Facebook sandbox browser

How can I make Firefox work as a site-specific browser?

The goal is security through compartmentalization. Specifically, to thwart Facebook's attempts to track and store all of my Internet browsing activity, including when I am not on Facebook's site.

Ideally, I would like one browser to operate such that it can only access Facebook, and my other browser to operate such that it can access all sites except Facebook.

Please let me know how I can configure Firefox to operate as a Facebook-specific (single-site) browser.

Answer 1

Facebook Container. This add-on isolates Facebook in your browser. That is probably all you need.

If you want to be more certain, use two profiles. Install a site-blocking add-on in both. Blacklist Facebook in the first profile, and whitelist only Facebook in the second.

Answer 2

This can be done with firejail on Linux, where you can use the --netfilter argument to:

[a] set iptables rules to block access to all Facebook-owned IP netblocks in your main browser, and

[b] set iptables rules to block access to the entire Internet except those Facebook-owned IP netblocks in a Facebook-specific (sandbox) browser

A list of Facebook-owned IP netblocks can be found with a whois query on the Autonomous System (AS) number for Facebook, Inc = AS32934

root@disp355:/home/user# whois -h whois.radb.net -- '-i origin AS32934' | grep -e "^route:"
...
route:      69.63.176.0/20
route:      66.220.144.0/20
route:      66.220.144.0/21
route:      69.63.184.0/21
route:      69.63.176.0/21
route:      74.119.76.0/22
route:      69.171.255.0/24
route:      173.252.64.0/18
route:      69.171.224.0/19
route:      69.171.224.0/20
root@disp355:/home/user# 

The entire list can then be put into a netfilter file for your Facebook-specific browser:

sudo bash -c 'cat << EOF > /etc/firejail/facebookOnly.net
################################################################################
# Author:  Michael Altfield <[email protected]>
# Created: 2019-03-25
# Updated: 2019-03-25
# Version: 0.1
# Purpose: Permits traffic to/from facebook (and dns) only
################################################################################
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A OUTPUT --destination 102.132.96.0/20 -j ACCEPT
-A OUTPUT --destination 102.132.96.0/24 -j ACCEPT
-A OUTPUT --destination 103.4.96.0/22 -j ACCEPT
-A OUTPUT --destination 129.134.0.0/17 -j ACCEPT
-A OUTPUT --destination 157.240.0.0/17 -j ACCEPT
-A OUTPUT --destination 157.240.10.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.1.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.11.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.12.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.13.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.14.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.15.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.18.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.19.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.192.0/18 -j ACCEPT
-A OUTPUT --destination 157.240.193.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.194.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.195.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.20.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.2.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.21.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.22.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.24.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.25.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.26.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.27.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.28.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.29.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.30.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.3.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.6.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.7.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.8.0/24 -j ACCEPT
-A OUTPUT --destination 157.240.9.0/24 -j ACCEPT
-A OUTPUT --destination 173.252.64.0/19 -j ACCEPT
-A OUTPUT --destination 173.252.88.0/21 -j ACCEPT
-A OUTPUT --destination 173.252.96.0/19 -j ACCEPT
-A OUTPUT --destination 179.60.192.0/22 -j ACCEPT
-A OUTPUT --destination 179.60.192.0/24 -j ACCEPT
-A OUTPUT --destination 179.60.193.0/24 -j ACCEPT
-A OUTPUT --destination 179.60.194.0/24 -j ACCEPT
-A OUTPUT --destination 179.60.195.0/24 -j ACCEPT
-A OUTPUT --destination 185.60.216.0/22 -j ACCEPT
-A OUTPUT --destination 185.60.216.0/24 -j ACCEPT
-A OUTPUT --destination 185.60.217.0/24 -j ACCEPT
-A OUTPUT --destination 185.60.218.0/24 -j ACCEPT
-A OUTPUT --destination 185.60.219.0/24 -j ACCEPT
-A OUTPUT --destination 204.15.20.0/22 -j ACCEPT
-A OUTPUT --destination 31.13.24.0/21 -j ACCEPT
-A OUTPUT --destination 31.13.64.0/18 -j ACCEPT
-A OUTPUT --destination 31.13.64.0/19 -j ACCEPT
-A OUTPUT --destination 31.13.64.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.65.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.66.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.67.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.68.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.70.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.71.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.72.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.73.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.74.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.75.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.80.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.81.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.82.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.83.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.84.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.85.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.86.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.87.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.89.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.90.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.91.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.92.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.93.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.94.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.95.0/24 -j ACCEPT
-A OUTPUT --destination 31.13.96.0/19 -j ACCEPT
-A OUTPUT --destination 45.64.40.0/22 -j ACCEPT
-A OUTPUT --destination 66.220.144.0/20 -j ACCEPT
-A OUTPUT --destination 66.220.144.0/21 -j ACCEPT
-A OUTPUT --destination 66.220.152.0/21 -j ACCEPT
-A OUTPUT --destination 69.171.224.0/19 -j ACCEPT
-A OUTPUT --destination 69.171.224.0/20 -j ACCEPT
-A OUTPUT --destination 69.171.239.0/24 -j ACCEPT
-A OUTPUT --destination 69.171.240.0/20 -j ACCEPT
-A OUTPUT --destination 69.171.250.0/24 -j ACCEPT
-A OUTPUT --destination 69.171.255.0/24 -j ACCEPT
-A OUTPUT --destination 69.63.176.0/20 -j ACCEPT
-A OUTPUT --destination 69.63.176.0/21 -j ACCEPT
-A OUTPUT --destination 69.63.184.0/21 -j ACCEPT
-A OUTPUT --destination 74.119.76.0/22 -j ACCEPT

-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP

-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP

COMMIT
EOF'

Similarly, create the inverse for your main browser:

sudo bash -c 'cat << EOF > /etc/firejail/notFacebook.net
################################################################################
# Author:  Michael Altfield <[email protected]>
# Created: 2019-03-25
# Updated: 2019-03-25
# Version: 0.1
# Purpose: Permits traffic to/from everything except facebook
################################################################################
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A OUTPUT --destination 102.132.96.0/20 -j DROP
-A OUTPUT --destination 102.132.96.0/24 -j DROP
-A OUTPUT --destination 103.4.96.0/22 -j DROP
-A OUTPUT --destination 129.134.0.0/17 -j DROP
-A OUTPUT --destination 157.240.0.0/17 -j DROP
-A OUTPUT --destination 157.240.10.0/24 -j DROP
-A OUTPUT --destination 157.240.1.0/24 -j DROP
-A OUTPUT --destination 157.240.11.0/24 -j DROP
-A OUTPUT --destination 157.240.12.0/24 -j DROP
-A OUTPUT --destination 157.240.13.0/24 -j DROP
-A OUTPUT --destination 157.240.14.0/24 -j DROP
-A OUTPUT --destination 157.240.15.0/24 -j DROP
-A OUTPUT --destination 157.240.18.0/24 -j DROP
-A OUTPUT --destination 157.240.19.0/24 -j DROP
-A OUTPUT --destination 157.240.192.0/18 -j DROP
-A OUTPUT --destination 157.240.193.0/24 -j DROP
-A OUTPUT --destination 157.240.194.0/24 -j DROP
-A OUTPUT --destination 157.240.195.0/24 -j DROP
-A OUTPUT --destination 157.240.20.0/24 -j DROP
-A OUTPUT --destination 157.240.2.0/24 -j DROP
-A OUTPUT --destination 157.240.21.0/24 -j DROP
-A OUTPUT --destination 157.240.22.0/24 -j DROP
-A OUTPUT --destination 157.240.24.0/24 -j DROP
-A OUTPUT --destination 157.240.25.0/24 -j DROP
-A OUTPUT --destination 157.240.26.0/24 -j DROP
-A OUTPUT --destination 157.240.27.0/24 -j DROP
-A OUTPUT --destination 157.240.28.0/24 -j DROP
-A OUTPUT --destination 157.240.29.0/24 -j DROP
-A OUTPUT --destination 157.240.30.0/24 -j DROP
-A OUTPUT --destination 157.240.3.0/24 -j DROP
-A OUTPUT --destination 157.240.6.0/24 -j DROP
-A OUTPUT --destination 157.240.7.0/24 -j DROP
-A OUTPUT --destination 157.240.8.0/24 -j DROP
-A OUTPUT --destination 157.240.9.0/24 -j DROP
-A OUTPUT --destination 173.252.64.0/19 -j DROP
-A OUTPUT --destination 173.252.88.0/21 -j DROP
-A OUTPUT --destination 173.252.96.0/19 -j DROP
-A OUTPUT --destination 179.60.192.0/22 -j DROP
-A OUTPUT --destination 179.60.192.0/24 -j DROP
-A OUTPUT --destination 179.60.193.0/24 -j DROP
-A OUTPUT --destination 179.60.194.0/24 -j DROP
-A OUTPUT --destination 179.60.195.0/24 -j DROP
-A OUTPUT --destination 185.60.216.0/22 -j DROP
-A OUTPUT --destination 185.60.216.0/24 -j DROP
-A OUTPUT --destination 185.60.217.0/24 -j DROP
-A OUTPUT --destination 185.60.218.0/24 -j DROP
-A OUTPUT --destination 185.60.219.0/24 -j DROP
-A OUTPUT --destination 204.15.20.0/22 -j DROP
-A OUTPUT --destination 31.13.24.0/21 -j DROP
-A OUTPUT --destination 31.13.64.0/18 -j DROP
-A OUTPUT --destination 31.13.64.0/19 -j DROP
-A OUTPUT --destination 31.13.64.0/24 -j DROP
-A OUTPUT --destination 31.13.65.0/24 -j DROP
-A OUTPUT --destination 31.13.66.0/24 -j DROP
-A OUTPUT --destination 31.13.67.0/24 -j DROP
-A OUTPUT --destination 31.13.68.0/24 -j DROP
-A OUTPUT --destination 31.13.70.0/24 -j DROP
-A OUTPUT --destination 31.13.71.0/24 -j DROP
-A OUTPUT --destination 31.13.72.0/24 -j DROP
-A OUTPUT --destination 31.13.73.0/24 -j DROP
-A OUTPUT --destination 31.13.74.0/24 -j DROP
-A OUTPUT --destination 31.13.75.0/24 -j DROP
-A OUTPUT --destination 31.13.80.0/24 -j DROP
-A OUTPUT --destination 31.13.81.0/24 -j DROP
-A OUTPUT --destination 31.13.82.0/24 -j DROP
-A OUTPUT --destination 31.13.83.0/24 -j DROP
-A OUTPUT --destination 31.13.84.0/24 -j DROP
-A OUTPUT --destination 31.13.85.0/24 -j DROP
-A OUTPUT --destination 31.13.86.0/24 -j DROP
-A OUTPUT --destination 31.13.87.0/24 -j DROP
-A OUTPUT --destination 31.13.89.0/24 -j DROP
-A OUTPUT --destination 31.13.90.0/24 -j DROP
-A OUTPUT --destination 31.13.91.0/24 -j DROP
-A OUTPUT --destination 31.13.92.0/24 -j DROP
-A OUTPUT --destination 31.13.93.0/24 -j DROP
-A OUTPUT --destination 31.13.94.0/24 -j DROP
-A OUTPUT --destination 31.13.95.0/24 -j DROP
-A OUTPUT --destination 31.13.96.0/19 -j DROP
-A OUTPUT --destination 45.64.40.0/22 -j DROP
-A OUTPUT --destination 66.220.144.0/20 -j DROP
-A OUTPUT --destination 66.220.144.0/21 -j DROP
-A OUTPUT --destination 66.220.152.0/21 -j DROP
-A OUTPUT --destination 69.171.224.0/19 -j DROP
-A OUTPUT --destination 69.171.224.0/20 -j DROP
-A OUTPUT --destination 69.171.239.0/24 -j DROP
-A OUTPUT --destination 69.171.240.0/20 -j DROP
-A OUTPUT --destination 69.171.250.0/24 -j DROP
-A OUTPUT --destination 69.171.255.0/24 -j DROP
-A OUTPUT --destination 69.63.176.0/20 -j DROP
-A OUTPUT --destination 69.63.176.0/21 -j DROP
-A OUTPUT --destination 69.63.184.0/21 -j DROP
-A OUTPUT --destination 74.119.76.0/22 -j DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

COMMIT
EOF'

Now you can launch your Facebook-specific browser using the first netfilter ruleset as follows:

firejail --dns="1.1.1.1" --dns="9.9.9.9" --dns="8.8.8.8" --net=eth0 --netfilter=/etc/firejail/facebookOnly.net firefox -no-remote -new-instance "https://www.facebook.com"

And for the general-purpose browser that cannot "phone home" to Facebook's servers from the rest of the web:

firejail --dns="1.1.1.1" --dns="9.9.9.9" --dns="8.8.8.8" --net=eth0 --netfilter=/etc/firejail/notFacebook.net firefox -no-remote -new-instance "https://start.duckduckgo.com"

For more information on this, see the following article:
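
The two rulesets in this answer differ only in default policy and rule target, so they can be generated from the whois output instead of being pasted by hand. The script below is an added example, not part of the original answer: gen_netfilter, extract_prefixes and SAMPLE_WHOIS are hypothetical names, the sample input is constructed, and only IPv4 route: lines are handled, as in the answer's rules.

```sh
#!/bin/sh
# Added example (not from the original answer). gen_netfilter, extract_prefixes
# and SAMPLE_WHOIS are hypothetical names; the sample is a constructed excerpt.
SAMPLE_WHOIS='route:      69.63.176.0/20
route:      66.220.144.0/20
descr:      constructed non-route line
route:      69.63.176.0/20
route:      999.1.2.3/24
route6:     2001:db8::/32
route:      74.119.76.0/22'

# stdin: whois output. stdout: unique, syntactically valid IPv4 CIDRs.
extract_prefixes() {
  awk '$1 == "route:" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
    split($2, p, "/"); n = split(p[1], o, "[.]")
    ok = (p[2] + 0 <= 32)
    for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
    if (ok && !seen[$2]++) print $2
  }'
}

# $1 = only   -> default-drop, allow the listed prefixes plus DNS
# $1 = except -> default-accept, drop the listed prefixes
gen_netfilter() {
  case $1 in
    only)   policy=DROP;   target=ACCEPT; state=ESTABLISHED ;;
    except) policy=ACCEPT; target=DROP;   state=RELATED,ESTABLISHED ;;
    *) echo "usage: gen_netfilter only|except" >&2; return 2 ;;
  esac
  prefixes=$(extract_prefixes)
  # An empty list would silently yield a ruleset that filters nothing
  # (except) or everything (only), so fail instead.
  [ -n "$prefixes" ] || { echo "no valid route: lines" >&2; return 1; }
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    ":FORWARD $policy [0:0]" ":OUTPUT $policy [0:0]"
  for p in $prefixes; do
    printf '%s\n' "-A OUTPUT --destination $p -j $target"
  done
  if [ "$1" = only ]; then
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT' '-A OUTPUT -j DROP' \
      '-A INPUT -p udp --sport 53 -j ACCEPT'
  fi
  printf '%s\n' "-A INPUT -m state --state $state -j ACCEPT" '-A INPUT -j DROP' COMMIT
}

# Real use: whois -h whois.radb.net -- '-i origin AS32934' | gen_netfilter only
printf '%s\n' "$SAMPLE_WHOIS" | gen_netfilter only
```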