Examples
Allow all network connections
Allow all network communications and log each connection. In mode: monitor bouheki only records connections; nothing is blocked, which makes this the setting to run first when you want to see what a stricter policy would hit.
network:
  mode: monitor
  target: host
  cidr:
    allow: ['0.0.0.0/0']
Block specified private networks
Block access to 192.168.1.1/24 and 10.0.1.1/24 (in canonical form, the 192.168.1.0/24 and 10.0.1.0/24 networks). Everything else stays reachable through the allow-all range; the deny entries take precedence over it.
network:
  mode: block
  target: host
  cidr:
    allow: ['0.0.0.0/0']
    deny:
      - 192.168.1.1/24
      - 10.0.1.1/24
Block the metadata service API
Block access to the cloud instance metadata service at 169.254.169.254. This mitigates SSRF and similar attacks in which a compromised workload is used to read instance credentials from the metadata endpoint. Workloads that legitimately obtain role credentials from the instance also need this address, so run the rule in mode: monitor first to see what would break. The rule below is IPv4 only; check whether your provider also exposes the service on an IPv6 address.
network:
  mode: block
  target: host
  cidr:
    allow: ['0.0.0.0/0']
    deny:
      - 169.254.169.254/32
Block connections to the specified domain
Block connections to example.com. bouheki resolves the domain to its IP addresses and periodically re-resolves it, so the rule keeps up with IP address changes. Because the block is enforced on the resolved addresses, a connection made after the address changes but before the next lookup may still go through.
network:
  mode: block
  target: host
  cidr:
    allow: ['0.0.0.0/0']
  domain:
    deny:
      - example.com
Block network connections of containers
Block connections to example.com from containers while allowing the same connection from the host: with target: container the rules apply only to processes running inside containers.
network:
  mode: block
  target: container
  cidr:
    allow: ['0.0.0.0/0']
  domain:
    deny:
      - example.com
Example
vagrant@ubuntu-impish:~$ curl -I https://example.com
HTTP/2 200
vagrant@ubuntu-impish:~$ sudo docker run --rm -it curlimages/curl https://example.com
curl: (7) Couldn't connect to server
Block all connections from curl
Deny every network connection made by a process named curl, whatever the destination or user; other commands are unaffected. The example below is run on the host and shows curl being blocked, so the policy needs mode: block and target: host (a monitor-mode or container-only policy would let the host's curl through).
network:
  mode: block
  target: host
  cidr:
    allow: ['0.0.0.0/0']
  command:
    deny: ['curl']
Example
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ wget https://example.com -O /dev/null
--2022-03-09 14:45:11-- http://example.com/
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: ‘/dev/null’
/dev/null 100%[============================>] 1.23K --.-KB/s in 0s
2022-03-09 14:45:12 (70.1 MB/s) - ‘/dev/null’ saved [1256/1256]
curl fails at name resolution rather than at the HTTP connection because the DNS query sent by the curl process is itself a connection that the command rule denies; wget, which is not on the deny list, resolves and downloads normally.
Block all connections by users with UID 1000
Block all network access for the user with UID 1000 while leaving UID 0 (root) unrestricted. The check is made against the UID of the connecting process, which is why the sudo invocation in the example succeeds. As with the curl example, the transcript below is taken on the host and shows blocking, so the policy uses mode: block and target: host.
network:
  mode: block
  target: host
  cidr:
    allow: ['0.0.0.0/0']
  uid:
    allow: [0]
    deny: [1000]
Example
vagrant@ubuntu-impish:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
vagrant@ubuntu-impish:~$ curl -I https://example.com
curl: (6) Could not resolve host: example.com
vagrant@ubuntu-impish:~$ sudo curl -I https://example.com
HTTP/2 200
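The policies above combine an allow-all CIDR with deny entries for networks, domains, commands and UIDs, and the same policy behaves differently under mode: monitor and mode: block and under target: host and target: container. The following is an added example, not bouheki's own code: an offline evaluator for these policy shapes that lets you reason about what a rule would do to a given connect() before deploying it. Its assumptions are labelled in the code: rule precedence (any matching deny entry wins, then non-empty allow lists must contain the value), target semantics (host covers every process, container only processes inside a container), policies written as Python dicts instead of YAML, and a constructed resolver answer for example.com standing in for bouheki's periodic lookups.

```python
# Added example (not bouheki's code): an offline evaluator for the policy
# shapes used on this page. Rule precedence is an assumption of this example:
# any matching deny entry wins, then non-empty allow lists must contain the
# value. `target: host` is assumed to cover every process and
# `target: container` only processes running inside a container.
import ipaddress
from dataclasses import dataclass


@dataclass
class Conn:
    dst: str            # destination address passed to connect()
    comm: str           # name of the connecting process, e.g. "curl"
    uid: int            # uid of the connecting process
    in_container: bool  # whether the process runs inside a container


def _in_cidrs(ip, cidrs):
    # strict=False masks the host bits, so "192.168.1.1/24" covers 192.168.1.0/24
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs or [])


def violation(policy, conn, resolved):
    """Return the name of the rule that rejects conn, or None if it is allowed.

    `resolved` maps a domain to the addresses it currently resolves to; it
    stands in for the periodic lookups that turn domain rules into IP rules.
    """
    net = policy["network"]
    if net.get("target", "host") == "container" and not conn.in_container:
        return None  # container rules never touch host processes
    ip = ipaddress.ip_address(conn.dst)
    cidr, domain = net.get("cidr", {}), net.get("domain", {})
    command, uid = net.get("command", {}), net.get("uid", {})

    if _in_cidrs(ip, cidr.get("deny")):
        return "cidr.deny"
    for name in domain.get("deny") or []:
        if conn.dst in resolved.get(name, []):
            return "domain.deny:" + name
    if conn.comm in (command.get("deny") or []):
        return "command.deny"
    if conn.uid in (uid.get("deny") or []):
        return "uid.deny"
    if not _in_cidrs(ip, cidr.get("allow")):
        return "cidr.allow"  # no allow range covers the destination
    if command.get("allow") and conn.comm not in command["allow"]:
        return "command.allow"
    if uid.get("allow") and conn.uid not in uid["allow"]:
        return "uid.allow"
    return None


def decide(policy, conn, resolved=None):
    """'allow', 'deny', or 'monitor:<rule>' when mode: monitor would only log."""
    rule = violation(policy, conn, resolved or {})
    if rule is None:
        return "allow"
    if policy["network"].get("mode") == "block":
        return "deny"
    return "monitor:" + rule


# Policies transcribed from the YAML examples above, written as dicts here.
METADATA = {"network": {"mode": "block", "target": "host",
                        "cidr": {"allow": ["0.0.0.0/0"], "deny": ["169.254.169.254/32"]}}}
PRIVATE = {"network": {"mode": "block", "target": "host",
                       "cidr": {"allow": ["0.0.0.0/0"], "deny": ["192.168.1.1/24", "10.0.1.1/24"]}}}
CONTAINER_DOMAIN = {"network": {"mode": "block", "target": "container",
                                "cidr": {"allow": ["0.0.0.0/0"]},
                                "domain": {"deny": ["example.com"]}}}
UID_MONITOR = {"network": {"mode": "monitor", "target": "host",
                           "cidr": {"allow": ["0.0.0.0/0"]},
                           "uid": {"allow": [0], "deny": [1000]}}}
# Constructed resolver answer standing in for a real lookup of example.com.
RESOLVED = {"example.com": ["93.184.216.34"]}


if __name__ == "__main__":
    print(decide(METADATA, Conn("169.254.169.254", "curl", 1000, False)))
    print(decide(PRIVATE, Conn("192.168.1.200", "curl", 1000, False)))
    print(decide(CONTAINER_DOMAIN, Conn("93.184.216.34", "curl", 0, True), RESOLVED))
    print(decide(UID_MONITOR, Conn("93.184.216.34", "curl", 1000, False)))
```

Two things the evaluator makes visible that the YAML alone does not: the private-network deny entries written with host bits set (192.168.1.1/24) still cover the whole /24, and a UID policy left in mode: monitor reports what it would have blocked but returns allow, which is the difference behind the corrected mode: block in the curl and UID examples.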