cleanup

author: netblue30 <netblue30@yahoo.com> 2017-11-13 07:55:29 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-11-13 07:55:29 -0500
commit: 39a175d692bfa8514a649449c938afbc2c12dc6f (patch)
tree: 54796c70ee3cdcca3a0607e5c1d74269bd27913a /etc/nolocal.net
parent: Add private-dev to qtox (diff)
download: firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.gz
firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.zst
firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.zip
1 files changed, 11 insertions, 1 deletions
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9fa785450..8955f740d 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -12,15 +12,25 @@
 #
 ###################################################################
+#allow all loopback traffic
 -A INPUT -i lo -j ACCEPT
+# no incoming connections
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# allow ping etc.
 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+# accept dns requests going out to a server on the local network
 -A OUTPUT -p udp --dport 53 -j ACCEPT
+# drop all local network traffic
 -A OUTPUT -d 192.168.0.0/16 -j DROP
 -A OUTPUT -d 10.0.0.0/8 -j DROP
 -A OUTPUT -d 172.16.0.0/12 -j DROP
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
 COMMIT
author	netblue30 <netblue30@yahoo.com>	2017-11-13 07:55:29 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-11-13 07:55:29 -0500
commit	39a175d692bfa8514a649449c938afbc2c12dc6f (patch)
tree	54796c70ee3cdcca3a0607e5c1d74269bd27913a /etc/nolocal.net
parent	Add private-dev to qtox (diff)
download	firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.gz firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.tar.zst firejail-39a175d692bfa8514a649449c938afbc2c12dc6f.zip

diff --git a/etc/nolocal.net b/etc/nolocal.net index 9fa785450..8955f740d 100644 --- a/etc/nolocal.net +++ b/etc/nolocal.net
@@ -12,15 +12,25 @@
12	#	12	#
13	###################################################################	13	###################################################################
14		14
15		15	#allow all loopback traffic
16	-A INPUT -i lo -j ACCEPT	16	-A INPUT -i lo -j ACCEPT
		17
		18	# no incoming connections
17	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT	19	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
		20
		21	# allow ping etc.
18	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT	22	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
19	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT	23	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
20	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT	24	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
21		25
		26	# accept dns requests going out to a server on the local network
22	-A OUTPUT -p udp --dport 53 -j ACCEPT	27	-A OUTPUT -p udp --dport 53 -j ACCEPT
		28
		29	# drop all local network traffic
23	-A OUTPUT -d 192.168.0.0/16 -j DROP	30	-A OUTPUT -d 192.168.0.0/16 -j DROP
24	-A OUTPUT -d 10.0.0.0/8 -j DROP	31	-A OUTPUT -d 10.0.0.0/8 -j DROP
25	-A OUTPUT -d 172.16.0.0/12 -j DROP	32	-A OUTPUT -d 172.16.0.0/12 -j DROP
		33
		34	# drop multicast traffic
		35	-A OUTPUT -d 244.0.0.0/4 -j DROP
26	COMMIT	36	COMMIT