From a039bce14d634e891a670202047b0be674e5d547 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 20 Nov 2015 16:50:29 -0500
Subject: added webserver.net and nolocal.net network filters
---
etc/nolocal.net | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 etc/nolocal.net
(limited to 'etc/nolocal.net')
diff --git a/etc/nolocal.net b/etc/nolocal.net
new file mode 100644
index 000000000..9c0c6e125
--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+ -A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
--
cgit v1.2.3-54-g00ecf
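Review bot: The OUTPUT deny list drops the three RFC 1918 ranges but not link-local 169.254.0.0/16, so a sandboxed client can still reach hosts on the same segment that fell back to an auto-configured address; add `-A OUTPUT -d 169.254.0.0/16 -j DROP` alongside the other three DROP rules. The DNS exception `-A OUTPUT -p udp --dport 53 -j ACCEPT` is UDP-only, so a truncated answer that retries over TCP 53 toward a local resolver is dropped; if that is intended, the header comment should say so, and if not, a matching `-A OUTPUT -p tcp --dport 53 -j ACCEPT` is needed. The header comment says "rejecting" while every rule uses DROP, so callers will see timeouts rather than immediate errors; stating "dropping (silently)" in the comment would set expectations correctly. These rules are IPv4-only, and whether an equivalent IPv6 filter is applied by firejail is not visible from this patch.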