50 files changed, 961 insertions, 371 deletions

diff --git a/Makefile b/Makefile
index 6e3593d20..03ae71026 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee src/fids/fids
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter src/fzenity/fzenity
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SBOX_APPS_NON_DUMPABLE += src/fnettrace/fnettrace src/fnettrace-dns/fnettrace-dns src/fnettrace-sni/fnettrace-sni
-SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp
+SBOX_APPS_NON_DUMPABLE += src/fnettrace-icmp/fnettrace-icmp src/fnetlock/fnetlock
 MYDIRS = src/lib $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
diff --git a/etc/firejail.config b/etc/firejail.config
index e8bf45751..c3c355e3d 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -163,12 +163,12 @@
 # Xpra server command extra parameters. None by default; this is an example.
 # xpra-extra-params --dpi 96
 
-# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
+# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
 # color depth; use 24 unless you know exactly what you're doing.
 # xvfb-screen 640x480x24
 # xvfb-screen 800x600x24
 # xvfb-screen 1024x768x24
 # xvfb-screen 1280x1024x24
 
-# Xvfb command extra parameters.  None by default; this is an example.
+# Xvfb command extra parameters. None by default; this is an example.
 # xvfb-extra-params -pixdepths 8 24 32
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 4e3590fed..e4497f832 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -44,8 +44,7 @@ blacklist /usr/share/perl*
 # it is needed so that Firefox can run applications with Terminal=true in
 # their .desktop file (depending on what is installed). The reason is that
 # this is done via glib, which currently uses a hardcoded list of terminal
-# emulators:
-#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# emulators: https://gitlab.gnome.org/GNOME/glib/-/issues/338.
 # And in this list, rxvt comes before xterm.
 blacklist ${PATH}/rxvt
 
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 29d5a8700..b0d1b7a66 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -547,6 +547,7 @@ blacklist ${HOME}/.config/midori
 blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/monero-project
 blacklist ${HOME}/.config/mono
+blacklist ${HOME}/.config/mov-cli
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
 blacklist ${HOME}/.config/mps-youtube
@@ -623,6 +624,7 @@ blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
 blacklist ${HOME}/.config/smuxi
+blacklist ${HOME}/.config/sniffnet
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
diff --git a/etc/profile-a-l/1password.profile b/etc/profile-a-l/1password.profile
index 690086099..63a04330b 100644
--- a/etc/profile-a-l/1password.profile
+++ b/etc/profile-a-l/1password.profile
@@ -13,7 +13,7 @@ whitelist ${HOME}/.config/1Password
 
 private-etc @tls-ca
 
-# Needed for keychain things, talking to Firefox, possibly other things?  Not sure how to narrow down
+# Needed for keychain things, talking to Firefox, possibly other things?
 ignore dbus-user none
 
 # Redirect
diff --git a/etc/profile-a-l/abrowser.profile b/etc/profile-a-l/abrowser.profile
index 2e6e8f1af..8b70756ba 100644
--- a/etc/profile-a-l/abrowser.profile
+++ b/etc/profile-a-l/abrowser.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/abrowser
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/abrowser
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/abrowser
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc abrowser
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile
index b31f3f1b2..6abd87c92 100644
--- a/etc/profile-a-l/audacious.profile
+++ b/etc/profile-a-l/audacious.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
@@ -26,6 +27,7 @@ netfilter
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -39,8 +41,13 @@ private-cache
 private-dev
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.atheme.audacious
+dbus-user.own org.mpris.MediaPlayer2.audacious
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/basilisk.profile b/etc/profile-a-l/basilisk.profile
index a962bfe02..7d2fe143c 100644
--- a/etc/profile-a-l/basilisk.profile
+++ b/etc/profile-a-l/basilisk.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/basilisk
 
 # Basilisk can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-a-l/brave.profile b/etc/profile-a-l/brave.profile
index 071a279b0..b3994c974 100644
--- a/etc/profile-a-l/brave.profile
+++ b/etc/profile-a-l/brave.profile
@@ -9,8 +9,8 @@ include globals.local
 # noexec /tmp is included in chromium-common.profile and breaks Brave
 ignore noexec /tmp
 # TOR is installed in ${HOME}.
-# NOTE: chromium-common.profile enables apparmor. To keep that intact
-# you will need to uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
+# Note: chromium-common.profile enables apparmor. To keep that intact,
+# uncomment the 'brave + tor' rule in /etc/apparmor.d/local/firejail-default.
 # Alternatively you can add 'ignore apparmor' to your brave.local.
 ignore noexec ${HOME}
 # Causes slow starts (#4604)
diff --git a/etc/profile-a-l/cachy-browser.profile b/etc/profile-a-l/cachy-browser.profile
index 7a14d9464..05e1a69f1 100644
--- a/etc/profile-a-l/cachy-browser.profile
+++ b/etc/profile-a-l/cachy-browser.profile
@@ -13,26 +13,21 @@ mkdir ${HOME}/.cache/cachy
 mkdir ${HOME}/.cachy
 whitelist ${HOME}/.cache/cachy
 whitelist ${HOME}/.cachy
+whitelist /usr/share/cachy-browser
 
