New Smokescreen Example

Fly, I don’t think, has a built-in firewall. One could set up firewall rules with iptables / nftables?

You can also go nuclear and delete the default routes when the VM starts up (do not recommend unless you know what you’re doing):

ip route del default
ip -6 route del default

@thomas / @wjordan can confirm if 6PN would continue to work in that case? I am not so sure… but I know for sure that you’d lose all connectivity to that VM!

Short of mucking with the routing table, if you’re ambitious enough, you could process potentially malicious payloads in a capability-restricted programmable wasm runtime.

You may also spin up one VM per request using Machines (let us know if it works!).

Btw, not really what you want, but if the app needn’t be reachable over the public Internet (see also), consider removing the [[services]] section from fly.toml (nb, you can also release assigned public IPs after the fact, too)… in doing so, that (public IP-less) app should be exempt from egress / ingress charges altogether.