
If you use uMatrix, you can easily block the localhost and local network "sniffing" with the following rule[0]:

  * 127       * block    ### block access to IPv4 localhost 127.x.x.x
  * localhost * block
  * [::1]     * block    ### block access to IPv6 localhost
  * 192.168   * block    ### block access to LAN 192.168.x.x
In principle, you can use this without any other blocking, i.e. with the rule:

  * * * allow
and hence without disabling javascript on any sites.

[0] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uM...

Edit: as pointed out by DarkWiiPlayer below, if you want to be able to access the localhost websites from the same browser, you need:

  localhost localhost * allow
and similarly for the LAN. In full:

  127       127       * allow
  localhost localhost * allow
  [::1]     [::1]     * allow
  192.168   192.168   * allow


Also, uBlock has an option in its settings to block the webrtc leak (but not enabled by default):

"Prevent WebRTC from leaking local IP addresses"


Add all the RFC1918 unroutable private networks.

https://en.wikipedia.org/wiki/Private_network

    10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
    172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
    192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
    127.0.0.0 - 127.255.255.255 (127.0.0.0/8)
https://tools.ietf.org/html/rfc1918

Possibly also 100.64.0.0/10 for carriers.

https://tools.ietf.org/html/rfc6598#page-8


Possibly also the IPv6 ULAs:

https://en.wikipedia.org/wiki/Unique_local_address

Not sure if those can be expressed in uMatrix as a prefix rule.


Presumably also:

    * 10      * block    ### block access to LAN 10.x.x.x
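The posts above list the loopback, RFC 1918, RFC 6598 and IPv6 ULA ranges and ask whether non-octet-aligned prefixes like 172.16.0.0/12 can be written as uMatrix prefix rules. The following added example (mine, not from the thread or from uMatrix) expands a CIDR into the octet-prefix rule form the thread uses and classifies a URL host against those ranges; it assumes, as the thread's rules do, that a destination written as leading octets matches every IPv4 address starting with them.

```python
import ipaddress

# Ranges named in the thread: IPv4/IPv6 loopback, RFC 1918, RFC 6598 CGNAT, IPv6 ULA.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "::1/128", "fc00::/7",
)]


def umatrix_prefix_rules(cidr: str) -> list[str]:
    """Expand an IPv4 CIDR into '* <prefix> * block' rules using octet prefixes.

    A /8 or /16 becomes one rule; a /12 or /10 is rounded up to the next octet
    boundary and yields one rule per covered /16 (e.g. 172.16 .. 172.31).
    Assumption: uMatrix treats a leading-octet destination as a prefix match.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("octet-prefix rules only apply to IPv4 ranges")
    octets = -(-net.prefixlen // 8)  # ceil(prefixlen / 8)
    rules = []
    for sub in net.subnets(new_prefix=octets * 8):
        prefix = ".".join(str(sub.network_address).split(".")[:octets])
        rules.append(f"* {prefix} * block")
    return rules


def is_local_destination(host: str) -> bool:
    """True when a URL host names this machine or a private network, i.e. a
    destination the thread's block rules are meant to cover.

    Accepts 'localhost', dotted IPv4 and bracketed IPv6 as written in URLs.
    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is normalised to the
    embedded IPv4 address before comparison so it is classified consistently.
    """
    h = host.strip().lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return False  # an ordinary DNS name; resolve it before deciding
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCAL_RANGES)
```

For 172.16.0.0/12 the expansion is 16 rules and for 100.64.0.0/10 it is 64, which is why the thread's one-line-per-range style cannot express them directly.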


uMatrix blocked all of it for me by default.


Yes, but by default uMatrix might be overly strict for many people. For instance, by default it blocks all third-party javascript.


That's awesome, using it!

But to be fair, the point seemed to be more that if you run something that's "only" exposed locally... don't. Securing each and every machine with uMatrix doesn't seem to be the answer to this.


You'd need at least

    localhost localhost * allow
to be able to open sites on localhost directly.


Anyone know if this can be done on a hosts level instead of a browser level?


It can’t. At best you can try to modify the hosts file to point localhost to somewhere bogus, but aside from the potential breakage that could cause, it won’t help against any site that simply accesses http://127.0.0.1 instead of http://localhost. In general, the hosts file can be useful for quick-and-dirty blocking, but it’s not really capable of enforcing a security barrier.

Edit: But there may be other ways to do it at an OS level, depending on your OS.

