profile for building software and running test suites ? #842
This came up on the debian-devel list btw:
I tried
@netblue30 The feature request here is something like --tracelog, but for network access.
I guess something like that could be achieved with iptables and the LOG target. |
Something like this should work, though it doesn't reach the kernel log (outside of firejail the rules are working). Edit: Oww, LOG has been disabled in containers inside the kernel: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69b34fb996b2eee3970548cf6eb516d3ecb5eeed
You can set up a bridge:
Disable routing, so traffic on 10.10.20.1/24 network doesn't escape outside:
Start Wireshark and monitor br0 interface, and start the sandbox:
The first ARP in the trace is the sandbox grabbing an IP address; you'll also get some IPv6 traffic as the sandbox is starting up. If you find a way to log the traffic automatically, I'll add it in.
I've just discovered that Linux 4.11 allows network namespace iptables logging. I've been looking for this type of functionality for quite a long time now, but I've finally figured it out. First, enable it: /etc/iptables/logdeny.rules:
Launch the namespace:
Run a test:
Kill the command, then check your kernel logs (dmesg or journalctl):
With this setup you can deny all traffic and log all outbound attempts. Another great use case is whitelisting specific IP addresses (and/or ports) for specific programs, and logging all packets dropped by the whitelist. I also wrote a script which pipes blocked packets into desktop notifications.
My dream of logging dropped packets using Firejail's netfilter is complete :)
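One concrete shape for the deny-and-log rules file and the log-to-notification parser the comment describes, as an added example (not the commenter's script and not firejail's own code). It assumes the rules are in iptables-restore format as loaded by `firejail --netfilter=/etc/iptables/logdeny.rules`, and the kernel log line it parses is constructed here.

```shell
#!/bin/sh
# Assumed contents of /etc/iptables/logdeny.rules: loopback only, default
# DROP everywhere, and every outbound packet logged (rate-limited) with a
# prefix that is easy to grep for in dmesg/journalctl. LOG does not
# terminate the rule walk, so the OUTPUT policy still drops the packet.
logdeny_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "firejail-deny: " --log-level 4
COMMIT
EOF
}

# Reduce one kernel log line emitted by the LOG rule above to the fields a
# desktop notification would show: "PROTO DST:DPT". Returns 1 for lines that
# do not carry our prefix, so unrelated kernel messages are ignored.
summarize_drop() {
  line="$1"; proto=; dst=; dpt=
  case "$line" in *"firejail-deny: "*) ;; *) return 1 ;; esac
  for tok in $line; do
    case "$tok" in
      PROTO=*) proto=${tok#PROTO=} ;;
      DST=*)   dst=${tok#DST=} ;;
      DPT=*)   dpt=${tok#DPT=} ;;
    esac
  done
  [ -n "$dst" ] || return 1
  printf '%s %s:%s\n' "$proto" "$dst" "${dpt:--}"
}

# Constructed sample of what the LOG target prints for a blocked HTTPS attempt
# from inside the sandbox (interface and addresses are made up).
SAMPLE_LINE='kernel: firejail-deny: IN= OUT=eth0-1234 SRC=10.10.20.2 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'
summarize_drop "$SAMPLE_LINE"
```

In practice the parser would be fed by `journalctl -k -f` and its output handed to `notify-send`; the rules file is only applied inside the sandbox's network namespace, so the host's firewall is untouched.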
Typical usage: firejail debuild, firejail sbuild, firejail git-buildpackage
...it should only allow networking on the loopback interface, and shout loudly if there's anything trying to access the internet.