author | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-04-21 08:24:28 -0400 |
commit | 018d75775eab4a0f045949a9d069c57686ca2686 (patch) | |
tree | aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/net/nolocal.net | |
parent | small fixes (diff) | |
reorganize github etc directory
Diffstat (limited to 'etc/net/nolocal.net')
-rw-r--r-- | etc/net/nolocal.net | 36 |
1 files changed, 36 insertions, 0 deletions
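--- /dev/null
+++ b/etc/net/nolocal.net
@@ -0,0 +1,36 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
+COMMIT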
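Review bot: The multicast drop on the last OUTPUT rule targets `244.0.0.0/4`, but IPv4 multicast is 224.0.0.0/4, so the rule does not match multicast at all (and 244.0.0.0/4 is not a properly aligned prefix); it should read `-A OUTPUT -d 224.0.0.0/4 -j DROP`. The "drop all local network traffic" block covers only the three RFC 1918 ranges and leaves link-local 169.254.0.0/16 reachable, which in cloud or container deployments includes metadata services; if link-local destinations count as "local" here, add `-A OUTPUT -d 169.254.0.0/16 -j DROP` next to the other three. The usage comment points at /etc/firejail/nolocal.net while the file now lives under etc/net/, which is only consistent if the build installs the net/ subdirectory flat into /etc/firejail — worth confirming, or documenting in the header comment. Note also that the DNS accept deliberately precedes the local drops, so UDP/53 to local resolvers is allowed as the header states; a comment such as `# keep this rule above the local DROP rules` would make that ordering dependency explicit.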