-rw-r--r-- | Makefile.in | 2 | ||||
-rw-r--r-- | RELNOTES | 2 | ||||
-rw-r--r-- | etc/nolocal.net | 25 | ||||
-rw-r--r-- | etc/webserver.net | 30 | ||||
-rwxr-xr-x | mketc.sh | 6 | ||||
-rw-r--r-- | platform/debian/conffiles | 4 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 25 |
8 files changed, 96 insertions, 2 deletions
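--- a/Makefile.in
+++ b/Makefile.in
@@ -115,6 +115,8 @@ realinstall:
 	install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 	bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	rm -fr .etc
 # man pages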
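Review bot: The two new install lines at new lines 118-119 extend a hand-maintained list that must now agree with mketc.sh (which globs etc/*.net) and platform/debian/conffiles, so every future filter needs three coordinated edits. A glob-driven recipe line, `for f in .etc/*.net; do install -c -m 0644 $$f $(DESTDIR)/$(sysconfdir)/firejail/. || exit 1; done`, keeps the install step in sync with whatever mketc.sh generated. Unlike login.users on the following line, the filters are installed unconditionally, so a plain `make install` silently overwrites a locally hardened /etc/firejail/*.net; if that is intended, a short comment saying so would help. The realinstall recipe continues outside the hunk.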
@@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low | |||
4 | * whitelist command enhancements | 4 | * whitelist command enhancements |
5 | * prevent leaking user information by modifying /home directory, | 5 | * prevent leaking user information by modifying /home directory, |
6 | /etc/passwd and /etc/group | 6 | /etc/passwd and /etc/group |
7 | * added /etc/firejail/nolocal.net network filter | ||
8 | * added /etc/firejail/webserver.net network filter | ||
7 | * bugfixes | 9 | * bugfixes |
8 | -- netblue30 <netblue30@yahoo.com> ongoing development | 10 | -- netblue30 <netblue30@yahoo.com> ongoing development |
9 | 11 | ||
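--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT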
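Review bot: The DROP list at lines 22-24 covers only the three RFC 1918 ranges, so traffic to link-local 169.254.0.0/16 addresses still leaves the sandbox, and the UDP/53 exception at line 21 matches every local destination rather than the configured resolver, because it precedes the DROP rules. Adding `-A OUTPUT -d 169.254.0.0/16 -j DROP` next to the other three closes the first gap; the second is inherent to a static filter and is worth stating in the header, e.g. `# Note: UDP port 53 is accepted to any destination, local hosts included, so the resolver stays reachable`. The header comment says "rejecting" while the rules use DROP, so a sandboxed client waits for a timeout instead of getting an immediate error; either the wording or the target (`-j REJECT`) could be aligned.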
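--- /dev/null
+++ b/etc/webserver.net
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
+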
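Review bot: Line 27, `-A INPUT -p udp --sport 53 -j ACCEPT`, is stateless and the INPUT chain has no RELATED,ESTABLISHED rule, so any inbound UDP datagram carrying source port 53 is accepted whether or not the sandbox sent a query; it should be tied to the outgoing DNS rule with `-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`. The same stateful form is what lines 16-19 already use for TCP, so this is also a consistency fix. Note that, unlike nolocal.net, there is no `-A INPUT -i lo -j ACCEPT` rule, so a server in the sandbox that talks to itself over loopback is dropped by the INPUT DROP policy — presumably unintended, worth confirming.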
@@ -16,3 +16,9 @@ for file in $FILES | |||
16 | do | 16 | do |
17 | sed "s/\/etc/$result/g" $file > .$file | 17 | sed "s/\/etc/$result/g" $file > .$file |
18 | done | 18 | done |
19 | |||
20 | FILES=`ls etc/*.net` | ||
21 | for file in $FILES | ||
22 | do | ||
23 | sed "s/\/etc/$result/g" $file > .$file | ||
24 | done | ||
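Review bot: The new loop at lines 20-24 repeats the loop at lines 16-18 verbatim with only the file list changed; extending the first FILES assignment (outside the hunk) with the second glob, or iterating `for file in etc/*.net` directly, removes the copy. Parsing `ls` output in backticks is unnecessary and breaks on unusual file names, since the glob already expands in the for list. Both loops use `$file` unquoted and substitute `$result` into the sed expression without escaping, so a value containing `/` breaks the command — pre-existing, but the copy inherits it. The first loop's `for` line is in the hunk's context while its FILES assignment lies outside.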
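--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -41,4 +41,6 @@
 /etc/firejail/conkeror.profile
 /etc/firejail/unbound.profile
 /etc/firejail/dnscrypt-proxy.profile
-etc/whitelist-common.inc
+/etc/firejail/whitelist-common.inc
+/etc/firejail/nolocal.net
+/etc/firejail/webserver.net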
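--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -55,6 +55,10 @@ _firejail()
 _filedir
 return 0
 ;;
+--netfilter)
+_filedir
+return 0
+;;
 --shell)
 _filedir
 return 0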
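--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -587,9 +587,30 @@ New network namespaces are created using \-\-net option. If a new network namesp
 .br
 
 .br
+The following filters are available in /etc/firejail directory:
+.br
+
+.br
+.B webserver.net
+is a webserver filter that allows access only to TCP ports 80 and 443.
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+
+.br
+$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
+.br
+/etc/init.d/apache2 start
+.br
+
+.br
+.B nolocal.net
+is a client filter that disable access to local network. Example:
+.br
+
+.br
+$ firejail --netfilter=/etc/firejail/nolocal.net \\
+.br
+--net=eth0 firefox
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see MONITORING section for more details.
@@ -598,6 +619,8 @@ Monitor network namespace statistics, see MONITORING section for more details.
 .br
 Example:
 .br
+
+.br
 $ firejail \-\-netstats
 .br
 PID User RX(KB/s) TX(KB/s) Command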