added webserver.net and nolocal.net network filters

netblue30 · Nov 20, 2015 · a039bce · a039bce
1 parent e4f67ae
commit a039bce
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 2 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -115,6 +115,8 @@ realinstall:
 	install -c -m 0644 .etc/unbound.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/dnscrypt-proxy.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 	install -c -m 0644 .etc/whitelist-common.inc $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/nolocal.net $(DESTDIR)/$(sysconfdir)/firejail/.
+	install -c -m 0644 .etc/webserver.net $(DESTDIR)/$(sysconfdir)/firejail/.
 	bash -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 	rm -fr .etc
 	# man pages

diff --git a/RELNOTES b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.35) baseline; urgency=low
   * whitelist command enhancements
   * prevent leaking user information by modifying /home directory,
           /etc/passwd and /etc/group
+  * added /etc/firejail/nolocal.net network filter
+  * added /etc/firejail/webserver.net network filter
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  ongoing development
 

diff --git a/etc/nolocal.net b/etc/nolocal.net
@@ -0,0 +1,25 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of DNS traffic
+#
+# Usage:
+#     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
diff --git a/etc/webserver.net b/etc/webserver.net
@@ -0,0 +1,30 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+###################################################################
+# Simple webserver filter
+#
+# Usage:
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start
+#   firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start
+#
+###################################################################
+
+# allow webserver traffic
+-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
+
+# allow incoming ping
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# allow outgoing DNS
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p udp --sport 53 -j ACCEPT
+
+COMMIT
+
diff --git a/mketc.sh b/mketc.sh
@@ -16,3 +16,9 @@ for file in $FILES
 do
 	sed "s/\/etc/$result/g" $file > .$file
 done
+
+FILES=`ls etc/*.net`
+for file in $FILES
+do
+	sed "s/\/etc/$result/g" $file > .$file
+done
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
@@ -41,4 +41,6 @@
 /etc/firejail/conkeror.profile
 /etc/firejail/unbound.profile
 /etc/firejail/dnscrypt-proxy.profile
-etc/whitelist-common.inc
+/etc/firejail/whitelist-common.inc
+/etc/firejail/nolocal.net
+/etc/firejail/webserver.net
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
@@ -55,6 +55,10 @@ _firejail()
             _filedir
             return 0
             ;;
+        --netfilter)
+            _filedir
+            return 0
+            ;;
         --shell)
             _filedir
             return 0

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -587,16 +587,39 @@ New network namespaces are created using \-\-net option. If a new network namesp
 .br
 
 .br
+The following filters are available in /etc/firejail directory:
+.br
+
+.br
+.B webserver.net
+is a webserver filter that allows access only to TCP ports 80 and 443.
 Example:
 .br
-$ firejail \-\-net=eth0 \-\-netfilter=myfile firefox
+
+.br
+$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
+.br
+/etc/init.d/apache2 start
+.br
+
+.br
+.B nolocal.net
+is a client filter that disable access to local network. Example:
+.br
+
+.br
+$ firejail --netfilter=/etc/firejail/nolocal.net \\
+.br
+--net=eth0 firefox
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see MONITORING section for more details.
 .br
 
 .br
 Example:
+.br
+
 .br
 $ firejail \-\-netstats
 .br