~speguero/sirubo

ref: 15f5b5a3df3f39d97f78c341af304764c2064e69 sirubo/README -rw-r--r-- 3.5 KiB
15f5b5a3 — Steven Peguero sirubo.conf: add to contrib 9 months ago
                                                                                
                                 SIRUBO

      ASN prefix (big tech conglomerate) outbound traffic blocker.

------------------------------------------------------------------------

TABLE OF CONTENTS
=================

├── Synopsis
├── Description
├── Requirements
├── Motive
├── Name Origin
├── Install
├── Uninstall
├── Files
│   ├── Programs
│   ├── Configuration Files
│   └── Services
├── Screencaps
└── License


SYNOPSIS
========

sirubo [-c] [-f] [-r] [-s]

  -c    Create firewall ruleset and ruleset persistency service.

  -f    Show cached firewall ruleset.

  -r    Resume enforcement of cached firewall ruleset and enable ruleset
        persistency service.

  -s    Disable cached firewall ruleset and ruleset persistency service.


DESCRIPTION
===========

The sirubo utility is a POSIX shell script that makes use of:

  - nftables on Linux and pf on OpenBSD, to facilitate the rejection of
    outgoing traffic to prefixes (subnets) announced by the autonomous
    systems whose numbers (ASNs) you, the user, specify.

  - whois, to perform a query for ASN prefixes (subnets).
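
How the two pieces above fit together on Linux, as an added example that
is not sirubo's own code: constructed IRR-style whois route objects
(documentation ASN AS64496 and documentation prefixes) are validated and
turned into an nftables ruleset that rejects outbound traffic to them.
The function names, the table name and the whois output format are
assumptions; this README does not show which whois server or ruleset
layout sirubo uses.

```sh
# Added example (not sirubo's code): whois route objects -> nftables ruleset.
# Constructed IRR-style whois output using a documentation ASN and prefixes.
sample_whois() {
cat <<'EOF'
route:      192.0.2.0/24
descr:      constructed example
origin:     AS64496
route:      198.51.100.0/24
route:      192.0.2.0/24
route6:     2001:db8::/32
origin:     AS64496
route:      garbage/24
EOF
}

# extract_prefixes KEY: read whois text on stdin, print unique prefixes for
# KEY ("route" = IPv4, "route6" = IPv6). Whois replies are untrusted input
# that ends up in a ruleset loaded as root, so any value that is not shaped
# like a CIDR prefix is dropped.
extract_prefixes() {
    awk -v key="$1:" '
        $1 != key || NF != 2 { next }
        key == "route:"  && $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { next }
        key == "route6:" && $2 !~ /^[0-9A-Fa-f:]+\/[0-9]+$/ { next }
        !seen[$2]++ { print $2 }'
}

# build_ruleset: whois text on stdin -> ruleset on stdout. Syntax-check the
# result with "nft -c -f /dev/stdin" before loading it.
build_ruleset() {
    text=$(cat)
    e4=$(printf '%s\n' "$text" | extract_prefixes route  | paste -sd, -)
    e6=$(printf '%s\n' "$text" | extract_prefixes route6 | paste -sd, -)
    # Leave the elements clause out when no prefix survived validation.
    [ -z "$e4" ] || e4="elements = { $e4 }"
    [ -z "$e6" ] || e6="elements = { $e6 }"
    cat <<EOF
table inet example_asn_block {
    set v4 { type ipv4_addr; flags interval; auto-merge; $e4 }
    set v6 { type ipv6_addr; flags interval; auto-merge; $e6 }
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr @v4 reject
        ip6 daddr @v6 reject
    }
}
EOF
}

sample_whois | build_ruleset
```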


REQUIREMENTS
============

  Linux    | OpenBSD
  -----    | -------
  nftables | pf
  whois    | whois
  systemd  |


MOTIVE
======

Preventing passive and nonconsensual telemetry, and the infringement of
one's privacy thereafter, from impertinently inquisitive big tech
conglomerates, such as Facebook and Alphabet (Google).


NAME ORIGIN
===========

Dissecting the etymology of sirubo (pronounced as seer-rue-bow), "si"
refers to the silicon chemical symbol (Si), which is in reference to
Silicon Valley. "rubo" is a word of the universal auxiliary language of
Esperanto, meaning "trash" or "garbage".


INSTALL
=======

1) Install sirubo:

% sudo make install


2) To illustrate, add the following ASN to /usr/local/etc/sirubo.conf:

AS15169 # Google


3) Create a new firewall ruleset:

% sirubo -c


4) Test your newly created firewall ruleset:

% nc -vw 1 google.com 443

   The command should print a message similar to this:

> nc: connect to google.com (0.0.0.0) port 443 (tcp) failed: Connection
> refused

   This indicates that your operating system firewall is configured
   to reject all outbound traffic directed at Google's ASN prefixes.


UNINSTALL
=========

1) Within this repository, uninstall sirubo:

% make uninstall

   Or, optionally, uninstall sirubo and delete its configuration files:

% make clean


FILES
=====

  Programs
  --------

  - /usr/local/bin/sirubo
        The utility itself.


  Configuration Files
  -------------------

  - /usr/local/etc/sirubo.conf
        Contains ASNs that you, the user, specify for rejection.

  - /usr/local/etc/sirubo.ruleset
        Contains a cached firewall ruleset.

  - /usr/local/etc/sirubo.ruleset.backup
        Contains a defunct firewall ruleset that is reserved as a backup
        when creating a new ruleset manually or automatically.


  Services
  --------

  - /etc/systemd/system/sirubo.service (Linux)
        A service that facilitates firewall ruleset persistency and
        automatic ruleset updates with every operating system reboot.

  - /etc/rc.d/sirubo (OpenBSD)
        A service that facilitates firewall ruleset persistency and
        automatic ruleset updates with every operating system reboot.


SCREENCAPS
==========

Visit the contrib/ directory for recorded illustrations of this utility
in GIF format.


LICENSE
=======

See the LICENSE file for details.