reorganize github etc directory

author: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-04-21 08:24:28 -0400
commit: 018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree: aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/net
parent: small fixes (diff)
download: firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz
firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst
firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip
3 files changed, 92 insertions, 0 deletions
diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net
new file mode 100644
index 000000000..8955f740d
--- /dev/null
+++ b/etc/net/nolocal.net
@@ -0,0 +1,36 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow ping etc.
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+# drop all local network traffic
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
+COMMIT
diff --git a/etc/net/tcpserver.net b/etc/net/tcpserver.net
new file mode 100644
index 000000000..9c39ee5fb
--- /dev/null
+++ b/etc/net/tcpserver.net
@@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+###################################################################
+# Simple tcp filter template. $ARG1 is the port number.
+#
+# Usage:  $ARG1 in this template is replaced by 5001 from command line below
+#
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
+#
+###################################################################
+# allow server traffic
+-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+COMMIT
diff --git a/etc/net/webserver.net b/etc/net/webserver.net
new file mode 100644
index 000000000..83db76825
--- /dev/null
+++ b/etc/net/webserver.net
@@ -0,0 +1,29 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+COMMIT
author	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-04-21 08:24:28 -0400
commit	018d75775eab4a0f045949a9d069c57686ca2686 (patch)
tree	aac3a1a65cca0d4875795c55109a5c3e35efdefb /etc/net
parent	small fixes (diff)
download	firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.gz firejail-018d75775eab4a0f045949a9d069c57686ca2686.tar.zst firejail-018d75775eab4a0f045949a9d069c57686ca2686.zip

diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net new file mode 100644 index 000000000..8955f740d --- /dev/null +++ b/etc/net/nolocal.net
@@ -0,0 +1,36 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT ACCEPT [0:0]
	5
	6	###################################################################
	7	# Client filter rejecting local network traffic, with the exception of
	8	# DNS traffic
	9	#
	10	# Usage:
	11	# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
	12	#
	13	###################################################################
	14
	15	#allow all loopback traffic
	16	-A INPUT -i lo -j ACCEPT
	17
	18	# no incoming connections
	19	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	20
	21	# allow ping etc.
	22	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
	23	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
	24	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
	25
	26	# accept dns requests going out to a server on the local network
	27	-A OUTPUT -p udp --dport 53 -j ACCEPT
	28
	29	# drop all local network traffic
	30	-A OUTPUT -d 192.168.0.0/16 -j DROP
	31	-A OUTPUT -d 10.0.0.0/8 -j DROP
	32	-A OUTPUT -d 172.16.0.0/12 -j DROP
	33
	34	# drop multicast traffic
	35	-A OUTPUT -d 244.0.0.0/4 -j DROP
	36	COMMIT


diff --git a/etc/net/tcpserver.net b/etc/net/tcpserver.net new file mode 100644 index 000000000..9c39ee5fb --- /dev/null +++ b/etc/net/tcpserver.net
@@ -0,0 +1,27 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT DROP [0:0]
	5
	6	###################################################################
	7	# Simple tcp filter template. $ARG1 is the port number.
	8	#
	9	# Usage: $ARG1 in this template is replaced by 5001 from command line below
	10	#
	11	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
	12	#
	13	###################################################################
	14
	15	# allow server traffic
	16	-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
	17	-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
	18
	19	# allow incoming ping
	20	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
	21	-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
	22
	23	# allow outgoing DNS
	24	-A OUTPUT -p udp --dport 53 -j ACCEPT
	25	-A INPUT -p udp --sport 53 -j ACCEPT
	26
	27	COMMIT


diff --git a/etc/net/webserver.net b/etc/net/webserver.net new file mode 100644 index 000000000..83db76825 --- /dev/null +++ b/etc/net/webserver.net
@@ -0,0 +1,29 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT DROP [0:0]
	5
	6	###################################################################
	7	# Simple webserver filter
	8	#
	9	# Usage:
	10	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
	11	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
	12	#
	13	###################################################################
	14
	15	# allow webserver traffic
	16	-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
	17	-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
	18	-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
	19	-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
	20
	21	# allow incoming ping
	22	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
	23	-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
	24
	25	# allow outgoing DNS
	26	-A OUTPUT -p udp --dport 53 -j ACCEPT
	27	-A INPUT -p udp --sport 53 -j ACCEPT
	28
	29	COMMIT