STUN/WebRTC disabled in default netfilter configuration

author: netblue30 <netblue30@yahoo.com> 2016-02-10 20:18:27 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-10 20:18:27 -0500
commit: e0d9eca92d2ef959e95a8326cc835b6c7653f462 (patch)
tree: 2f77206925e5e9a4da2b4175f55c620d81f326e0 /src/man/firejail.txt
parent: whitelisting ~/.pki in Firefox, Crome/Cromium, Opera (diff)
download: firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.tar.gz
firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.tar.zst
firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bab596e96..784f1583e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
author	netblue30 <netblue30@yahoo.com>	2016-02-10 20:18:27 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-10 20:18:27 -0500
commit	e0d9eca92d2ef959e95a8326cc835b6c7653f462 (patch)
tree	2f77206925e5e9a4da2b4175f55c620d81f326e0 /src/man/firejail.txt
parent	whitelisting ~/.pki in Firefox, Crome/Cromium, Opera (diff)
download	firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.tar.gz firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.tar.zst firejail-e0d9eca92d2ef959e95a8326cc835b6c7653f462.zip

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bab596e96..784f1583e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
679	.br	679	.br
680	\-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT	680	\-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
681	.br	681	.br
		682	# allow ping
		683	.br
682	\-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT	684	\-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
683	.br	685	.br
684	\-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT	686	\-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
685	.br	687	.br
686	\-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT	688	\-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
687	.br	689	.br
		690	# drop STUN (WebRTC) requests
		691	.br
		692	-A OUTPUT -p udp --dport 3478 -j DROP
		693	.br
		694	-A OUTPUT -p udp --dport 3479 -j DROP
		695	.br
		696	-A OUTPUT -p tcp --dport 3478 -j DROP
		697	.br
		698	-A OUTPUT -p tcp --dport 3479 -j DROP
		699	.br
688	COMMIT	700	COMMIT
689	.br	701	.br
690		702