-rw-r--r-- | etc/net/nolocal6.net | 41 |
1 files changed, 41 insertions, 0 deletions
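--- /dev/null
+++ b/etc/net/nolocal6.net
@@ -0,0 +1,41 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
+# required for ipv6
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d FC00::/7 -j DROP
+
+# drop multicast traffic
+# required for ipv6
+-A OUTPUT -d ff02::2 -j ACCEPT
+-A OUTPUT -d ff00::/8 -j DROP
+COMMIT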
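Review bot: The comment `# drop all local network traffic` above `-A OUTPUT -d FC00::/7 -j DROP` promises more than the rule delivers: only unique-local (ULA) destinations are dropped, while link-local `fe80::/10` destinations still leave the sandbox under the `:OUTPUT ACCEPT` policy, so a reader auditing this file as a "no local network" filter would be misled. Adding a blanket `fe80::/10` DROP would presumably break neighbour discovery, whose replies go to link-local unicast, so I would rather make the comment precise: `# drop unique-local (ULA) traffic; link-local fe80::/10 stays open for neighbour discovery`. Separately, the ICMPv6 INPUT accepts (destination-unreachable, time-exceeded, echo-request) omit `packet-too-big`, which RFC 4890 asks not to be filtered because path MTU discovery depends on it; the RELATED,ESTABLISHED rule likely covers it for tracked flows, but an explicit `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT` next to the other error types would not rely on conntrack classification.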