-
Notifications
You must be signed in to change notification settings - Fork 558
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--netlock #4848
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
A short description of what's coming.
Several type of programs (email clients, multiplayer games etc.) talk to a very small number of IP addresses. The best example is tor browser. It only talks to a guard node, and there are two or three more on standby in case the main one fails. During startup it contacts all of them, after that it keeps talking to the main one... for weeks!
So I put in something I would call a network locker. The browser starts up, and for about one minute firejail captures the network traffic and extracts the IP addresses. Then, it configures netfilter firewall allowing only traffic to/from this addresses. If somebody takes control of the browser using a zero-day exploit and tries to bypass tor, the firewall will drop the traffic.
It looks like this:
He got two addressees and locked the network. To set the firewall you need a network namespace (--net=eth0), use "ip addr show" or "/sbin/ifconfg" to get the name of your interface. It has been working fine for me for at least one month. Today, it just auto-updated to a new browser version through the firewall.
I didn't see it changing the guard node yet. It should happen every few weeks. I assume the change takes place at startup, so we can detect it when we set the firewall. The default network monitoring time is one minute, I'll have to make it configurable. Give it a try, and let me know what you think, thanks.
The text was updated successfully, but these errors were encountered: