
Network Policy Configuration

Control network traffic at the kernel level with policy-based enforcement for IP addresses, CIDR blocks, and domain names.

Overview

Capabilities:

  • Block malicious connections
  • Intercept DNS queries
  • Enforce zero-trust policies
  • Log blocked traffic attempts

Default Location

bash
/etc/jibril/netpolicy.yaml

Or the one specified in the configuration file.

Configuration Structure

yaml
network_policy:
  # Default action: allow | deny
  policy: allow

  # Always allow these (optional)
  allow:
    - 127.0.0.0/8           # CIDR blocks
    - 8.8.8.8               # IP addresses
    - google.com            # Domain names

  # Always deny these (optional)
  deny:
    - 192.168.100.0/24      # CIDR blocks
    - example.com           # Domain names

Policy Modes

Allow by Default

Allow all traffic by default; deny only the destinations listed under deny.

yaml
network_policy:
  policy: allow

  deny:
    - malware-domain.com
    - 203.0.113.0/24

Use case: Most production environments

Behavior: Traffic allowed unless explicitly denied

Deny by Default

Block all traffic by default; allow only the destinations listed under allow.

yaml
network_policy:
  policy: deny

  allow:
    - 127.0.0.0/8
    - 10.0.0.0/8
    - trusted-api.com

Use case: Zero-trust network model

Behavior: Traffic blocked unless explicitly allowed

Rule Types

CIDR Blocks

IP address ranges.

yaml
allow:
  - 127.0.0.0/8       # Localhost
  - 192.168.0.0/16    # Private networks
  - 10.0.0.0/8        # Private networks
  - ::1/128           # IPv6 localhost

IP Addresses

Specific IPv4 or IPv6 addresses.

yaml
deny:
  - 203.0.113.5       # Specific IPv4
  - 8.8.8.8           # DNS servers
  - 2001:db8::1       # Specific IPv6

Domain Names

Domain-based blocking.

yaml
deny:
  - malware-site.com
  - phishing-domain.net
  - suspicious-tracker.org

Jibril intercepts DNS queries and, as soon as the resolved IPs are known, enforces the policy for those IPs at the kernel level (this is a synchronous operation).

Rule Precedence

Explicit Rules Override Default

yaml
network_policy:
  policy: allow

  deny:
    - 8.8.8.8    # Blocked despite default allow

CIDR Specificity

More specific CIDR rules override broader ones.

yaml
allow:
  - 192.168.0.0/16   # Allow entire range

deny:
  - 192.168.1.100    # Block specific IP (takes precedence)
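To make the precedence rules in this section concrete, the following is an added Python model of the evaluation order the page describes: an explicit rule beats the default action, the most specific matching CIDR (longest prefix) wins between allow and deny, and a domain rule applies to the name the sensor learned from DNS. This is not Jibril's code; the POLICY dict is the parsed form of a constructed netpolicy.yaml, and two details are assumptions: a domain rule matches the exact name only, and equal specificity in both lists falls to deny.

```python
import ipaddress

# Constructed policy (parsed form of a netpolicy.yaml) mirroring the
# "Rule Precedence" examples above.
POLICY = {
    "policy": "allow",
    "allow": ["192.168.0.0/16", "trusted-api.com"],
    "deny": ["192.168.1.100", "8.8.8.8", "malware-domain.com"],
}


def as_network(entry):
    """Return an ip_network for a CIDR or bare IP entry; None for a domain name."""
    try:
        return ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
    except ValueError:
        return None


def evaluate(policy, ip, domain=None):
    """Return 'allow' or 'deny' for a destination IP (and optional resolved domain).

    Precedence modelled after the page: longest matching prefix wins, and any
    explicit match beats the default action. Assumptions: a domain rule is an
    exact, case-insensitive match treated as host-specific; a tie in
    specificity between allow and deny resolves to deny.
    """
    addr = ipaddress.ip_address(ip)
    best = {"allow": -1, "deny": -1}  # longest matching prefix length per action
    for action in ("allow", "deny"):
        for entry in policy.get(action) or []:
            net = as_network(entry)
            if net is not None:
                if addr.version == net.version and addr in net:
                    best[action] = max(best[action], net.prefixlen)
            elif domain is not None and domain.lower() == entry.lower():
                best[action] = max(best[action], addr.max_prefixlen)
    if best["allow"] == -1 and best["deny"] == -1:
        return policy.get("policy", "allow")  # nothing matched: default action
    return "deny" if best["deny"] >= best["allow"] else "allow"


if __name__ == "__main__":
    cases = [
        ("192.168.5.5", None),                # inside the allowed /16
        ("192.168.1.100", None),              # host deny beats the broader allow
        ("8.8.8.8", None),                    # explicit deny despite default allow
        ("1.1.1.1", None),                    # no rule: default applies
        ("203.0.113.7", "malware-domain.com"),  # denied via resolved domain
    ]
    for ip, name in cases:
        print(f"{ip:>15} {name or '-':>20} -> {evaluate(POLICY, ip, name)}")
```

Running the block prints one decision per constructed case; the second line shows the /32 deny for 192.168.1.100 overriding the /16 allow, which is the behaviour the CIDR Specificity example describes.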

Common Configurations

Standard Protection

Allow by default, block known threats.

yaml
network_policy:
  policy: allow

  allow:
    # Internal networks
    - 127.0.0.0/8
    - 192.168.0.0/16
    - 10.0.0.0/8
    - 172.16.0.0/12

    # DNS servers
    - 8.8.8.8
    - 1.1.1.1

  deny:
    # Known malicious domains
    - malware-domain.com
    - phishing-site.net
    - cryptominer-pool.org

Zero-Trust Mode

Deny by default, allow only trusted destinations.

yaml
network_policy:
  policy: deny

  allow:
    # Localhost
    - 127.0.0.0/8

    # Internal infrastructure
    - 10.0.1.0/24
    - 10.0.2.0/24

    # Trusted external services
    - trusted-api.company.com
    - cdn.example.com
    - github.com

Enable Network Policy

Configuration File

yaml
# /etc/jibril/config.yaml
features:
  - netpolicy

feature_options:
  netpolicy:
    file: /etc/jibril/netpolicy.yaml

events:
  - dropip  # Log blocked connections

Policy Events

dropip Event

Generated whenever an IP connection is blocked by policy.

What the dropip event contains
  • The process that caused the block.
  • The blocked IP address.
  • The destination domain (if applicable).
  • The source process information.
  • All the process tree information.
  • All files opened by the process.

And more...

Use Cases

Malware C2 Blocking

Block command-and-control servers.

yaml
deny:
  - malware-c2.example.com
  - 203.0.113.0/24  # Known C2 IP range

Phishing Protection

Block phishing domains.

yaml
deny:
  - phishing-site.net
  - fake-bank.com
  - typosquatted-domain.org

Data Loss Prevention

Control outbound connections.

yaml
policy: deny

allow:
  - 10.0.0.0/8           # Internal only
  - approved-saas.com    # Approved services

Network Segmentation

Enforce zero-trust segmentation.

yaml
policy: deny

allow:
  - 10.0.1.0/24  # Database subnet
  - 10.0.2.0/24  # API subnet

Best Practices

Recommended
  • Start with policy: allow to understand traffic patterns
  • Always allow localhost and internal networks
  • Allow your own IP addresses
  • Allow necessary DNS servers
  • Use threat intelligence feeds for deny lists
  • Test policy changes in staging first
  • Document each rule's purpose
  • Monitor dropip events regularly

Avoid
  • Using policy: deny without thorough testing
  • Blocking internal networks accidentally
  • Forgetting to allow DNS servers
  • No documentation of deny rules
  • Overly restrictive rules breaking applications
  • Deploying to production without staging tests
  • Ignoring dropip event patterns
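The checks in the two lists above can be mechanised before a policy reaches staging. The following is an added Python linter for the netpolicy.yaml structure shown on this page; it is not a Jibril tool. It takes the parsed policy as a dict (both sample policies are constructed) and an operator-supplied list of DNS resolver addresses (an assumption, since the page does not say which resolvers a host uses), and reports the Avoid items it can detect: malformed entries, an entry in both lists, deny rules covering private ranges, and a deny-by-default policy that leaves out localhost or the resolvers.

```python
import ipaddress
import re

# Constructed policies in the parsed form of a netpolicy.yaml.
GOOD_POLICY = {
    "policy": "deny",
    "allow": ["127.0.0.0/8", "::1/128", "10.0.0.0/8", "trusted-api.company.com"],
    "deny": ["malware-domain.com"],
}
RISKY_POLICY = {
    "policy": "deny",
    "allow": ["trusted-api.company.com"],
    "deny": ["192.168.100.0/24", "not a domain!", "trusted-api.company.com"],
}

LOCALHOST = ("127.0.0.0/8", "::1/128")
# Hostname labels: 1-63 alphanumerics/hyphens, no leading or trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def parse_network(entry):
    """ip_network for a CIDR or bare IP entry; None if the entry is not an address."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def covered(target, networks):
    """True if ip_network `target` lies inside any network of the same IP version."""
    return any(target.subnet_of(n) for n in networks if n.version == target.version)


def lint(policy, resolvers=()):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    mode = policy.get("policy")
    if mode not in ("allow", "deny"):
        findings.append(f"policy must be 'allow' or 'deny', got {mode!r}")
    allow = policy.get("allow") or []
    deny = policy.get("deny") or []

    # Every entry must be an IP, a CIDR block, or a syntactically valid domain name.
    for action, rules in (("allow", allow), ("deny", deny)):
        for rule in rules:
            if parse_network(rule) is None and not DOMAIN_RE.match(rule):
                findings.append(f"{action}: {rule!r} is neither an IP/CIDR nor a domain name")

    # The same entry in both lists makes the outcome depend on precedence; document it.
    for rule in sorted(set(allow) & set(deny)):
        findings.append(f"{rule!r} is listed in both allow and deny; document which should win")

    # "Blocking internal networks accidentally": flag deny rules on private ranges.
    for rule in deny:
        net = parse_network(rule)
        if net is not None and net.is_private and not net.is_loopback:
            findings.append(f"deny: {rule} covers a private/internal range; confirm this is intended")

    # Deny-by-default needs localhost and the DNS resolvers explicitly allowed.
    if mode == "deny":
        allowed = [n for n in map(parse_network, allow) if n is not None]
        for lh in LOCALHOST:
            if not covered(ipaddress.ip_network(lh), allowed):
                findings.append(f"policy: deny without allowing localhost {lh}")
        for resolver in resolvers:
            if not covered(ipaddress.ip_network(resolver), allowed):
                findings.append(f"policy: deny without allowing DNS resolver {resolver}")
    return findings


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("RISKY_POLICY", RISKY_POLICY)):
        result = lint(policy, resolvers=["10.0.0.53"])  # constructed resolver address
        print(f"{name}: {'no findings' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

The resolver list would normally come from the host's /etc/resolv.conf or the DNS servers section of the allow list; feeding it in explicitly keeps the linter deterministic and offline.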

Integration with Detections

Jibril includes 2 million+ malicious domains in its built-in detection recipes. Those recipes only generate detection events; to block the matched domains at the network level, custom reactions can be programmed to do so. See the reactions documentation for more information.