added webserver.net and nolocal.net network filters

author: netblue30 <netblue30@yahoo.com> 2015-11-20 16:50:29 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-20 16:50:29 -0500
commit: a039bce14d634e891a670202047b0be674e5d547 (patch)
tree: a6f11ab356bce247dcf80bc0231c5a694aa53a9e
parent: testing (diff)
download: firejail-a039bce14d634e891a670202047b0be674e5d547.tar.gz
firejail-a039bce14d634e891a670202047b0be674e5d547.tar.zst
firejail-a039bce14d634e891a670202047b0be674e5d547.zip
8 files changed, 96 insertions, 2 deletions
diff --git a/Makefile.in b/Makefile.in
index 65f43884b..cf27248c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -115,6 +115,8 @@ realinstall:
        install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
        install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
        bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
        rm -fr .etc
        # man pages
diff --git a/RELNOTES b/RELNOTES
index a11674bab..d8dec685e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low
  * whitelist command enhancements
  * prevent leaking user information by modifying /home directory,
          /etc/passwd and /etc/group
+  * added /etc/firejail/nolocal.net network filter
+  * added /etc/firejail/webserver.net network filter
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  ongoing development
diff --git a/etc/nolocal.net b/etc/nolocal.net
new file mode 100644
index 000000000..9c0c6e125
--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
diff --git a/etc/webserver.net b/etc/webserver.net
new file mode 100644
index 000000000..d165e6faf
--- /dev/null
+++ b/etc/webserver.net
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+COMMIT
diff --git a/mketc.sh b/mketc.sh
index 7b86a69e4..baca7c12e 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -16,3 +16,9 @@ for file in $FILES
 do
        sed "s/\/etc/$result/g" $file > .$file
 done
+FILES=`ls etc/*.net`
+for file in $FILES
+do
+        sed "s/\/etc/$result/g" $file > .$file
+done
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index c78dab441..b000ce04d 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -41,4 +41,6 @@
 /etc/firejail/conkeror.profile
 /etc/firejail/unbound.profile
 /etc/firejail/dnscrypt-proxy.profile
-etc/whitelist-common.inc
+/etc/firejail/whitelist-common.inc
+/etc/firejail/nolocal.net
+/etc/firejail/webserver.net
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 98ca5e7a4..21e28c98b 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -55,6 +55,10 @@ _firejail()
            _filedir
            return 0
            ;;
+        --netfilter)
+            _filedir
+            return 0
+            ;;
        --shell)
            _filedir
            return 0
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 370fce588..00abc13db 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -587,9 +587,30 @@ New network namespaces are created using \-\-net option. If a new network namesp
 .br
 .br
+The following filters are available in /etc/firejail directory:
+.br
+.br
+.B webserver.net
+is a webserver filter that allows access only to TCP ports 80 and 443.
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+.br
+$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
+.br
+/etc/init.d/apache2 start
+.br
+.br
+.B nolocal.net
+is a client filter that disable access to local network. Example:
+.br
+.br
+$ firejail --netfilter=/etc/firejail/nolocal.net \\
+.br
+--net=eth0 firefox
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see MONITORING section for more details.
@@ -598,6 +619,8 @@ Monitor network namespace statistics, see MONITORING section for more details.
 .br
 Example:
 .br
+.br
 $ firejail \-\-netstats
 .br
 PID  User    RX(KB/s) TX(KB/s) Command
author	netblue30 <netblue30@yahoo.com>	2015-11-20 16:50:29 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-20 16:50:29 -0500
commit	a039bce14d634e891a670202047b0be674e5d547 (patch)
tree	a6f11ab356bce247dcf80bc0231c5a694aa53a9e
parent	testing (diff)
download	firejail-a039bce14d634e891a670202047b0be674e5d547.tar.gz firejail-a039bce14d634e891a670202047b0be674e5d547.tar.zst firejail-a039bce14d634e891a670202047b0be674e5d547.zip

diff --git a/Makefile.in b/Makefile.in index 65f43884b..cf27248c8 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -115,6 +115,8 @@ realinstall:
115	install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.	115	install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
116	install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.	116	install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
117	install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.	117	install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
		118	install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
		119	install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
118	bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"	120	bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
119	rm -fr .etc	121	rm -fr .etc
120	# man pages	122	# man pages


diff --git a/RELNOTES b/RELNOTES index a11674bab..d8dec685e 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low
4	* whitelist command enhancements	4	* whitelist command enhancements
5	* prevent leaking user information by modifying /home directory,	5	* prevent leaking user information by modifying /home directory,
6	/etc/passwd and /etc/group	6	/etc/passwd and /etc/group
		7	* added /etc/firejail/nolocal.net network filter
		8	* added /etc/firejail/webserver.net network filter
7	* bugfixes	9	* bugfixes
8	-- netblue30 <netblue30@yahoo.com> ongoing development	10	-- netblue30 <netblue30@yahoo.com> ongoing development
9		11


