added webserver.net and nolocal.net network filters

author: netblue30 <netblue30@yahoo.com> 2015-11-20 16:50:29 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-20 16:50:29 -0500
commit: a039bce14d634e891a670202047b0be674e5d547 (patch)
tree: a6f11ab356bce247dcf80bc0231c5a694aa53a9e /etc/nolocal.net
parent: testing (diff)
download: firejail-a039bce14d634e891a670202047b0be674e5d547.tar.gz
firejail-a039bce14d634e891a670202047b0be674e5d547.tar.zst
firejail-a039bce14d634e891a670202047b0be674e5d547.zip
1 files changed, 25 insertions, 0 deletions
diff --git a/etc/nolocal.net b/etc/nolocal.net
new file mode 100644
index 000000000..9c0c6e125
--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
author	netblue30 <netblue30@yahoo.com>	2015-11-20 16:50:29 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-20 16:50:29 -0500
commit	a039bce14d634e891a670202047b0be674e5d547 (patch)
tree	a6f11ab356bce247dcf80bc0231c5a694aa53a9e /etc/nolocal.net
parent	testing (diff)
download	firejail-a039bce14d634e891a670202047b0be674e5d547.tar.gz firejail-a039bce14d634e891a670202047b0be674e5d547.tar.zst firejail-a039bce14d634e891a670202047b0be674e5d547.zip

diff --git a/etc/nolocal.net b/etc/nolocal.net new file mode 100644 index 000000000..9c0c6e125 --- /dev/null +++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT ACCEPT [0:0]
	5
	6	###################################################################
	7	# Client filter rejecting local network traffic, with the exception of DNS traffic
	8	#
	9	# Usage:
	10	# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
	11	#
	12	###################################################################
	13
	14
	15	-A INPUT -i lo -j ACCEPT
	16	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	17	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
	18	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
	19	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
	20
	21	-A OUTPUT -p udp --dport 53 -j ACCEPT
	22	-A OUTPUT -d 192.168.0.0/16 -j DROP
	23	-A OUTPUT -d 10.0.0.0/8 -j DROP
	24	-A OUTPUT -d 172.16.0.0/12 -j DROP
	25	COMMIT