https://github.com/the8472/ipfs-jail
wrap ipfs daemon in firejail, run as systemd service
- Host: GitHub
- URL: https://github.com/the8472/ipfs-jail
- Owner: the8472
- Created: 2016-01-05T01:28:15.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2016-01-08T16:46:01.000Z (over 9 years ago)
- Last Synced: 2025-04-01T12:52:54.048Z (3 months ago)
- Language: Go
- Size: 5.86 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# ipfs-jail
systemd unit file plus a firejail wrapper for the ipfs daemon, so the daemon is launched as a service inside a sandbox.
IPFS is still experimental: it needs filesystem and internet access, and it is also configurable over a remote (network) interface. To sleep more soundly I prefer it to run in a sandbox.
Advantages over a docker container are out-of-the-box seccomp filtering of unneeded system calls, and the ability to use whichever binaries are installed on the host system instead of having to manage container images.
## Prerequisites
* a bridge network device (default: br0), bridged to a physical device
* a separate user (default: ipfs) with a `.ipfs/` repository in its home directory; a symlink will suffice
* firejail
* dhclient
* iptables
* ipfs executable in `PATH`

## Default configuration
* allows connections from/to the public internet
* blocks connections to the local lan; allows from the local lan
* rules for v4 and v6
* blacklists common directories containing private data; if you have zpools/btrfs mounted outside /media, add them to the custom blacklist

Optional: netfilter rules for throttling or blocking outgoing ipv4 connections, to put less stress on NATs/conntrack.