 # Add the next lines to your cachy-browser.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 
 # To enable KeePassXC Plugin add one of the following lines to your cachy-browser.local.
-# NOTE: start KeePassXC before CachyBrowser and keep it open to allow communication between them.
+# Note: Start KeePassXC before CachyBrowser and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
-
 # Add the next line to your cachy-browser.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,cachy-browser,sh
 # Add the next line to your cachy-browser.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc cachy-browser
 
 dbus-user filter
diff --git a/etc/profile-a-l/cliqz.profile b/etc/profile-a-l/cliqz.profile
index d0b8cc0ef..d0bf9797e 100644
--- a/etc/profile-a-l/cliqz.profile
+++ b/etc/profile-a-l/cliqz.profile
@@ -15,6 +15,7 @@ mkdir ${HOME}/.config/cliqz
 whitelist ${HOME}/.cache/cliqz
 whitelist ${HOME}/.cliqz
 whitelist ${HOME}/.config/cliqz
+whitelist /usr/share/cliqz
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc cliqz
diff --git a/etc/profile-a-l/cyberfox.profile b/etc/profile-a-l/cyberfox.profile
index d1fff0004..a303c5979 100644
--- a/etc/profile-a-l/cyberfox.profile
+++ b/etc/profile-a-l/cyberfox.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.8pecxstudios
 mkdir ${HOME}/.cache/8pecxstudios
 whitelist ${HOME}/.8pecxstudios
 whitelist ${HOME}/.cache/8pecxstudios
+whitelist /usr/share/8pecxstudios
+whitelist /usr/share/cyberfox
 
 # private-bin cyberfox,dbus-launch,dbus-send,env,sh,which
 # private-etc must first be enabled in firefox-common.profile
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
index c39c0d843..265bf5615 100644
--- a/etc/profile-a-l/discord-ptb.profile
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -1,17 +1,17 @@
-# Firejail profile for discord-ptb   
+# Firejail profile for discord-ptb
 # This file is overwritten after every install/update
 # Persistent local customizations
-include discord-ptb.local   
+include discord-ptb.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/discordptb   
+noblacklist ${HOME}/.config/discordptb
 
-mkdir ${HOME}/.config/discordptb   
-whitelist ${HOME}/.config/discordptb   
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb
 
-private-bin discord-ptb,DiscordPTB   
-private-opt discord-ptb,DiscordPTB   
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB
 
 # Redirect
 include discord-common.profile
diff --git a/etc/profile-a-l/firedragon.profile b/etc/profile-a-l/firedragon.profile
index 77487161e..3177fb989 100644
--- a/etc/profile-a-l/firedragon.profile
+++ b/etc/profile-a-l/firedragon.profile
@@ -13,6 +13,7 @@ mkdir ${HOME}/.cache/firedragon
 mkdir ${HOME}/.firedragon
 whitelist ${HOME}/.cache/firedragon
 whitelist ${HOME}/.firedragon
+whitelist /usr/share/firedragon
 
 # Add the next lines to your firedragon.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile
index 6dc1fca8a..f12750fda 100644
--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -74,7 +74,6 @@ whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
 whitelist /usr/share/lua
 whitelist /usr/share/lua*
-whitelist /usr/share/vulkan
 
 # GNOME Shell integration (chrome-gnome-shell) needs dbus and python
 noblacklist ${HOME}/.local/share/gnome-shell
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index 42d12c5d9..9c8601e7b 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -29,9 +29,14 @@ mkdir ${HOME}/.pki
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 1fcbf0562..659519ca8 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -6,7 +6,7 @@ include firefox.local
 # Persistent global definitions
 include globals.local
 
-# NOTE: sandboxing web browsers is as important as it is complex. Users might be
+# Note: Sandboxing web browsers is as important as it is complex. Users might be
 # interested in creating custom profiles depending on use case (e.g. one for
 # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
 # info. Here are a few links to get you going.
@@ -30,19 +30,14 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 # Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
-# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
+# Note: Start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
-whitelist /usr/share/gtk-doc/html
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
 whitelist ${RUNUSER}/*firefox*
 whitelist ${RUNUSER}/psd/*firefox*
-include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile
index 70a302138..ddfe57879 100644
--- a/etc/profile-a-l/gnome-calendar.profile
+++ b/etc/profile-a-l/gnome-calendar.profile
@@ -53,7 +53,7 @@ dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.evolution.dataserver.*
 #dbus-user.talk org.gnome.OnlineAccounts
 #dbus-user.talk org.gnome.ControlCenter
-# NOTE: dbus-system none fails, filter without rules works.
+# Note: dbus-system none fails, filter without rules works.
 dbus-system filter
 #dbus-system.talk org.freedesktop.timedate1
 #dbus-system.talk org.freedesktop.login1
diff --git a/etc/profile-a-l/icecat.profile b/etc/profile-a-l/icecat.profile
index 660343a29..b0a42fb77 100644
--- a/etc/profile-a-l/icecat.profile
+++ b/etc/profile-a-l/icecat.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/mozilla/icecat
 mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/icecat
 whitelist ${HOME}/.mozilla
+whitelist /usr/share/icecat
 
