author | netblue30 <netblue30@yahoo.com> | 2016-02-10 20:18:27 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-10 20:18:27 -0500 |
commit | e0d9eca92d2ef959e95a8326cc835b6c7653f462 (patch) | |
tree | 2f77206925e5e9a4da2b4175f55c620d81f326e0 /src/man | |
parent | whitelisting ~/.pki in Firefox, Crome/Cromium, Opera (diff) | |
STUN/WebRTC disabled in default netfilter configuration
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail.txt | 12 |
1 files changed, 12 insertions, 0 deletions
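--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
 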
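Review bot: The four added OUTPUT rules use bare hyphens (`-A OUTPUT -p udp --dport 3478 -j DROP`) while every surrounding rule in this hunk escapes them as `\-`; in roff source an unescaped `-` may be rendered as a typographic hyphen, so a rule copied from the formatted man page may not be accepted as a netfilter rule. Write them like the context lines, e.g. `\-A OUTPUT \-p udp \-\-dport 3478 \-j DROP`. The new `# allow ping` comment also sits above the destination-unreachable and time-exceeded rules rather than only echo-request, so `# allow ping and ICMP error messages` would describe the group more accurately. The STUN comment should state that only destination ports 3478 and 3479 are dropped, so STUN servers on other ports are presumably still reachable and this is not a complete WebRTC address-leak control. The filter itself is outside this diff (diffstat limited to src/man), so whether the documented rules match the shipped default cannot be confirmed from here.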