netfilter template support

author: netblue30 <netblue30@yahoo.com> 2017-11-18 08:39:02 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-11-18 08:39:02 -0500
commit: ead4ec3089b97eda1b438da248caf76f169345ad (patch)
tree: 31bc22bcba4e6530b5f0daba3f332702efa7a4b9 /etc
parent: Consistent home directory nomenclature (diff)
download: firejail-ead4ec3089b97eda1b438da248caf76f169345ad.tar.gz
firejail-ead4ec3089b97eda1b438da248caf76f169345ad.tar.zst
firejail-ead4ec3089b97eda1b438da248caf76f169345ad.zip
1 files changed, 27 insertions, 0 deletions
diff --git a/etc/tcpserver.net b/etc/tcpserver.net
new file mode 100644
index 000000000..e60404e6b
--- /dev/null
+++ b/etc/tcpserver.net
@@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+###################################################################
+# Simple tcp filter template. $ARG1 is the port number.
+#
+# Usage:  $ARG1 in this template is replaced by 5001 from command line below
+#
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
+#      
+###################################################################
+# allow server traffic
+-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+COMMIT
author	netblue30 <netblue30@yahoo.com>	2017-11-18 08:39:02 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-11-18 08:39:02 -0500
commit	ead4ec3089b97eda1b438da248caf76f169345ad (patch)
tree	31bc22bcba4e6530b5f0daba3f332702efa7a4b9 /etc
parent	Consistent home directory nomenclature (diff)
download	firejail-ead4ec3089b97eda1b438da248caf76f169345ad.tar.gz firejail-ead4ec3089b97eda1b438da248caf76f169345ad.tar.zst firejail-ead4ec3089b97eda1b438da248caf76f169345ad.zip

diff --git a/etc/tcpserver.net b/etc/tcpserver.net new file mode 100644 index 000000000..e60404e6b --- /dev/null +++ b/etc/tcpserver.net
@@ -0,0 +1,27 @@
	1	*filter
	2	:INPUT DROP [0:0]
	3	:FORWARD DROP [0:0]
	4	:OUTPUT DROP [0:0]
	5
	6	###################################################################
	7	# Simple tcp filter template. $ARG1 is the port number.
	8	#
	9	# Usage: $ARG1 in this template is replaced by 5001 from command line below
	10	#
	11	# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
	12	#
	13	###################################################################
	14
	15	# allow server traffic
	16	-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT
	17	-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT
	18
	19	# allow incoming ping
	20	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
	21	-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
	22
	23	# allow outgoing DNS
	24	-A OUTPUT -p udp --dport 53 -j ACCEPT
	25	-A INPUT -p udp --sport 53 -j ACCEPT
	26
	27	COMMIT