Create nolocal6.net

author: rootalc <77608426+rootalc@users.noreply.github.com> 2021-01-18 11:12:51 +0300
committer: GitHub <noreply@github.com> 2021-01-18 11:12:51 +0300
commit: aabd30726651e4ca680f8107eac223f78e6a2ced (patch)
tree: a783b6bec6e457253e3b3c9e9fb30c2bec85d3c5
parent: Add new allow include allow-bin-sh.inc (diff)
download: firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.tar.gz
firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.tar.zst
firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.zip
1 files changed, 41 insertions, 0 deletions
diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net
new file mode 100644
index 000000000..5a6678d03
--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT
author	rootalc <77608426+rootalc@users.noreply.github.com>	2021-01-18 11:12:51 +0300
committer	GitHub <noreply@github.com>	2021-01-18 11:12:51 +0300
commit	aabd30726651e4ca680f8107eac223f78e6a2ced (patch)
tree	a783b6bec6e457253e3b3c9e9fb30c2bec85d3c5
parent	Add new allow include allow-bin-sh.inc (diff)
download	firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.tar.gz firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.tar.zst firejail-aabd30726651e4ca680f8107eac223f78e6a2ced.zip

diff --git a/etc/net/nolocal6.net b/etc/net/nolocal6.net new file mode 100644 index 000000000..5a6678d03 --- /dev/null +++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT ACCEPT [0:0]
	5
	6	###################################################################
	7	# Client filter rejecting local network traffic, with the exception of
	8	# DNS traffic
	9	#
	10	# Usage:
	11	# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
	12	#
	13	###################################################################
	14
	15	#allow all loopback traffic
	16	-A INPUT -i lo -j ACCEPT
	17
	18	# no incoming connections
	19	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	20
	21	# allow ping etc.
	22	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
	23	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
	24	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
	25	# required for ipv6
	26	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
	27	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
	28	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
	29	-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
	30
	31	# accept dns requests going out to a server on the local network
	32	-A OUTPUT -p udp --dport 53 -j ACCEPT
	33
	34	# drop all local network traffic
	35	-A OUTPUT -d FC00::/7 -j DROP
	36
	37	# drop multicast traffic
	38	# required for ipv6
	39	-A OUTPUT -d ff02::2 -j ACCEPT
	40	-A OUTPUT -d ff00::/8 -j DROP
	41	COMMIT