author | netblue30 <netblue30@protonmail.com> | 2021-01-25 08:58:47 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-25 08:58:47 -0500 |
commit | 91df583d93a48bb7d79533192f75ddb0a9015371 (patch) | |
tree | f8458c573f29ecd8e36e30ec581d55e4e9793c15 /etc | |
parent | Merge pull request #3918 from Neo00001/master (diff) | |
parent | Create nolocal6.net (diff) | |
Merge pull request #3899 from rootalc/nolocal6
Create nolocal6.net
Diffstat (limited to 'etc')
-rw-r--r-- | etc/net/nolocal6.net | 41 |
1 files changed, 41 insertions, 0 deletions
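--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT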
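Review bot: The "drop all local network traffic" rule on line 35 covers only the ULA range FC00::/7, so link-local destinations in fe80::/10 and any LAN hosts addressed from a globally routed prefix remain reachable through the default `:OUTPUT ACCEPT` policy, which is narrower than the header comment promises. A comment above line 35 such as `# only ULA (fc00::/7) is blocked; link-local (fe80::/10) and globally addressed LAN hosts are not` would make that limitation explicit, since IPv6 has no RFC1918-style list of private ranges to enumerate. Dropping fe80::/10 outright would break neighbour discovery, because neighbour advertisements are sent unicast to link-local addresses; if that range is to be dropped, an ICMPv6 exception along the lines of `-A OUTPUT -p ipv6-icmp -j ACCEPT` would need to precede it. Separately, the `ff00::/8` DROP on line 40 exempts only ff02::2, while outgoing neighbour solicitations target solicited-node multicast addresses in ff02::1:ff00:0/104, so it is worth verifying on a live setup that address resolution from inside the sandbox still works, given that the INPUT side explicitly accepts neighbour-solicitation on line 27.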