author | netblue30 <netblue30@yahoo.com> | 2016-02-10 20:18:27 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-10 20:18:27 -0500 |
commit | e0d9eca92d2ef959e95a8326cc835b6c7653f462 (patch) | |
tree | 2f77206925e5e9a4da2b4175f55c620d81f326e0 /README.md | |
parent | whitelisting ~/.pki in Firefox, Crome/Cromium, Opera (diff) | |
STUN/WebRTC disabled in default netfilter configuration
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 26 |
1 files changed, 26 insertions, 0 deletions
@@ -38,3 +38,29 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
38 | 38 | ||
39 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | 39 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
40 | 40 | ||
41 | ## STUN/WebRTC disabled in default netfilter configuration | ||
42 | |||
43 | The current netfilter configuration looks like this: | ||
44 | ````` | ||
45 | *filter | ||
46 | :INPUT DROP [0:0] | ||
47 | :FORWARD DROP [0:0] | ||
48 | :OUTPUT ACCEPT [0:0] | ||
49 | -A INPUT -i lo -j ACCEPT | ||
50 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
51 | # allow ping | ||
52 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | ||
53 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT | ||
54 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
55 | # drop STUN (WebRTC) requests | ||
56 | -A OUTPUT -p udp --dport 3478 -j DROP | ||
57 | -A OUTPUT -p udp --dport 3479 -j DROP | ||
58 | -A OUTPUT -p tcp --dport 3478 -j DROP | ||
59 | -A OUTPUT -p tcp --dport 3479 -j DROP | ||
60 | COMMIT | ||
61 | ````` | ||
62 | |||
63 | The filter is loaded by default for Firefox if a network namespace is configured: | ||
64 | ````` | ||
65 | $ firejail --net=eth0 firefox | ||
66 | ````` \ No newline at end of file | ||
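Review bot: the comment "# drop STUN (WebRTC) requests" and the new README heading overstate what the four OUTPUT rules do: they drop only destination ports 3478 and 3479 over UDP and TCP, which are the default STUN/TURN ports, so a STUN or TURN server that listens on any other port (the TLS variant on 5349, or a relay deliberately run on 443) is unaffected. Suggest wording the README as "drops STUN traffic to the default STUN/TURN ports" and adding a sentence that this is a best-effort IP-leak mitigation inside the network namespace, not a guarantee that WebRTC cannot reach the network; if full coverage is intended, the OUTPUT policy would need to be DROP with an explicit allow list rather than ACCEPT plus two blocked ports. Two smaller points in the same hunk: the rules use `-j DROP`, so a browser's ICE gathering will wait for STUN responses that never arrive instead of failing fast, and `-j REJECT` may give better behaviour for the user without weakening the filter; and the five-backtick fences (`````) render, but the rest of README.md uses three, so keep the fence style consistent and add a trailing newline (the diff ends with "No newline at end of file").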