-rw-r--r-- | README.md | 26 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 7 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
4 files changed, 45 insertions, 1 deletions
@@ -38,3 +38,29 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
38 | 38 | ||
39 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). | 39 | Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie). |
40 | 40 | ||
41 | ## STUN/WebRTC disabled in default netfilter configuration | ||
42 | |||
43 | The current netfilter configuration looks like this: | ||
44 | ````` | ||
45 | *filter | ||
46 | :INPUT DROP [0:0] | ||
47 | :FORWARD DROP [0:0] | ||
48 | :OUTPUT ACCEPT [0:0] | ||
49 | -A INPUT -i lo -j ACCEPT | ||
50 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
51 | # allow ping | ||
52 | -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT | ||
53 | -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT | ||
54 | -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
55 | # drop STUN (WebRTC) requests | ||
56 | -A OUTPUT -p udp --dport 3478 -j DROP | ||
57 | -A OUTPUT -p udp --dport 3479 -j DROP | ||
58 | -A OUTPUT -p tcp --dport 3478 -j DROP | ||
59 | -A OUTPUT -p tcp --dport 3479 -j DROP | ||
60 | COMMIT | ||
61 | ````` | ||
62 | |||
63 | The filter is loaded by default for Firefox if a network namespace is configured: | ||
64 | ````` | ||
65 | $ firejail --net=eth0 firefox | ||
66 | ````` \ No newline at end of file | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.39) baseline; urgency=low | 1 | firejail (0.9.39) baseline; urgency=low |
2 | * work in progress! | 2 | * work in progress! |
3 | * default seccomp filter update | 3 | * default seccomp filter update |
4 | * disable STUN/WebRTC in default netfilter configuration | ||
4 | * bugfixes | 5 | * bugfixes |
5 | -- netblue30 <netblue30@yahoo.com> Tue, 8 Feb 2016 10:00:00 -0500 | 6 | -- netblue30 <netblue30@yahoo.com> Tue, 8 Feb 2016 10:00:00 -0500 |
6 | 7 | ||
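--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -30,12 +30,17 @@ static char *client_filter =
 ":FORWARD DROP [0:0]\n"
 ":OUTPUT ACCEPT [0:0]\n"
 "-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
 "#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {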
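--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
 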