Network Policy Plugin
The Network Policy Plugin allows users to define and enforce traffic policies based on CIDRs (IP ranges) and domain resolutions. It supports advanced configurations for alerting, enforcing, and bypassing traffic rules, ensuring flexible network control.
Jibril execution:

```shell
sudo -E jibril --log-level info --extension config --extension data --extension jibril --plugin jibril:hold --printer jibril:printers:stdout
```

Enable the Network Policy Plugin:

```shell
--plugin jibril:netpolicy:file=/path/to/policy.yaml
```

Enable the alert events (needed when the `alert` or `both` mode is enabled):

```shell
... --event jibril:netpolicy:dropip --event jibril:netpolicy:dropdomain
```
Configuration Example

```yaml
#
# Alert and deny all traffic by default, allowing only declared domains to be resolved.
#
network_policy:
  #
  # The CIDR mode and policy define the IP address policy. Users can choose to block,
  # alert, enforce, or bypass traffic based on CIDR rules.
  #
  # * "cidr_mode":
  #
  #   - "bypass": Allow all traffic.
  #   - "alert": Alert on denied traffic to CIDRs or domains.
  #   - "enforce": Block denied traffic to CIDRs or domains.
  #   - "both": Alert and block denied traffic to CIDRs or domains.
  #
  # * "cidr_policy":
  #
  #   - "allow": Allow traffic to CIDRs or domains by default.
  #   - "deny": Block traffic to CIDRs or domains by default.
  #
  # As an example, the user might have a default "cidr_policy" set to "deny" and allow all
  # IPs with "cidr" set to "0.0.0.0/0". Then, the user might block an IP with a higher
  # prefix length, such as "9.9.9.9/32".
  #
  cidr_mode: "both"
  cidr_policy: "allow"
  #
  # The RESOLVE mode and policy define the domain resolution policy. Users can block
  # specific domains from being resolved or allow them with alerts.
  #
  # For example, if "resolve_mode" is set to "bypass" but a domain is declared as denied,
  # the resolution will be allowed, but the resolved IPs will be blocked.
  #
  # When "resolve_mode" is enabled (alert, enforce, or both), "resolve_policy" determines
  # whether the resolution should be allowed or denied by default.
  #
  # 1. To be alerted on denied domain resolutions, set "resolve_mode" to "alert" and
  #    "resolve_policy" to "deny". You may still block IPs resolved from specific domains.
  #
  # 2. To block the resolution of denied domains, set "resolve_mode" to "enforce"
  #    and "resolve_policy" to "deny". Be aware that if "cidr_mode" is set to "bypass", the
  #    resolution will be disallowed, but direct IP connections to the domain will
  #    still be allowed.
  #
  # * "resolve_mode":
  #
  #   - "bypass": Allow all domains to be resolved.
  #   - "alert": Alert on denied domain resolutions.
  #   - "enforce": Block the resolution of denied domains.
  #   - "both": Alert and block the resolution of denied domains.
  #
  # * "resolve_policy":
  #
  #   - "allow": Allow domain resolution by default.
  #   - "deny": Block domain resolution by default.
  #
  # NOTE: domain rules exist independently of "resolve_mode". If a domain is declared
  # as "deny", its resolved IPs won't be reachable, regardless of "resolve_mode",
  # which only controls the resolution process.
  #
  resolve_mode: "bypass"
  resolve_policy: "allow"
  #
  rules:
    # Whitelist Everything (test only).
    # - cidr: "0.0.0.0/0"
    #   policy: "allow"
    # Whitelisted CIDRs (localhost).
    - cidr: "127.0.0.0/8"
      policy: "allow"
    - cidr: "::1/128"
      policy: "allow"
    # Whitelisted CIDRs (internal networks).
    - cidr: "192.168.0.0/16"
      policy: "allow"
    - cidr: "172.16.0.0/16"
      policy: "allow"
    - cidr: "10.0.0.0/8"
      policy: "allow"
    - cidr: "10.0.0.1/32"
      policy: "allow"
    # Whitelisted CIDRs (nameservers).
    - cidr: "8.8.8.8/32"
      policy: "allow"
    - cidr: "8.8.4.4/32"
      policy: "allow"
    - cidr: "1.1.1.1/32"
      policy: "allow"
    - cidr: "9.9.9.9/32"
      policy: "allow"
    # Whitelisted Domains.
    - domain: "org"
      policy: "allow"
    - domain: "google.com"
      policy: "allow"
    # Blacklisted Domains.
    - domain: "example.com"
      policy: "deny"
    - domain: "uol.com.br"
      policy: "deny"
```
Configuration Overview

| Field | Description |
|---|---|
| `cidr_mode` | Defines the mode for handling traffic based on CIDRs. Possible values: `bypass`, `alert`, `enforce`, `both`. |
| `cidr_policy` | Determines the default policy for CIDRs. Possible values: `allow`, `deny`. |
| `resolve_mode` | Defines the mode for handling domain resolutions. Possible values: `bypass`, `alert`, `enforce`, `both`. |
| `resolve_policy` | Determines the default policy for domain resolutions. Possible values: `allow`, `deny`. |
| `rules` | List of custom rules for specific CIDRs or domains, allowing fine-grained control. |
Modes and Policies

CIDR Modes

| Mode | Description |
|---|---|
| `bypass` | Allow all traffic to and from the specified CIDRs. |
| `alert` | Alert when traffic violates CIDR rules, but do not block it. |
| `enforce` | Block traffic that violates CIDR rules. |
| `both` | Both alert on and block traffic that violates CIDR rules. |

CIDR Policy

| Policy | Description |
|---|---|
| `allow` | Allow traffic to CIDRs by default. |
| `deny` | Block traffic to CIDRs by default. |

Resolve Modes

| Mode | Description |
|---|---|
| `bypass` | Allow all domain resolutions. |
| `alert` | Alert when a domain resolution violates rules, but do not block it. |
| `enforce` | Block domain resolutions that violate rules. |
| `both` | Both alert on and block domain resolutions that violate rules. |

Resolve Policy

| Policy | Description |
|---|---|
| `allow` | Allow domain resolutions by default. |
| `deny` | Block domain resolutions by default. |
Rule Details

CIDR Rules

| CIDR | Policy | Description |
|---|---|---|
| `127.0.0.0/8` | allow | Allow all traffic to localhost. |
| `::1/128` | allow | Allow IPv6 localhost traffic. |
| `192.168.0.0/16` | allow | Allow traffic within the internal network. |
| `172.16.0.0/16` | allow | Allow traffic within the internal network. |
| `10.0.0.0/8` | allow | Allow traffic within the internal network. |
| `8.8.8.8/32` | allow | Allow traffic to Google Public DNS. |
| `8.8.4.4/32` | allow | Allow traffic to Google Public DNS. |
| `1.1.1.1/32` | allow | Allow traffic to Cloudflare DNS. |
| `9.9.9.9/32` | allow | Allow traffic to Quad9 DNS. |

Domain Rules

| Domain | Policy | Description |
|---|---|---|
| `org` | allow | Allow resolution of all `.org` domains. |
| `google.com` | allow | Allow resolution of `google.com`. |
| `example.com` | deny | Block resolution of `example.com`. |
| `uol.com.br` | deny | Block resolution of `uol.com.br`. |
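To make the semantics of the configuration example and the tables above concrete, here is an added, stand-alone evaluator (example code, not Jibril's own implementation). It takes an in-memory copy of the policy (a constructed dict standing in for the YAML file), applies longest-prefix matching for CIDR rules and label-wise suffix matching for domain rules, both of which are assumptions inferred from the `0.0.0.0/0` versus `9.9.9.9/32` comment and the `org` rule, and then maps the verdict through `cidr_mode` or `resolve_mode` to decide whether an alert, a block, both, or neither would result. `Decision`, `page_scenario`, and the `resolved_from` parameter are names invented for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed in-memory copy of the policy shown above (the plugin itself reads
# the YAML file passed via --plugin jibril:netpolicy:file=...).
POLICY = {
    "cidr_mode": "both", "cidr_policy": "allow",
    "resolve_mode": "bypass", "resolve_policy": "allow",
    "rules": [{"cidr": c, "policy": "allow"} for c in (
        "127.0.0.0/8", "::1/128", "192.168.0.0/16", "172.16.0.0/16", "10.0.0.0/8",
        "10.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32", "1.1.1.1/32", "9.9.9.9/32")]
    + [{"domain": "org", "policy": "allow"}, {"domain": "google.com", "policy": "allow"},
       {"domain": "example.com", "policy": "deny"}, {"domain": "uol.com.br", "policy": "deny"}],
}

# mode -> (emit alert, block), straight from the mode tables above.
MODE_ACTIONS = {"bypass": (False, False), "alert": (True, False),
                "enforce": (False, True), "both": (True, True)}

@dataclass(frozen=True)
class Decision:
    policy: str   # "allow" or "deny" once rules and defaults are applied
    alert: bool   # an alert event would be emitted
    block: bool   # the connection or resolution would be blocked
    matched: str  # rule that produced the verdict, or "default"

def cidr_verdict(policy, ip):
    # Longest-prefix match (assumption; it is what lets 9.9.9.9/32 override 0.0.0.0/0).
    addr, best = ipaddress.ip_address(ip), None
    for rule in policy["rules"]:
        if "cidr" not in rule:
            continue
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, rule["policy"])
    return (policy["cidr_policy"], "default") if best is None else (best[1], str(best[0]))

def domain_verdict(policy, name):
    # Label-wise suffix match ("org" covers every .org name); longest suffix wins (assumption).
    labels, best = name.lower().rstrip(".").split("."), None
    for rule in policy["rules"]:
        if "domain" not in rule:
            continue
        rl = rule["domain"].lower().rstrip(".").split(".")
        if labels[-len(rl):] == rl and (best is None or len(rl) > len(best[0])):
            best = (rl, rule["policy"], rule["domain"])
    return (policy["resolve_policy"], "default") if best is None else (best[1], best[2])

def decide_resolution(policy, name):
    # resolve_mode decides how a denied resolution is handled.
    verdict, matched = domain_verdict(policy, name)
    if verdict == "allow":
        return Decision("allow", False, False, matched)
    return Decision("deny", *MODE_ACTIONS[policy["resolve_mode"]], matched)

def decide_connection(policy, ip, resolved_from=None):
    # Per the NOTE in the config: an IP resolved from a denied domain is denied
    # whatever resolve_mode says; cidr_mode then decides how the denial is acted on.
    verdict, matched = cidr_verdict(policy, ip)
    if resolved_from is not None:
        dverdict, dmatched = domain_verdict(policy, resolved_from)
        if dverdict == "deny":
            verdict, matched = "deny", "domain:" + dmatched
    if verdict == "allow":
        return Decision("allow", False, False, matched)
    return Decision("deny", *MODE_ACTIONS[policy["cidr_mode"]], matched)

def page_scenario():
    # The scenario from the config comment: default deny, allow 0.0.0.0/0, deny 9.9.9.9/32.
    policy = {"cidr_mode": "enforce", "cidr_policy": "deny", "resolve_mode": "bypass",
              "resolve_policy": "allow", "rules": [{"cidr": "0.0.0.0/0", "policy": "allow"},
                                                   {"cidr": "9.9.9.9/32", "policy": "deny"}]}
    return decide_connection(policy, "9.9.9.9"), decide_connection(policy, "8.8.8.8")

if __name__ == "__main__":
    for name in ("wikipedia.org", "mail.google.com", "www.example.com", "notexample.com"):
        print(name, decide_resolution(POLICY, name))
    for ip in ("10.0.0.1", "172.17.0.1", "::1"):
        print(ip, decide_connection(POLICY, ip))
    print("via example.com:", decide_connection(POLICY, "203.0.113.5", "example.com"))
    print("page scenario:", page_scenario())
```

Two things the run makes visible that the tables do not: with the example's `resolve_mode: "bypass"`, resolving `www.example.com` is a deny verdict that neither alerts nor blocks, while a connection to the IP it resolved to is both alerted on and blocked because `cidr_mode` is `both`; and `172.17.0.1` falls through to the default because the example's `172.16.0.0/16` covers only `172.16.0.0` to `172.16.255.255` (the full RFC 1918 block is `172.16.0.0/12`), which matters once `cidr_policy` is switched to `deny`. The label-wise domain match also keeps `notexample.com` from being caught by the `example.com` rule, which a plain substring match would not.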
Key Features

- **Alert and Enforce Modes**: flexibly alert on or block traffic and domain resolutions based on custom rules.
- **Granular Rule Definition**: define specific CIDRs or domains to allow or deny traffic.
- **Default Policy Configuration**: set default allow or deny policies for both CIDRs and domains.
- **Independent Rules**: domain resolution rules operate independently of CIDR traffic rules for fine-grained control.
- **Testing Support**: easily configure test rules, such as whitelisting all traffic, for development and debugging purposes.

Note: Ensure that CIDR and domain rules are carefully managed to avoid unintended access or blocking.
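One way to act on that note before a policy reaches production is a small lint pass over the file. The checker below is an added example, not part of Jibril: it validates the mode and policy values against the tables above, rejects rules that lack exactly one of `cidr` or `domain`, reports CIDRs that do not parse or have host bits set, flags a wide-open `allow` rule (the "test only" case from the configuration example) and contradictory duplicates, and points out more specific rules that change nothing because their nearest enclosing rule already carries the same policy, as `10.0.0.1/32` does under `10.0.0.0/8`. Both input policies are constructed for the example, and `lint_policy` and the finding format are invented here.

```python
import ipaddress

MODES, POLICIES = {"bypass", "alert", "enforce", "both"}, {"allow", "deny"}

# Constructed policies: one mirroring the redundant allow pair from the example above,
# one with deliberate mistakes (a real run would load the YAML file instead).
CLEAN_POLICY = {
    "cidr_mode": "both", "cidr_policy": "allow", "resolve_mode": "bypass", "resolve_policy": "allow",
    "rules": [{"cidr": "10.0.0.0/8", "policy": "allow"}, {"cidr": "10.0.0.1/32", "policy": "allow"},
              {"domain": "example.com", "policy": "deny"}],
}
BAD_POLICY = {
    "cidr_mode": "block", "cidr_policy": "deny", "resolve_mode": "both", "resolve_policy": "deny",
    "rules": [
        {"cidr": "0.0.0.0/0", "policy": "allow"},   # allows everything (test only)
        {"cidr": "10.0.0.1/8", "policy": "allow"},  # host bits set
        {"cidr": "9.9.9.9/32", "policy": "allow"},
        {"cidr": "9.9.9.9/32", "policy": "deny"},   # contradicts the rule above
        {"domain": "example.com"},                  # no policy
        {"cidr": "not-a-cidr", "policy": "deny"},
    ],
}

def lint_policy(policy):
    """Return a list of 'error|warning|info: ...' findings; an empty list means nothing to report."""
    out = []
    for key, allowed in (("cidr_mode", MODES), ("resolve_mode", MODES),
                         ("cidr_policy", POLICIES), ("resolve_policy", POLICIES)):
        if policy.get(key) not in allowed:
            out.append(f"error: {key}={policy.get(key)!r}, expected one of {sorted(allowed)}")
    nets, seen = [], {}
    for i, rule in enumerate(policy.get("rules", [])):
        if ("cidr" in rule) == ("domain" in rule):
            out.append(f"error: rule {i}: needs exactly one of 'cidr' or 'domain'")
            continue
        if rule.get("policy") not in POLICIES:
            out.append(f"error: rule {i}: policy={rule.get('policy')!r}, expected allow or deny")
            continue
        if "domain" in rule:
            if not all(rule["domain"].strip(".").split(".")):
                out.append(f"error: rule {i}: malformed domain {rule['domain']!r}")
            continue
        try:
            net = ipaddress.ip_network(rule["cidr"], strict=True)
        except ValueError:
            try:
                net = ipaddress.ip_network(rule["cidr"], strict=False)
            except ValueError:
                out.append(f"error: rule {i}: invalid CIDR {rule['cidr']!r}")
                continue
            out.append(f"warning: rule {i}: {rule['cidr']} has host bits set (network is {net})")
        if str(net) in seen and seen[str(net)] != rule["policy"]:
            out.append(f"error: rule {i}: {net} already declared with policy {seen[str(net)]!r}")
        seen[str(net)] = rule["policy"]
        if net.prefixlen == 0 and rule["policy"] == "allow":
            out.append(f"warning: rule {i}: {net} allows all traffic (test only)")
        nets.append((i, net, rule["policy"]))
    # A more specific rule with the same policy as its nearest enclosing rule changes nothing.
    for i, net, pol in nets:
        enclosing = [(j, n, p) for j, n, p in nets
                     if n.version == net.version and n.prefixlen < net.prefixlen and net.subnet_of(n)]
        if enclosing:
            j, n, p = max(enclosing, key=lambda t: t[1].prefixlen)
            if p == pol:
                out.append(f"info: rule {i}: {net} is redundant, already {pol!r} via {n} (rule {j})")
    return out

if __name__ == "__main__":
    for name, pol in (("clean", CLEAN_POLICY), ("bad", BAD_POLICY)):
        print(name + ":")
        for finding in lint_policy(pol):
            print("  " + finding)
```

The redundancy check is deliberately limited to the nearest enclosing rule of the same address family: a `/32` allow inside a `/8` deny inside a `/0` allow is a real override, not noise, and only the immediately enclosing rule tells you which. Host-bit warnings are reported without guessing how the plugin itself interprets such a rule; the safe fix is to write the network address the author meant.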