author | netblue30 <netblue30@yahoo.com> | 2017-11-18 08:39:02 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-18 08:39:02 -0500 |
commit | ead4ec3089b97eda1b438da248caf76f169345ad (patch) | |
tree | 31bc22bcba4e6530b5f0daba3f332702efa7a4b9 /etc | |
parent | Consistent home directory nomenclature (diff) | |
netfilter template support
Diffstat (limited to 'etc')
-rw-r--r-- | etc/tcpserver.net | 27 |
1 files changed, 27 insertions, 0 deletions
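diff --git a/etc/tcpserver.net b/etc/tcpserver.net
new file mode 100644
index 000000000..e60404e6b
--- /dev/null
+++ b/etc/tcpserver.net
@@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple tcp filter template. $ARG1 is the port number.
+#
+# Usage: $ARG1 in this template is replaced by 5001 from command line below
+#
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
+#
+###################################################################
+
+# allow server traffic
+-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT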
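Review bot: The DNS reply rule on the last ACCEPT line (`-A INPUT -p udp --sport 53 -j ACCEPT`) is stateless, so any UDP datagram whose source port happens to be 53 is accepted into the sandbox from any host whether or not the sandbox ever sent a query — with the INPUT policy at DROP, that is the only unsolicited inbound path this template leaves open besides the server port and echo-request. Tie it to conntrack the same way the server-port rule a few lines above already does: `-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`. Separately, DNS over TCP is not permitted at all here, so a resolver that retries a truncated answer over TCP will hang under the DROP policy; if that is intentional for this template, a one-line comment under `# allow outgoing DNS` saying so would save the next reader a debugging session. The `$ARG1` substitution happens in firejail outside this file, so whether a non-numeric or out-of-range port argument is rejected before the rules are loaded cannot be judged from this hunk.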