4 files changed, 50 insertions, 1 deletions

diff --git a/README.md b/README.md
index fa8c1ecd5..625df6554 100644
--- a/README.md
+++ b/README.md
@@ -31,10 +31,41 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
+`````
 
+`````
 # Current development version: 0.9.39
+`````
+
+`````
 
 ## Default seccomp filter update
 
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
 
+## STUN/WebRTC disabled in default netfilter configuration
+
+The  current netfilter configuration (--netfilter option) looks like this:
+`````
+             *filter
+              :INPUT DROP [0:0]
+              :FORWARD DROP [0:0]
+              :OUTPUT ACCEPT [0:0]
+              -A INPUT -i lo -j ACCEPT
+              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+              # allow ping
+              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+              # drop STUN (WebRTC) requests
+              -A OUTPUT -p udp --dport 3478 -j DROP
+              -A OUTPUT -p udp --dport 3479 -j DROP
+              -A OUTPUT -p tcp --dport 3478 -j DROP
+              -A OUTPUT -p tcp --dport 3479 -j DROP
+              COMMIT
+`````
+
+The filter is loaded by default for Firefox if a network namespace is configured:
+`````
+$ firejail --net=eth0 firefox
+`````
\ No newline at end of file
diff --git a/RELNOTES b/RELNOTES
index e9de34146..9e9a40bdc 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.39) baseline; urgency=low
   * work in progress!
   * default seccomp filter update
+  * disable STUN/WebRTC in default netfilter configuration
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 8 Feb 2016 10:00:00 -0500
 
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index a1c1b9c16..2ed09434a 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -30,12 +30,17 @@ static char *client_filter =
 ":FORWARD DROP [0:0]\n"
 ":OUTPUT ACCEPT [0:0]\n"
 "-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
 "#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bab596e96..784f1583e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br