Network Policy

Network policy configuration file explanation and example.

The Network Policy Plugin allows users to define and enforce traffic policies based on CIDRs (IP ranges) and domain resolutions. It supports advanced configurations for alerting, enforcing, and bypassing traffic rules, ensuring flexible network control.

Jibril execution:

sudo -E jibril --log-level info --extension config --extension data --extension jibril --plugin jibril:hold --printer jibril:printers:stdout

Enable the Network Policy Plugin:

--plugin jibril:netpolicy:file=/path/to/policy.yaml

Enable the alert events:

... --event jibril:netpolicy:dropip --event jibril:netpolicy:dropdomain

in case alert or both modes are enabled.

Configuration Example

#
# Alert and deny all traffic by default, allowing only declared domains to be resolved.
#
network_policy:
  #
  # The CIDR mode and policy define the IP address policy. Users can choose to block,
  # alert, enforce, or bypass traffic based on CIDR rules.
  #
  # * "cidr_mode":
  #
  # - "bypass": Allow all traffic.
  # - "alert": Alert on denied traffic to CIDRs or domains.
  # - "enforce": Block denied traffic to CIDRs or domains.
  # - "both": Alert and block denied traffic to CIDRs or domains.
  #
  # * "cidr_policy":
  #
  # - "allow": Allow traffic to CIDRs or domains by default.
  # - "deny": Block traffic to CIDRs or domains by default.
  #
  # As an example, the user might have a default "cidr_policy" set to "deny" and allow all
  # IPs with "cidr" set to "0.0.0.0/0". Then, the user might block an IP with a higher
  # prefix length, such as "9.9.9.9/32".
  #
  cidr_mode: "both"
  cidr_policy: "allow"
  #
  # The RESOLVE mode and policy define the domain resolution policy. Users can block
  # specific domains from being resolved or allow them with alerts.
  #
  # For example, if "resolve_mode" is set to "bypass" but a domain is declared as denied,
  # the resolution will be allowed, but the resolved IPs will be blocked.
  #
  # When "resolve_mode" is enabled (alert, enforce, or both), "resolve_policy" determines
  # whether the resolution should be allowed or denied by default.
  #
  # 1. To be alerted on denied domain resolutions, set "resolve_mode" to "alert" and
  #    "resolve_policy" to "deny". You may still block IPs resolved from specific domains.
  #
  # 2. To block the resolution of denied domains, set "resolve_mode" to "enforce"
  #    and "resolve_policy" to "deny". Be aware that if "mode" is set to "bypass", the
  #    resolution will be disallwed, but direct IP connections to the domain will
  #    still be allowed.
  #
  # * "resolve_mode":
  #
  # - "bypass": Allow all domains to be resolved.
  # - "alert": Alert on denied domain resolutions.
  # - "enforce": Block the resolution of denied domains.
  # - "both": Alert and block the resolution of denied domains.
  #
  # * "resolve_policy":
  #
  # - "allow": Allow domain resolution by default.
  # - "deny": Block domain resolution by default.
  #
  # NOTE: domain rules exist independently of "resolve_mode". If a domain is declared
  #       as "deny", its resolved IPs won't be reachable, regardless of "resolve_mode",
  #       which only controls the resolution process.
  #
  resolve_mode: "bypass"
  resolve_policy: "allow"
  #
  rules:
    # Whitelist Everything (test only).
    # - cidr: "0.0.0.0/0"
    #   policy: "allow"
    # Whitelisted CIDRs (localhost).
    - cidr: "127.0.0.0/8"
      policy: "allow"
    - cidr: "::1/128"
      policy: "allow"
    # Whitelisted CIDRs (internal networks).
    - cidr: "192.168.0.0/16"
      policy: "allow"
    - cidr: "172.16.0.0/16"
      policy: "allow"
    - cidr: "10.0.0.0/8"
      policy: "allow"
    - cidr: "10.0.0.1/32"
      policy: "allow"
    # Whitelisted CIDRs (nameservers).
    - cidr: "8.8.8.8/32"
      policy: "allow"
    - cidr: "8.8.4.4/32"
      policy: "allow"
    - cidr: "1.1.1.1/32"
      policy: "allow"
    - cidr: "9.9.9.9/32"
      policy: "allow"
    # Whitelisted Domains.
    - domain: "org"
      policy: "allow"
    - domain: "google.com"
      policy: "allow"
    # Blacklisted Domains.
    - domain: "example.com"
      policy: "deny"
    - domain: "uol.com.br"
      policy: "deny"

Configuration Overview

Field

Description

cidr_mode

Defines the mode for handling traffic based on CIDRs. Possible values: bypass, alert, enforce, both.

cidr_policy

Determines the default policy for CIDRs. Possible values: allow, deny.

resolve_mode

Defines the mode for handling domain resolutions. Possible values: bypass, alert, enforce, both.

resolve_policy

Determines the default policy for domain resolutions. Possible values: allow, deny.

rules

List of custom rules for specific CIDRs or domains.

Modes and Policies

CIDR Modes

Mode

Description

bypass

Allow all traffic to and from the specified CIDRs.

alert

Alert when traffic violates CIDR rules but does not block it.

enforce

Block traffic that violates CIDR rules.

both

Both alert and block traffic that violates CIDR rules.

