author | netblue30 <netblue30@yahoo.com> | 2015-11-20 16:50:29 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-20 16:50:29 -0500 |
commit | a039bce14d634e891a670202047b0be674e5d547 (patch) | |
tree | a6f11ab356bce247dcf80bc0231c5a694aa53a9e /etc | |
parent | testing (diff) | |
added webserver.net and nolocal.net network filters
Diffstat (limited to 'etc')
-rw-r--r-- | etc/nolocal.net | 25 | ||||
-rw-r--r-- | etc/webserver.net | 30 |
2 files changed, 55 insertions, 0 deletions
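diff --git a/etc/nolocal.net b/etc/nolocal.net
new file mode 100644
index 000000000..9c0c6e125
--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT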
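Review bot: The header's "rejecting local network traffic" is wider than what the OUTPUT chain actually drops: only the three RFC 1918 ranges are blocked under an ACCEPT default policy, so link-local 169.254.0.0/16, multicast 224.0.0.0/4 (mDNS, SSDP) and the limited-broadcast address remain reachable, and because the UDP/53 ACCEPT precedes the DROP rules, UDP to port 53 on any host in those private ranges is allowed, not just to a resolver. If "no local network" is the intent, add `-A OUTPUT -d 169.254.0.0/16 -j DROP` and `-A OUTPUT -d 224.0.0.0/4 -j DROP` before COMMIT, and state in the header that TCP DNS (53/tcp) to a LAN resolver will be dropped while UDP/53 to any LAN host is permitted. The file is IPv4 iptables-restore syntax only; whether firejail also installs it for IPv6 is not visible here, so if it does not, ULA and link-local IPv6 destinations are presumably unfiltered and the header should say so.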
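diff --git a/etc/webserver.net b/etc/webserver.net
new file mode 100644
index 000000000..d165e6faf
--- /dev/null
+++ b/etc/webserver.net
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
+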
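Review bot: The DNS reply rule `-A INPUT -p udp --sport 53 -j ACCEPT` admits any inbound UDP datagram whose source port is 53, to any destination port, with no conntrack check, so a sender that sets its source port to 53 bypasses the INPUT DROP policy for every UDP socket in the sandbox. Replies to the sandbox's own queries are already tracked, so it should be `-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`, or the per-port ESTABLISHED clauses could be replaced by one `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` as nolocal.net does. The INPUT chain also accepts no RELATED traffic, so ICMP errors tied to the 80/443 connections (fragmentation-needed in particular) are dropped and path-MTU discovery can black-hole; `-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT` would cover that. There is no `-i lo` ACCEPT either, so a backend listening on 127.0.0.1 would be unreachable from the web server inside the sandbox — acceptable if intended, but worth a line in the header comment.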