https://github.com/msantos/libsockfilter

Connection filtering for dynamically linked applications

cdb firewall ldpreload

README

# NAME

libsockfilter - connection filtering for dynamically linked applications

# SYNOPSIS

* server

LD_PRELOAD=libsockfilter_accept.so *COMMAND* *ARG* *...*

* client

LD_PRELOAD=libsockfilter_connect.so *COMMAND* *ARG* *...*

# DESCRIPTION

An experimental library for adding connection
filtering to any dynamically linked application using
[tcprules](https://cr.yp.to/ucspi-tcp/tcprules.html) rules.

In contrast to managing a firewall, `libsockfilter` lets an
unprivileged user enforce network access for the applications they run:
`libsockfilter_accept.so` filters incoming connections as they are
returned by *accept*(2) and `libsockfilter_connect.so` filters outgoing
connections at *connect*(2), matching the peer's IP address against a
cdb rules database compiled with *tcprules*(1).

Because the library is loaded with `LD_PRELOAD`, it only covers programs
that are dynamically linked and that reach *accept*(2)/*connect*(2)
through libc. Statically linked binaries, programs that issue the system
calls directly, and setuid/setgid executables (for which the dynamic
loader ignores `LD_PRELOAD`) are not filtered, so this is a convenience
for an application's own traffic rather than a boundary against code
that wants to bypass it. Note also that the kernel completes the TCP
handshake before *accept*(2) returns, so a denied client can still
observe that a filtered port is open.

libsockfilter requires [libcdb](https://www.corpit.ru/mjt/tinycdb.html).

# BUILD

```
apt install libcdb-dev
apt install ucspi-tcp-ipv6 # or ucspi-tcp; provides tcprules(1) for compiling rule databases
make
```

# ENVIRONMENT VARIABLES

## common

`LIBSOCKFILTER_DEBUG`
: Write errors to stdout (default: disabled).

## libsockfilter_accept

`LIBSOCKFILTER_ACCEPT`
: Path to rules database. If the rules database is not accessible,
all connections are dropped.

## libsockfilter_connect

`LIBSOCKFILTER_CONNECT`
: Path to rules database. If the rules database is not accessible,
all connections are dropped.

# EXAMPLES

```
sudo apt install ucspi-tcp-ipv6 # or ucspi-tcp

# rules.txt: without a ":allow" default rule, unmatched addresses are denied
# 192.168.1.1: deny this exact address
# 127: deny any address beginning with 127
# ::1: deny the IPv6 loopback address
# :allow: everything else is allowed
cat > rules.txt <<EOF
192.168.1.1:deny
127:deny
::1:deny
:allow
EOF

# compile the rules into a cdb (tcprules reads the rules from stdin)
tcprules rules.cdb rules.cdb.tmp < rules.txt

# outgoing connection to 127.0.0.1 is denied by the "127" rule
LD_PRELOAD=./libsockfilter_connect.so \
LIBSOCKFILTER_CONNECT=./rules.cdb \
nc -vvv 127.0.0.1 22

# listener: connections from 127.* and ::1 are denied, others are accepted
LD_PRELOAD=./libsockfilter_accept.so \
LIBSOCKFILTER_ACCEPT=./rules.cdb \
nc -vvv -k -l 9999
```
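To show how the DESCRIPTION's `LD_PRELOAD` interposition and the EXAMPLES' rule semantics fit together, here is an added, self-contained connect(2) interposer written for this page. It is not libsockfilter's own code: the in-memory rule table stands in for the tcprules cdb, the `127.` entry uses tcprules' trailing-dot prefix syntax (the README writes `127`; which forms libsockfilter itself accepts is not stated on the page), and the lookup order (exact address, then successively shorter dotted prefixes, then the empty default key, with deny when nothing matches) is an assumption modelled on tcpserver's documented behaviour.

```c
/* Added example: a minimal LD_PRELOAD interposer for connect(2) in the
 * style of libsockfilter_connect.so. Not libsockfilter's code; the rule
 * table and the lookup order are assumptions described in the lead-in. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#ifndef RTLD_NEXT               /* glibc's value, in case _GNU_SOURCE was set too late */
#define RTLD_NEXT ((void *) -1l)
#endif

struct rule { const char *key; const char *action; };

/* Constructed rule set mirroring rules.txt from EXAMPLES (see lead-in). */
static const struct rule rules[] = {
    { "192.168.1.1", "deny"  },
    { "127.",        "deny"  },
    { "::1",         "deny"  },
    { "",            "allow" },   /* ":allow" in rules.txt: the default rule */
};

static const char *lookup(const char *key) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].key, key) == 0)
            return rules[i].action;
    return NULL;
}

/* 1 if the textual address is allowed, 0 if denied. With no matching
 * rule and no default rule the answer is deny. */
int sockfilter_allow(const char *ip) {
    char key[INET6_ADDRSTRLEN];
    size_t n = strlen(ip);
    const char *act;

    if (n >= sizeof key)
        return 0;
    memcpy(key, ip, n + 1);

    act = lookup(key);                      /* exact address */
    while (act == NULL && n > 0) {          /* 127.0.0. -> 127.0. -> 127. */
        n--;
        if (key[n] == '.') {
            key[n + 1] = '\0';
            act = lookup(key);
        }
    }
    if (act == NULL)
        act = lookup("");                   /* the ":action" default rule */
    return act != NULL && strcmp(act, "allow") == 0;
}

/* 1 allow, 0 deny, -1 for non-IP sockets (AF_UNIX etc.), which are
 * passed through unfiltered. */
int sockfilter_allow_sockaddr(const struct sockaddr *sa) {
    char ip[INET6_ADDRSTRLEN];
    const void *src;

    if (sa == NULL)
        return -1;
    if (sa->sa_family == AF_INET)
        src = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return -1;
    if (inet_ntop(sa->sa_family, src, ip, sizeof ip) == NULL)
        return -1;
    return sockfilter_allow(ip);
}

/* The interposed connect(2). With the library loaded via LD_PRELOAD the
 * application's connect() calls land here; allowed calls are forwarded to
 * the real libc connect found with RTLD_NEXT, denied calls fail with
 * ECONNREFUSED without reaching the kernel. */
int connect(int fd, const struct sockaddr *addr, socklen_t addrlen) {
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);

    if (real_connect == NULL)
        real_connect = dlsym(RTLD_NEXT, "connect");

    if (sockfilter_allow_sockaddr(addr) == 0) {
        errno = ECONNREFUSED;
        return -1;
    }
    return real_connect(fd, addr, addrlen);
}
```

Build it as a shared object (`gcc -shared -fPIC -o libexample_connect.so example.c -ldl`) and run `LD_PRELOAD=./libexample_connect.so nc -vvv 127.0.0.1 22` to see the loopback connection refused by the `127.` rule while `nc -vvv 10.0.0.5 22` is handed to the real connect. Only AF_INET and AF_INET6 sockets are consulted; everything else passes through, which is the behaviour you want so that a filtered program can still talk to local UNIX sockets such as the resolver or syslog.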

## ipsum

Using [ipsum](https://github.com/stamparm/ipsum), a daily aggregated list
of suspicious IP addresses. The awk filter skips comment lines and
addresses reported by only one or two of ipsum's source lists (the second
column), denying the rest. The download is done first and checked, because
a failed or empty fetch piped straight into tcprules would otherwise
produce a database containing only `:allow`:

```
curl --fail --silent --compressed -o ipsum.txt https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt &&
(
awk '/^#/{ next } $2 ~ /^[1-2]$/{next} {print $1 ":deny"}' ipsum.txt
echo :allow
) | tcprules rules.cdb rules.cdb.tmp
```

# SEE ALSO

*connect*(2), *accept*(2), *tcprules*(1), *hosts.allow*(5), *hosts.deny*(5)