From 018d75775eab4a0f045949a9d069c57686ca2686 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 21 Apr 2020 08:24:28 -0400
Subject: reorganize github etc directory

---
 etc/net/nolocal.net | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 etc/net/nolocal.net

(limited to 'etc/net/nolocal.net')

diff --git a/etc/net/nolocal.net b/etc/net/nolocal.net
new file mode 100644
index 000000000..8955f740d
--- /dev/null
+++ b/etc/net/nolocal.net
@@ -0,0 +1,36 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+#allow all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# no incoming connections
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+# accept dns requests going out to a server on the local network
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
+COMMIT
-- 
cgit v1.2.3-70-g09d2
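Review bot: The rule under "# drop multicast traffic" uses `244.0.0.0/4`, which after masking is the reserved 240.0.0.0/4 range, not IPv4 multicast; the multicast block is 224.0.0.0/4, so the line should read `-A OUTPUT -d 224.0.0.0/4 -j DROP`. As written, the sandboxed application can still send to multicast groups such as mDNS/SSDP on the local link, which is exactly what a "nolocal" profile is meant to prevent. The local-network drop list also omits link-local 169.254.0.0/16, so a sandboxed process can still reach hosts on that range with the OUTPUT policy of ACCEPT; adding `-A OUTPUT -d 169.254.0.0/16 -j DROP` alongside the RFC 1918 rules would close that. Note as well that the UDP/53 exception is placed before the drops and is not restricted to a resolver address, so any local host is reachable on UDP/53 from inside the sandbox; that is documented in the header, but it is worth a comment warning that the filter does not stop DNS-shaped traffic to arbitrary local hosts.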