added webserver.net and nolocal.net network filters

2026-05-21 06:45:29 -06:00 · 2015-11-20 16:50:29 -05:00 · 2015-11-20 16:50:29 -05:00 · a039bce14d
commit a039bce14d
parent e4f67ae2fb
8 changed files with 96 additions and 2 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -115,6 +115,8 @@ realinstall:
 	install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 	bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	rm -fr .etc
 	# man pages
--- a/2
+++ b/2
@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low
  * whitelist command enhancements
  * prevent leaking user information by modifying /home directory,
          /etc/passwd and /etc/group
+  * added /etc/firejail/nolocal.net network filter
+  * added /etc/firejail/webserver.net network filter
  * bugfixes
 -- netblue30 <netblue30@yahoo.com>  ongoing development

--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
--- a/etc/webserver.net
+++ b/etc/webserver.net
@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
+
--- a/mketc.sh
+++ b/mketc.sh
@ -16,3 +16,9 @@ for file in $FILES
 do
 	sed "s/\/etc/$result/g" $file > .$file
 done
+
+FILES=`ls etc/*.net`
+for file in $FILES
+do
+	sed "s/\/etc/$result/g" $file > .$file
+done
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@ -41,4 +41,6 @@
 /etc/firejail/conkeror.profile
 /etc/firejail/unbound.profile
 /etc/firejail/dnscrypt-proxy.profile
-etc/whitelist-common.inc
+/etc/firejail/whitelist-common.inc
+/etc/firejail/nolocal.net
+/etc/firejail/webserver.net
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@ -55,6 +55,10 @@ _firejail()
            _filedir
            return 0
            ;;
+        --netfilter)
+            _filedir
+            return 0
+            ;;
        --shell)
            _filedir
            return 0
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -587,9 +587,30 @@ New network namespaces are created using \-\-net option. If a new network namesp
 .br

 .br
+The following filters are available in /etc/firejail directory:
+.br
+
+.br
+.B webserver.net
+is a webserver filter that allows access only to TCP ports 80 and 443.
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+
+.br
+$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
+.br
+/etc/init.d/apache2 start
+.br
+
+.br
+.B nolocal.net
+is a client filter that disable access to local network. Example:
+.br
+
+.br
+$ firejail --netfilter=/etc/firejail/nolocal.net \\
+.br
+--net=eth0 firefox
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see MONITORING section for more details.
@ -597,6 +618,8 @@ Monitor network namespace statistics, see MONITORING section for more details.

 .br
 Example:
+.br
+
 .br
 $ firejail \-\-netstats
 .br