author | netblue30 <netblue30@yahoo.com> | 2017-11-15 07:09:41 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-15 07:09:41 -0500 |
commit | 77a891838f0456944777830152171c23fb52a71a (patch) | |
tree | 679ccfae005f3a1d0a17bcfa8c6000e8b2205d8a /src/man/firejail.txt | |
parent | netfilter split (diff) | |
netfilter split, --netfilter.print, --netfilter6.print
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 52 |
1 files changed, 37 insertions, 15 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e0eb723bc..bf27c07ad 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -858,10 +858,13 @@ be created and configured using "ip netns". | |||
858 | 858 | ||
859 | .TP | 859 | .TP |
860 | \fB\-\-netfilter | 860 | \fB\-\-netfilter |
861 | Enable a default client network filter in the new network namespace. | 861 | Enable a default firewall if a new network namespace is created inside the sandbox. |
862 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | 862 | This option has no effect for sandboxes using the system network namespace. |
863 | \-\-netfilter option does nothing. | 863 | .br |
864 | The default filter is as follows: | 864 | |
865 | .br | ||
866 | The default firewall is optimized for regular desktop applications. No incoming | ||
867 | connections are accepted: | ||
865 | .br | 868 | .br |
866 | 869 | ||
867 | .br | 870 | .br |
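Review bot: the rewritten lines 858-862 drop the only pointer to how a new network namespace is created (the removed text said "New network namespaces are created using \-\-net option"), so a reader of \-\-netfilter no longer learns which option makes the firewall take effect; consider closing line 862 with a cross-reference, e.g. "This option has no effect for sandboxes using the system network namespace; see \-\-net for creating a new one." The new line 867 "No incoming connections are accepted:" is a useful security statement, since it tells the user what the default filter guarantees before the rule listing follows.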
@@ -904,19 +907,18 @@ Example: | |||
904 | $ firejail \-\-net=eth0 \-\-netfilter firefox | 907 | $ firejail \-\-net=eth0 \-\-netfilter firefox |
905 | .TP | 908 | .TP |
906 | \fB\-\-netfilter=filename | 909 | \fB\-\-netfilter=filename |
907 | Enable the network filter specified by filename in the new network namespace. The filter file format | 910 | Enable the firewall specified by filename if a new network namespace is created inside the sandbox. |
908 | is the format of iptables-save and iptable-restore commands. | 911 | This option has no effect for sandboxes using the system network namespace. |
909 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | ||
910 | \-\-netfilter option does nothing. | ||
911 | .br | 912 | .br |
912 | 913 | ||
913 | .br | 914 | .br |
914 | The following filters are available in /etc/firejail directory: | 915 | Please use the regular iptables-save/iptables-restore format for the filter file. The following |
916 | examples are available in /etc/firejail directory: | ||
915 | .br | 917 | .br |
916 | 918 | ||
917 | .br | 919 | .br |
918 | .B webserver.net | 920 | .B webserver.net |
919 | is a webserver filter that allows access only to TCP ports 80 and 443. | 921 | is a webserver firewall that allows access only to TCP ports 80 and 443. |
920 | Example: | 922 | Example: |
921 | .br | 923 | .br |
922 | 924 | ||
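Review bot: line 921 says webserver.net "allows access only to TCP ports 80 and 443" without stating the direction; for a firewall description the reader needs to know whether that means incoming connections to those ports are accepted or outgoing connections to them are permitted, so please state it explicitly, as the first hunk does for the default filter ("No incoming connections are accepted"). Minor: line 916 should read "in the /etc/firejail directory", and the note on line 915 about the iptables-save/iptables-restore format is clearer now that it sits next to the examples rather than in the option synopsis.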
@@ -928,7 +930,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\ | |||
928 | 930 | ||
929 | .br | 931 | .br |
930 | .B nolocal.net | 932 | .B nolocal.net |
931 | is a client filter that disable access to local network. Example: | 933 | is a desktop client firewall that disable access to local network. Example: |
932 | .br | 934 | .br |
933 | 935 | ||
934 | .br | 936 | .br |
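Review bot: line 933 keeps the pre-existing grammar slip "that disable access to local network"; since the line is being touched anyway, make it "is a desktop client firewall that disables access to the local network."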
@@ -936,11 +938,31 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\ | |||
936 | .br | 938 | .br |
937 | --net=eth0 firefox | 939 | --net=eth0 firefox |
938 | .TP | 940 | .TP |
941 | \fB\-\-netfilter.print=name|pid | ||
942 | Print the firewall installed in the sandbox specified by name or PID. Example: | ||
943 | .br | ||
944 | |||
945 | .br | ||
946 | $ firejail --net=browser --net=eth0 --netfilter firefox & | ||
947 | .br | ||
948 | $ firejail --netfilter.print=browser | ||
949 | |||
950 | .TP | ||
939 | \fB\-\-netfilter6=filename | 951 | \fB\-\-netfilter6=filename |
940 | Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format | 952 | Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox. |
941 | is the format of ip6tables-save and ip6table-restore commands. | 953 | This option has no effect for sandboxes using the system network namespace. |
942 | New network namespaces are created using \-\-net option. If a new network namespaces is not created, | 954 | Please use the regular iptables-save/iptables-restore format for the filter file. |
943 | \-\-netfilter6 option does nothing. | 955 | |
956 | .TP | ||
957 | \fB\-\-netfilter6.print=name|pid | ||
958 | Print the IPv6 firewall installed in the sandbox specified by name or PID. Example: | ||
959 | .br | ||
960 | |||
961 | .br | ||
962 | $ firejail --net=browser --net=eth0 --netfilter firefox & | ||
963 | .br | ||
964 | $ firejail --netfilter6.print=browser | ||
965 | |||
944 | .TP | 966 | .TP |
945 | \fB\-\-netstats | 967 | \fB\-\-netstats |
946 | Monitor network namespace statistics, see \fBMONITORING\fR section for more details. | 968 | Monitor network namespace statistics, see \fBMONITORING\fR section for more details. |
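Review bot: the examples on lines 946 and 962 pass `--net=browser --net=eth0`, but `--net` takes a network interface (every other example on this page uses `--net=eth0`) while `--netfilter.print=name|pid` expects a sandbox name, so the first option looks like it should be the sandbox-naming option (`--name=browser`) rather than a second `--net`; as written the example will not start a sandbox named "browser". Two further points in this hunk: line 954 for \-\-netfilter6 now says "iptables-save/iptables-restore format" where the removed line 941 correctly referred to ip6tables-save/ip6tables-restore, and the \-\-netfilter6.print example on line 962 starts the sandbox with the IPv4 `--netfilter` option, so there is no IPv6 firewall for the print command to show; the example should install one with `--netfilter6=filename` first.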