CIDR Policy

Policy

Description

allow

Allow traffic to CIDRs by default.

deny

Block traffic to CIDRs by default.

Resolve Modes

Mode

Description

bypass

Allow all domain resolutions.

alert

Alert when domain resolution violates rules but does not block it.

enforce

Block domain resolutions that violate rules.

both

Both alert and block domain resolutions that violate rules.

Resolve Policy

Policy

Description

allow

Allow domain resolutions by default.

deny

Block domain resolutions by default.

Rule Details

CIDR Rules

CIDR

Policy

Description

127.0.0.0/8

allow

Allow all traffic to localhost.

::1/128

allow

Allow IPv6 localhost traffic.

192.168.0.0/16

allow

Allow traffic within the internal network.

172.16.0.0/16

allow

Allow traffic within the internal network.

10.0.0.0/8

allow

Allow traffic within the internal network.

8.8.8.8/32

allow

Allow traffic to Google Public DNS.

8.8.4.4/32

allow

Allow traffic to Google Public DNS.

1.1.1.1/32

allow

Allow traffic to Cloudflare DNS.

9.9.9.9/32

allow

Allow traffic to Quad9 DNS.

Domain Rules

Domain

Policy

Description

org

allow

Allow resolution of all .org domains.

google.com

allow

Allow resolution of google.com.

example.com

deny

Block resolution of example.com.

uol.com.br

deny

Block resolution of uol.com.br.

Key Features

Alert and Enforce Modes Flexibly alert or block traffic and domain resolutions based on custom rules.
Granular Rule Definition Define specific CIDRs or domains to allow or deny traffic.
Default Policy Configuration Set default allow or deny policies for both CIDRs and domains.
Independent Rules Domain resolution rules operate independently of CIDR traffic rules for fine-grained control.
Testing Support Easily configure test rules, such as whitelisting all traffic, for development and debugging purposes.

Ensure that CIDR and domain rules are carefully managed to avoid unintended access or blocking.

Last updated 4 days ago

Was this helpful?

# # Alert and deny all traffic by default, allowing only declared domains to be resolved. # network_policy: # # The CIDR mode and policy define the IP address policy. Users can choose to block, # alert, enforce, or bypass traffic based on CIDR rules. # # * "cidr_mode": # # - "bypass": Allow all traffic. # - "alert": Alert on denied traffic to CIDRs or domains. # - "enforce": Block denied traffic to CIDRs or domains. # - "both": Alert and block denied traffic to CIDRs or domains. # # * "cidr_policy": # # - "allow": Allow traffic to CIDRs or domains by default. # - "deny": Block traffic to CIDRs or domains by default. # # As an example, the user might have a default "cidr_policy" set to "deny" and allow all # IPs with "cidr" set to "0.0.0.0/0". Then, the user might block an IP with a higher # prefix length, such as "9.9.9.9/32". # cidr_mode: "both" cidr_policy: "allow" # # The RESOLVE mode and policy define the domain resolution policy. Users can block # specific domains from being resolved or allow them with alerts. # # For example, if "resolve_mode" is set to "bypass" but a domain is declared as denied, # the resolution will be allowed, but the resolved IPs will be blocked. # # When "resolve_mode" is enabled (alert, enforce, or both), "resolve_policy" determines # whether the resolution should be allowed or denied by default. # # 1. To be alerted on denied domain resolutions, set "resolve_mode" to "alert" and # "resolve_policy" to "deny". You may still block IPs resolved from specific domains. # # 2. To block the resolution of denied domains, set "resolve_mode" to "enforce" # and "resolve_policy" to "deny". Be aware that if "mode" is set to "bypass", the # resolution will be disallwed, but direct IP connections to the domain will # still be allowed. # # * "resolve_mode": # # - "bypass": Allow all domains to be resolved. # - "alert": Alert on denied domain resolutions. # - "enforce": Block the resolution of denied domains. # - "both": Alert and block the resolution of denied domains. # # * "resolve_policy": # # - "allow": Allow domain resolution by default. # - "deny": Block domain resolution by default. # # NOTE: domain rules exist independently of "resolve_mode". If a domain is declared # as "deny", its resolved IPs won't be reachable, regardless of "resolve_mode", # which only controls the resolution process. # resolve_mode: "bypass" resolve_policy: "allow" # rules: # Whitelist Everything (test only). # - cidr: "0.0.0.0/0" # policy: "allow" # Whitelisted CIDRs (localhost). - cidr: "127.0.0.0/8" policy: "allow" - cidr: "::1/128" policy: "allow" # Whitelisted CIDRs (internal networks). - cidr: "192.168.0.0/16" policy: "allow" - cidr: "172.16.0.0/16" policy: "allow" - cidr: "10.0.0.0/8" policy: "allow" - cidr: "10.0.0.1/32" policy: "allow" # Whitelisted CIDRs (nameservers). - cidr: "8.8.8.8/32" policy: "allow" - cidr: "8.8.4.4/32" policy: "allow" - cidr: "1.1.1.1/32" policy: "allow" - cidr: "9.9.9.9/32" policy: "allow" # Whitelisted Domains. - domain: "org" policy: "allow" - domain: "google.com" policy: "allow" # Blacklisted Domains. - domain: "example.com" policy: "deny" - domain: "uol.com.br" policy: "deny"