analysis consistently shows - as the domain for all blocked network requests instead of showing the actual destination domain. This makes it impossible to determine what domains are being blocked.

Command/Tool

  • Tool: audit and logs
  • Feature: Firewall analysis / network activity reporting

Steps to Reproduce

  1. Run audit on any workflow run that has blocked network requests (most Claude/Copilot workflows qualify)
  2. Examine the firewall_analysis.blocked_domains field
  3. Observe that it always contains ["-"] instead of actual domain names

Example from audit of run 22808600224 (Claude Code User Documentation Review):

{
  "firewall_analysis": {
    "allowed_domains": ["api.anthropic.com:443", "raw.githubusercontent.com:443"],
    "blocked_domains": ["-"],
    "total_requests": 83,
    "allowed_requests": 32,
    "blocked_requests": 51,
    "requests_by_domain": {
      "-": { "allowed": 0, "blocked": 51 },
      "api.anthropic.com:443": { "allowed": 31, "blocked": 0 },
      "raw.githubusercontent.com:443": { "allowed": 1, "blocked": 0 }
    }
  }
}

This pattern appears consistently across all workflows with blocked requests:

  • Claude workflows: 51 blocked requests → domain -
  • Copilot workflows: 39 blocked requests → domain -
  • Codex workflows: 3-9 blocked requests → domain -

The same issue appears in the logs command's firewall_log.blocked_domains field.

Expected Behavior

Blocked domains should show the actual destination domains (e.g., google.com:443, api.example.com:443) so users can understand what network access is being denied.

Actual Behavior

All blocked requests are grouped under domain -, making the firewall blocking analysis completely opaque.

Root Cause Analysis

The - value is the Squid/iptables default for unknown destinations. Traffic appears to be dropped by iptables rules (the detection.log shows [iptables] Drop all non-redirected TCP traffic (default deny)) before reaching the Squid proxy. Since iptables-dropped traffic is not visible to Squid, the domain is unknown and logged as -.

The firewall analysis tool needs to capture the actual destination IP/domain from iptables logs (or nflog) rather than relying solely on Squid access logs for blocked request attribution.
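As an added illustration of the attribution the report asks for (this is example code written for this issue, not gh-aw's own implementation), the snippet below tallies iptables-dropped connections from kernel log lines carrying the "[iptables] Drop ..." prefix quoted above and uses them to replace the proxy's "-" bucket. It assumes the standard SRC/DST/DPT fields of the iptables LOG target, uses constructed log lines, and reports destinations as IP:port, since the kernel log does not know hostnames; any "-" count the kernel log cannot account for is kept under "-" so the totals still add up.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample of iptables LOG output, assuming the "[iptables] Drop ..." prefix
// quoted in the issue; SRC/DST/DPT are the standard fields of the LOG target.
const sampleKernelLog = `kernel: [iptables] Drop all non-redirected TCP traffic (default deny) IN=eth0 OUT= SRC=10.1.0.5 DST=142.250.72.14 PROTO=TCP SPT=51234 DPT=443
kernel: [iptables] Drop all non-redirected TCP traffic (default deny) IN=eth0 OUT= SRC=10.1.0.5 DST=142.250.72.14 PROTO=TCP SPT=51235 DPT=443
kernel: [iptables] Drop all non-redirected TCP traffic (default deny) IN=eth0 OUT= SRC=10.1.0.5 DST=52.1.2.3 PROTO=TCP SPT=51236 DPT=80
kernel: unrelated line with DST=1.2.3.4 DPT=22 but without the drop prefix`

// Only lines emitted by the default-deny rule are counted; DST and DPT are captured.
var dropRe = regexp.MustCompile(`\[iptables\] Drop .*DST=(\S+) .*DPT=(\d+)`)

// DroppedDestinations tallies iptables-dropped connections per "DST:DPT".
// The kernel log only knows IPs, so these are IP:port, not hostnames.
func DroppedDestinations(kernelLog string) map[string]int {
	out := map[string]int{}
	for _, line := range strings.Split(kernelLog, "\n") {
		if m := dropRe.FindStringSubmatch(line); m != nil {
			out[m[1]+":"+m[2]]++
		}
	}
	return out
}

// AttributeBlocked replaces the proxy log's "-" bucket (blockedUnknown requests)
// with the iptables-derived destinations. Whatever the kernel log does not
// account for stays under "-" so blocked_requests remains consistent.
func AttributeBlocked(blockedUnknown int, dropped map[string]int) map[string]int {
	out := map[string]int{}
	remaining := blockedUnknown
	for dst, n := range dropped {
		out[dst] = n
		remaining -= n
	}
	if remaining > 0 {
		out["-"] = remaining
	}
	return out
}
```

Run against the issue's example (51 requests under "-"), the constructed log explains three of them as 142.250.72.14:443 (2) and 52.1.2.3:80 (1) and leaves 48 under "-", which is itself a useful signal that the kernel log capture is incomplete.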

Environment

  • Repository: github/gh-aw
  • Run ID (test session): 22809781843
  • Date: 2026-03-07
  • Affected runs: 22808600224, 22808408919, 22808419255, 22808279943, and all others

Impact

  • Severity: High
  • Frequency: Always (100% of runs with blocked requests)
  • Workaround: None - the actual blocked domains are inaccessible through this tool

Additional Context

This issue significantly reduces the usefulness of the firewall analysis feature. When users see 51 blocked requests, they cannot determine if these are:

  • Expected (internal monitoring traffic)
  • Unexpected (agent attempting to access unauthorized domains)
  • Concerning (potential security issue)

The firewall analysis should be the primary tool for security review of network access, but the - domain makes it impossible to do meaningful analysis.

Generated by Daily CLI Tools Exploratory Tester · expires on Mar 15, 2026, 12:02 AM UTC
