github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6
firejail/etc/net/nolocal6.net

42 lines
1.4 KiB
Text
Raw Blame History

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
###################################################################
# Client filter rejecting local network traffic, with the exception of
# DNS traffic
#
# Usage:
# firejail --net=eth0 --netfilter6=/etc/firejail/nolocal6.net firefox
#
###################################################################
#allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# no incoming connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping etc.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT
# required for ipv6
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
# accept dns requests going out to a server on the local network
-A OUTPUT -p udp --dport 53 -j ACCEPT
# drop all local network traffic
-A OUTPUT -d FC00::/7 -j DROP
-A OUTPUT -d fe80::/10 -j DROP
# drop multicast traffic
# required for ipv6
-A OUTPUT -d ff02::2 -j ACCEPT
-A OUTPUT -d ff00::/8 -j DROP
COMMIT
Reference in a new issue View git blame Copy permalink