You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Several type of programs (email clients, multiplayer games etc.) talk to a very small number of IP addresses. The best example is tor browser. It only talks to a guard node, and there are two or three more on standby in case the main one fails. During startup it contacts all of them, after that it keeps talking to the main one... for weeks!
So I put in something I would call a network locker. The browser starts up, and for about one minute firejail captures the network traffic and extracts the IP addresses. Then, it configures netfilter firewall allowing only traffic to/from this addresses. If somebody takes control of the browser using a zero-day exploit and tries to bypass tor, the firewall will drop the traffic.
It looks like this:
$ firejail --name=tor --private=~/tor-browser_en-US --netlock --net=enp3s0 ./start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.desktop.profile
[...]
accumulating traffic for 60 seconds
.. 46.4.66.178 217.182.196.67 ..........................................................
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A INPUT -s 46.4.66.178 -p tcp -j ACCEPT
-A OUTPUT -d 46.4.66.178 -p tcp -j ACCEPT
-A INPUT -s 217.182.196.67 -p tcp -j ACCEPT
-A OUTPUT -d 217.182.196.67 -p tcp -j ACCEPT
COMMIT
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
firewall deployed
He got two addressees and locked the network. To set the firewall you need a network namespace (--net=eth0), use "ip addr show" or "/sbin/ifconfg" to get the name of your interface. It has been working fine for me for at least one month. Today, it just auto-updated to a new browser version through the firewall.
I didn't see it changing the guard node yet. It should happen every few weeks. I assume the change takes place at startup, so we can detect it when we set the firewall. The default network monitoring time is one minute, I'll have to make it configurable. Give it a try, and let me know what you think, thanks.
The text was updated successfully, but these errors were encountered:
A short description of what's coming.
Several type of programs (email clients, multiplayer games etc.) talk to a very small number of IP addresses. The best example is tor browser. It only talks to a guard node, and there are two or three more on standby in case the main one fails. During startup it contacts all of them, after that it keeps talking to the main one... for weeks!
So I put in something I would call a network locker. The browser starts up, and for about one minute firejail captures the network traffic and extracts the IP addresses. Then, it configures netfilter firewall allowing only traffic to/from this addresses. If somebody takes control of the browser using a zero-day exploit and tries to bypass tor, the firewall will drop the traffic.
It looks like this:
He got two addressees and locked the network. To set the firewall you need a network namespace (--net=eth0), use "ip addr show" or "/sbin/ifconfg" to get the name of your interface. It has been working fine for me for at least one month. Today, it just auto-updated to a new browser version through the firewall.
I didn't see it changing the guard node yet. It should happen every few weeks. I assume the change takes place at startup, so we can detect it when we set the firewall. The default network monitoring time is one minute, I'll have to make it configurable. Give it a try, and let me know what you think, thanks.
The text was updated successfully, but these errors were encountered: