author | netblue30 <netblue30@protonmail.com> | 2022-01-18 14:14:44 -0500
committer | netblue30 <netblue30@protonmail.com> | 2022-01-18 14:14:44 -0500
commit | 4dd1e92ba1c0687d3f5860ccc58c80d28c8905b8 (patch)
tree | 49fc769149cbc3a343cee46838c6a19c9e4145f3 /src/man
parent | gitlab-ci: fix debian_ci build (dh_missing hostnames) (#4865) (diff)
nettrace fixes
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 46 |
1 files changed, 39 insertions, 7 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a5704e995..9e3bce643 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1463,6 +1463,28 @@ $ firejail --name=browser --net=eth0 --netfilter firefox & | |||
1463 | $ firejail --netfilter6.print=browser | 1463 | $ firejail --netfilter6.print=browser |
1464 | 1464 | ||
1465 | .TP | 1465 | .TP |
1466 | \fB\-\-netlock=name/pid | ||
1467 | Several type of programs (email clients, multiplayer games etc.) talk to a very small | ||
1468 | number of IP addresses. But the best example is tor browser. It only talks to a guard node, | ||
1469 | and there are two or three more on standby in case the main one fails. | ||
1470 | During startup, the browser contacts all of them, after that it keeps talking to the main | ||
1471 | one... for weeks! | ||
1472 | |||
1473 | Use the network locking feature to build and deploy a network firewall in your sandbox. | ||
1474 | The firewall allows only the network traffic to the IP addresses detected during the program | ||
1475 | startup. Traffic to any other address is quietly dropped. By default the startup monitoring | ||
1476 | time is one minute. Example: | ||
1477 | .br | ||
1478 | |||
1479 | .br | ||
1480 | $ firejail --net=eth0 --netlock \\ | ||
1481 | .br | ||
1482 | --private=~/tor-browser_en-US ./start-tor-browser.desktop | ||
1483 | .br | ||
1484 | |||
1485 | .br | ||
1486 | |||
1487 | .TP | ||
1466 | \fB\-\-netmask=address | 1488 | \fB\-\-netmask=address |
1467 | Use this option when you want to assign an IP address in a new namespace and | 1489 | Use this option when you want to assign an IP address in a new namespace and |
1468 | the parent interface specified by --net is not configured. An IP address and | 1490 | the parent interface specified by --net is not configured. An IP address and |
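Review bot: the tag line `\fB\-\-netlock=name/pid` on 1466 does not match the example on 1480-1482, which passes `--netlock` with no argument as a sandbox option; this same commit changes the nettrace tag to `\fB\-\-nettrace[=name|pid]` to mark an optional argument, so the netlock tag should follow that convention (`\fB\-\-netlock[=name|pid]`) and the description should say what supplying a name or pid does (attaching the lock to an already running sandbox, presumably) as opposed to starting a new locked sandbox. Grammar on 1467: "Several type of programs" should read "Several types of programs", and "tor browser" on 1468 is normally written "Tor Browser". Because the firewall admits only addresses contacted during the one-minute startup window and everything else is "quietly dropped", two caveats belong in the description: every address the program reaches during that window, its DNS resolvers included, becomes part of the allowlist, and a hostname that later resolves to a different address will be blocked. Please also state whether the one-minute window is adjustable and where, if anywhere, dropped traffic can be observed, since "quietly dropped" leaves the user with nothing to debug from.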
@@ -1500,25 +1522,35 @@ PID User RX(KB/s) TX(KB/s) Command | |||
1500 | .br | 1522 | .br |
1501 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission | 1523 | 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission |
1502 | .TP | 1524 | .TP |
1503 | \fB\-\-nettrace=name|pid | 1525 | \fB\-\-nettrace[=name|pid] |
1504 | Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes | 1526 | Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes |
1505 | created with \-\-net are supported. | 1527 | created with \-\-net are supported. |
1506 | .br | 1528 | .br |
1507 | 1529 | ||
1508 | .br | 1530 | .br |
1509 | $ firejail --nettrace=browser | 1531 | Without a name/pid, Firejail will monitor the main system network namespace. |
1532 | .br | ||
1533 | |||
1534 | .br | ||
1535 | $ firejail --nettrace=browser | ||
1536 | .br | ||
1537 | |||
1538 | .br | ||
1539 | 95 KB/s geoip 457, IP database 4436 | ||
1540 | .br | ||
1541 | 52 KB/s *********** 64.222.84.207:443 United States | ||
1510 | .br | 1542 | .br |
1511 | 86 KB/s ********* 64.222.84.207:443 United States | 1543 | 33 KB/s ******* 89.147.74.105:63930 Hungary |
1512 | .br | 1544 | .br |
1513 | 76 KB/s ******** 192.229.210.163:443 MCI | 1545 | 0 B/s 45.90.28.0:443 NextDNS |
1514 | .br | 1546 | .br |
1515 | 111 B/s 9.9.9.9:53 Quad9 DNS | 1547 | 0 B/s 94.70.122.176:52309(UDP) Greece |
1516 | .br | 1548 | .br |
1517 | 32 KB/s *** 142.250.179.182:443 Google | 1549 | 339 B/s 104.26.7.35:443 Cloudflare |
1518 | .br | 1550 | .br |
1519 | 1551 | ||
1520 | .br | 1552 | .br |
1521 | If /usr/bin/geoiplookup is installed (geoip-bin packet in Debian), | 1553 | If /usr/bin/geoiplookup is installed (geoip-bin package in Debian), |
1522 | the country the IP address originates from is added to the trace. | 1554 | the country the IP address originates from is added to the trace. |
1523 | We also use the static IP map in /etc/firejail/hostnames | 1555 | We also use the static IP map in /etc/firejail/hostnames |
1524 | to print the domain names for some of the more common websites and cloud platforms. | 1556 | to print the domain names for some of the more common websites and cloud platforms. |
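Review bot: with the argument now optional, the opening sentence on 1526-1527 ("Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes created with \-\-net are supported.") is contradicted by the new line 1531, which says Firejail monitors the main system network namespace when no name/pid is given; fold the two together, for example "Monitor TCP and UDP traffic coming into the sandbox specified by name or pid, or, if no name/pid is given, into the main system network namespace. Only sandboxes created with \-\-net are supported.", and state whether the host-namespace mode requires root, since watching the whole host is a different privilege level from inspecting one's own sandbox. The new sample output carries a header line "95 KB/s geoip 457, IP database 4436" and a "(UDP)" suffix on one entry, and neither is explained; a sentence describing the columns (the rate, the meaning of the asterisk bar, address:port, and that entries are TCP unless marked "(UDP)") and what the two counts in the header refer to would make the trace readable without guessing. The "packet" to "package" fix on 1553 is correct.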