From a039bce14d634e891a670202047b0be674e5d547 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 20 Nov 2015 16:50:29 -0500
Subject: [PATCH] added webserver.net and nolocal.net network filters

---
 Makefile.in | 2 ++
 RELNOTES | 2 ++
 etc/nolocal.net | 25 ++++++++++++++++
 etc/webserver.net | 30 ++++++++++++++++++++
 mketc.sh | 6 ++++
 platform/debian/conffiles | 4 ++-
 src/bash_completion/firejail.bash_completion | 4 +++
 src/man/firejail.txt | 25 +++++++++++++++-
 8 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 etc/nolocal.net
 create mode 100644 etc/webserver.net

diff --git a/Makefile.in b/Makefile.in
index 65f43884b..cf27248c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -115,6 +115,8 @@ realinstall:
 install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 rm -fr .etc
 # man pages
diff --git a/RELNOTES b/RELNOTES
index a11674bab..d8dec685e 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low
 * whitelist command enhancements
 * prevent leaking user information by modifying /home directory, /etc/passwd and /etc/group
+ * added /etc/firejail/nolocal.net network filter
+ * added /etc/firejail/webserver.net network filter
 * bugfixes
 -- netblue30 ongoing development
diff --git a/etc/nolocal.net b/etc/nolocal.net
new file mode 100644
index 000000000..9c0c6e125
--- /dev/null
+++ b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
diff --git a/etc/webserver.net b/etc/webserver.net
new file mode 100644
index 000000000..d165e6faf
--- /dev/null
+++ b/etc/webserver.net
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
+
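Review bot: The OUTPUT DROP list at the end of the nolocal.net hunk covers only the three RFC 1918 ranges, so link-local and multicast destinations (169.254.0.0/16 and 224.0.0.0/4, the latter carrying mDNS, SSDP and similar LAN discovery) still reach the local segment even though the header comment promises to reject local network traffic. Adding `-A OUTPUT -d 169.254.0.0/16 -j DROP` and `-A OUTPUT -d 224.0.0.0/4 -j DROP` after the existing DROP lines closes those paths while leaving the DNS exception above them intact. The file is an iptables-restore table and therefore appears to filter IPv4 only; if the sandbox also receives IPv6 connectivity, the fe80::/10 and fc00::/7 equivalents would need a separate ip6tables filter. The header comment would also help readers by stating the ordering that the rules rely on, e.g. `# outbound DNS (UDP 53) is accepted to any address, including a LAN resolver, before the local ranges are dropped`.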
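Review bot: In the webserver.net hunk, `-A INPUT -p udp --sport 53 -j ACCEPT` under "allow outgoing DNS" accepts any inbound UDP datagram whose source port is 53, regardless of destination port or connection state, so every UDP service inside the sandbox becomes reachable to a sender that simply uses source port 53; tying the rule to the outbound query, `-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`, admits only genuine replies. The ICMP section accepts only echo-request, so destination-unreachable (including fragmentation-needed) is dropped and path-MTU discovery towards clients behind smaller-MTU links can blackhole large responses; nolocal.net in this same commit accepts it with `-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT` and the same line fits here. Unlike nolocal.net there is also no `-A INPUT -i lo -j ACCEPT`, so if the server talks to a backend over loopback (common, but not shown on this page) that traffic is dropped by the DROP policies on both chains.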
diff --git a/mketc.sh b/mketc.sh
index 7b86a69e4..baca7c12e 100755
--- a/mketc.sh
+++ b/mketc.sh
@@ -16,3 +16,9 @@ for file in $FILES
 do
 sed "s/\/etc/$result/g" $file > .$file
 done
+
+FILES=`ls etc/*.net`
+for file in $FILES
+do
+ sed "s/\/etc/$result/g" $file > .$file
+done
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index c78dab441..b000ce04d 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -41,4 +41,6 @@
 /etc/firejail/conkeror.profile
 /etc/firejail/unbound.profile
 /etc/firejail/dnscrypt-proxy.profile
-etc/whitelist-common.inc
+/etc/firejail/whitelist-common.inc
+/etc/firejail/nolocal.net
+/etc/firejail/webserver.net
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 98ca5e7a4..21e28c98b 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -55,6 +55,10 @@ _firejail()
 _filedir
 return 0
 ;;
+ --netfilter)
+ _filedir
+ return 0
+ ;;
 --shell)
 _filedir
 return 0
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 370fce588..00abc13db 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -587,9 +587,30 @@ New network namespaces are created using \-\-net option. If a new network namesp
 .br
 .br
+The following filters are available in /etc/firejail directory:
+.br
+
+.br
+.B webserver.net
+is a webserver filter that allows access only to TCP ports 80 and 443. Example:
 .br
-$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+
+.br
+$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
+.br
+/etc/init.d/apache2 start
+.br
+
+.br
+.B nolocal.net
+is a client filter that disable access to local network. Example:
+.br
+
+.br
+$ firejail --netfilter=/etc/firejail/nolocal.net \\
+.br
+--net=eth0 firefox
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see MONITORING section for more details.
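Review bot: The loop added to mketc.sh is a verbatim copy of the one above it, including the word list built from the output of `ls etc/*.net` and the unquoted `$file` in the sed line, so a filename containing whitespace or glob characters would be split or expanded before sed sees it. A shell glob does the same job without parsing ls: `for file in etc/*.net; do sed "s/\/etc/$result/g" "$file" > ".$file"; done`, or, simpler still, extend the pattern in the existing FILES assignment above the hunk so one loop handles every file. Both `$result` and the first FILES assignment are defined outside the hunk; this assumes `$result` is already sed-escaped, as the existing loop requires.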
@@ -597,6 +618,8 @@ Monitor network namespace statistics, see MONITORING section for more details.
 .br
 Example:
+.br
+
 .br
 $ firejail \-\-netstats
 .br