diff --git a/etc/nolocal.net b/etc/nolocal.net new file mode 100644 index 000000000..9c0c6e125 --- /dev/null +++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
		1	*filter
		2	:INPUT DROP [0:0]
		3	:FORWARD DROP [0:0]
		4	:OUTPUT ACCEPT [0:0]
		5
		6	###################################################################
		7	# Client filter rejecting local network traffic, with the exception of DNS traffic
		8	#
		9	# Usage:
		10	# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
		11	#
		12	###################################################################
		13
		14
		15	-A INPUT -i lo -j ACCEPT
		16	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
		17	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
		18	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
		19	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
		20
		21	-A OUTPUT -p udp --dport 53 -j ACCEPT
		22	-A OUTPUT -d 192.168.0.0/16 -j DROP
		23	-A OUTPUT -d 10.0.0.0/8 -j DROP
		24	-A OUTPUT -d 172.16.0.0/12 -j DROP
		25	COMMIT


diff --git a/etc/webserver.net b/etc/webserver.net new file mode 100644 index 000000000..d165e6faf --- /dev/null +++ b/etc/webserver.net
@@ -0,0 +1,30 @@
		1	*filter
		2	:INPUT DROP [0:0]
		3	:FORWARD DROP [0:0]
		4	:OUTPUT DROP [0:0]
		5
		6	###################################################################
		7	# Simple webserver filter
		8	#
		9	# Usage:
		10	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
		11	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
		12	#
		13	###################################################################
		14
		15	# allow webserver traffic
		16	-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
		17	-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
		18	-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
		19	-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
		20
		21	# allow incoming ping
		22	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
		23	-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
		24
		25	# allow outgoing DNS
		26	-A OUTPUT -p udp --dport 53 -j ACCEPT
		27	-A INPUT -p udp --sport 53 -j ACCEPT
		28
		29	COMMIT
		30


diff --git a/mketc.sh b/mketc.sh index 7b86a69e4..baca7c12e 100755 --- a/mketc.sh +++ b/mketc.sh
@@ -16,3 +16,9 @@ for file in $FILES
16	do	16	do
17	sed "s/\/etc/$result/g" $file > .$file	17	sed "s/\/etc/$result/g" $file > .$file
18	done	18	done
		19
		20	FILES=`ls etc/*.net`
		21	for file in $FILES
		22	do
		23	sed "s/\/etc/$result/g" $file > .$file
		24	done


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index c78dab441..b000ce04d 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -41,4 +41,6 @@
41	/etc/firejail/conkeror.profile	41	/etc/firejail/conkeror.profile
42	/etc/firejail/unbound.profile	42	/etc/firejail/unbound.profile
43	/etc/firejail/dnscrypt-proxy.profile	43	/etc/firejail/dnscrypt-proxy.profile
44	etc/whitelist-common.inc	44	/etc/firejail/whitelist-common.inc
		45	/etc/firejail/nolocal.net
		46	/etc/firejail/webserver.net


diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 98ca5e7a4..21e28c98b 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion
@@ -55,6 +55,10 @@ _firejail()
55	_filedir	55	_filedir
56	return 0	56	return 0
57	;;	57	;;
		58	--netfilter)
		59	_filedir
		60	return 0
		61	;;
58	--shell)	62	--shell)
59	_filedir	63	_filedir
60	return 0	64	return 0


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 370fce588..00abc13db 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -587,9 +587,30 @@ New network namespaces are created using \-\-net option. If a new network namesp
587	.br	587	.br
588		588
589	.br	589	.br
		590	The following filters are available in /etc/firejail directory:
		591	.br
		592
		593	.br
		594	.B webserver.net
		595	is a webserver filter that allows access only to TCP ports 80 and 443.
590	Example:	596	Example:
591	.br	597	.br
592	$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox	598
		599	.br
		600	$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
		601	.br
		602	/etc/init.d/apache2 start
		603	.br
		604
		605	.br
		606	.B nolocal.net
		607	is a client filter that disable access to local network. Example:
		608	.br
		609
		610	.br
		611	$ firejail --netfilter=/etc/firejail/nolocal.net \\
		612	.br
		613	--net=eth0 firefox
593	.TP	614	.TP
594	\fB\-\-netstats	615	\fB\-\-netstats
595	Monitor network namespace statistics, see MONITORING section for more details.	616	Monitor network namespace statistics, see MONITORING section for more details.
@@ -598,6 +619,8 @@ Monitor network namespace statistics, see MONITORING section for more details.
598	.br	619	.br
599	Example:	620	Example:
600	.br	621	.br
		622
		623	.br
601	$ firejail \-\-netstats	624	$ firejail \-\-netstats
602	.br	625	.br
603	PID User RX(KB/s) TX(KB/s) Command	626	PID User RX(KB/s) TX(KB/s) Command