-rw-r--r-- | etc/nolocal.net | 12 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 4 | ||||
-rw-r--r-- | src/firejail/sbox.c | 9 |
3 files changed, 14 insertions, 11 deletions
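--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -12,15 +12,25 @@
 #
 ###################################################################
 
-
+#allow all loopback traffic
 -A INPUT -i lo -j ACCEPT
+
+# no incoming connections
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
+# accept dns requests going out to a server on the local network
 -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
 -A OUTPUT -d 192.168.0.0/16 -j DROP
 -A OUTPUT -d 10.0.0.0/8 -j DROP
 -A OUTPUT -d 172.16.0.0/12 -j DROP
+
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
 COMMIT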
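Review bot: The new multicast rule on the last added line uses `244.0.0.0/4`, which is not the IPv4 multicast range; with a /4 prefix that address masks down to 240.0.0.0/4 (the reserved class E block), so outgoing multicast is still permitted while the comment above it says it is dropped. The intended rule is almost certainly `-A OUTPUT -d 224.0.0.0/4 -j DROP`. As far as I recall iptables masks the host bits to the prefix rather than rejecting the input, so this would load without any error; checking the loaded chain with `iptables -S OUTPUT` after a test run would confirm what actually got installed. The "drop all local network traffic" group also leaves 169.254.0.0/16 link-local reachable, which may or may not be intended for this profile.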
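--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -98,7 +98,7 @@ void netfilter(const char *fname) {
 
 // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
 // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
 unlink(SBOX_STDIN_FILE);
 
 // debug
@@ -147,7 +147,7 @@ void netfilter6(const char *fname) {
 
 // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
 // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
 unlink(SBOX_STDIN_FILE);
 
 // debug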
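Review bot: With the commented-out flags removed from the `sbox_run` call on line 101, the code no longer records that `SBOX_CAPS_NETWORK` and `SBOX_SECCOMP` exist and were left out on purpose; the comment above only says "caps and seccomp disabled", which a later cleanup could easily read as an oversight and tighten back up, breaking the first-run module autoload the comment describes. I would name the omitted flags in that comment, e.g. `// deliberately no SBOX_CAPS_NETWORK | SBOX_SECCOMP here: iptables-restore must be able to autoload ip_tables/x_tables/iptable_filter on first use`. The same applies to the netfilter6 hunk at line 150. Both `netfilter` and `netfilter6` begin outside their hunks, and the `unlink(SBOX_STDIN_FILE)` result on the following line is unchecked in each, so a stale rule file silently surviving would not be reported.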
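--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -104,13 +104,6 @@ static struct sock_fprog prog = {
 .filter = filter,
 };
 
-typedef struct sbox_config {
-char *name;
-char *path;
-unsigned filters;
-} SboxConfig;
-
-
 int sbox_run(unsigned filter, int num, ...) {
 EUID_ROOT();
 
@@ -142,7 +135,7 @@ int sbox_run(unsigned filter, int num, ...) {
 if (filter & SBOX_STDIN_FROM_FILE) {
 int fd;
 if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
-fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
+fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
 exit(1);
 }
 dup2(fd,STDIN_FILENO);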
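Review bot: The `open` on line 137 runs after `EUID_ROOT()` against a fixed path, and the message text removed on line 145 suggests that path lives under /tmp; if it still does, a root-privileged open of a predictable name in a world-writable directory should at least refuse to follow a symlink and should not leak the extra descriptor into the sandboxed child: `if((fd = open(SBOX_STDIN_FILE, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)) == -1) {` (the `dup2` target keeps stdin open for the child regardless of `O_CLOEXEC` on `fd`). The `dup2(fd,STDIN_FILENO)` on line 141 is also unchecked; on failure the command would inherit the caller's stdin instead of the rule file, and that should be a hard error like the open failure is. The message fix itself is right; appending `strerror(errno)` to it would make the failure diagnosable without strace. `sbox_run` continues outside the hunk, so I cannot see whether `fd` is closed after the dup2.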