*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] ################################################################### # Client filter rejecting local network traffic, with the exception of # DNS traffic # # Usage: # firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox # ################################################################### #allow all loopback traffic -A INPUT -i lo -j ACCEPT # no incoming connections -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # allow ping etc. -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # accept dns requests going out to a server on the local network -A OUTPUT -p udp --dport 53 -j ACCEPT # drop all local network traffic -A OUTPUT -d 192.168.0.0/16 -j DROP -A OUTPUT -d 10.0.0.0/8 -j DROP -A OUTPUT -d 172.16.0.0/12 -j DROP # drop multicast traffic -A OUTPUT -d 244.0.0.0/4 -j DROP COMMIT
distrib
>
Mageia
>
7
>
i586
>
media
>
core-release
>
by-pkgid
>
1a42680ee5b957363344592dc5ec538b
>
files
>
357