 # private-etc must first be enabled in firefox-common.profile
 #private-etc icecat
diff --git a/etc/profile-a-l/krunner.profile b/etc/profile-a-l/krunner.profile
index 27feccf40..a0244ef47 100644
--- a/etc/profile-a-l/krunner.profile
+++ b/etc/profile-a-l/krunner.profile
@@ -6,9 +6,9 @@ include krunner.local
 # Persistent global definitions
 include globals.local
 
-# - programs started in krunner run with this generic profile
-# - when a file is opened in krunner, the file viewer runs in its own sandbox
-#   with its own profile, if it is sandboxed automatically
+# Programs started in krunner run with this generic profile.
+# When a file is opened in krunner, the file viewer runs in its own sandbox
+# with its own profile, if it is sandboxed automatically.
 
 # noblacklist ${HOME}/.cache/krunner
 # noblacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
index 5cf30ed40..82336969d 100644
--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -6,11 +6,10 @@ include kube.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.gnupg
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/kube
 noblacklist ${HOME}/.config/kube
 noblacklist ${HOME}/.config/sink
+noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.local/share/kube
 noblacklist ${HOME}/.local/share/sink
 
@@ -22,23 +21,28 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.gnupg
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.cache/kube
 mkdir ${HOME}/.config/kube
 mkdir ${HOME}/.config/sink
+mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.local/share/kube
 mkdir ${HOME}/.local/share/sink
-whitelist ${HOME}/.gnupg
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/kube
 whitelist ${HOME}/.config/kube
 whitelist ${HOME}/.config/sink
+whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.local/share/kube
 whitelist ${HOME}/.local/share/sink
 whitelist ${RUNUSER}/gnupg
-whitelist /usr/share/kube
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
+whitelist /usr/share/kube
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -63,7 +67,6 @@ tracelog
 
 # disable-mnt
 # Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin kube,sink_synchronizer
 private-cache
 private-dev
@@ -75,6 +78,8 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index b84cbb119..65a4a3787 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -19,21 +19,16 @@ whitelist ${HOME}/.librewolf
 #whitelist ${HOME}/.mozilla
 
 # To enable KeePassXC Plugin add one of the following lines to your librewolf.local.
-# NOTE: start KeePassXC before Librewolf and keep it open to allow communication between them.
+# Note: Start KeePassXC before Librewolf and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
 
-whitelist /usr/share/doc
-whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/librewolf
-whitelist /usr/share/mozilla
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # Add the next line to your librewolf.local to enable private-bin (Arch Linux).
 #private-bin dbus-launch,dbus-send,librewolf,sh
 # Add the next line to your librewolf.local to enable private-etc.
-# NOTE: private-etc must first be enabled in firefox-common.local.
+# Note: private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
 
 dbus-user filter
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index 15474c96e..7b0135695 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,8 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
 
-# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
-#   screenshot_path = /home/<USER>/.minetest/screenshots
+# In order to save in-game screenshots to a persistent location,
+# edit ~/.minetest/minetest.conf:
+# screenshot_path = /home/<USER>/.minetest/screenshots
 
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
diff --git a/etc/profile-m-z/mov-cli.profile b/etc/profile-m-z/mov-cli.profile
index c5f764912..8007b887a 100644
--- a/etc/profile-m-z/mov-cli.profile
+++ b/etc/profile-m-z/mov-cli.profile
@@ -8,9 +8,13 @@ include mov-cli.local
 # added by included profile
 #include globals.local
 
+noblacklist ${HOME}/.config/mov-cli
+
 include disable-proc.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/mov-cli
+whitelist ${HOME}/.config/mov-cli
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index bd01d4082..fd35483be 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -9,7 +9,7 @@ include globals.local
 
 # In order to save screenshots to a persistent location,
 # edit ~/.config/mpv/foobar.conf:
-#    screenshot-directory=~/Pictures
+# screenshot-directory=~/Pictures
 
 # mpv has a powerful Lua API and some of the Lua scripts interact with
 # external resources which are blocked by firejail. In such cases you need to
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index f3b0c8a49..4c463521c 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# Note: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
index db4113f94..7d0e01d98 100644
--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -1,17 +1,16 @@
 # This is the weakest possible firejail profile.
-# If a program still fail with this profile, it is incompatible with firejail.
+# If a program still fails with this profile, it is incompatible with firejail.
 # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)
 #
 # Usage:
-#   1. download
-#   2. firejail --profile=noprofile.profile /path/to/program
+# $ firejail --profile=noprofile.profile /path/to/program
 
 # Keep in mind that even with this profile some things are done
-# which can break the program.
-# - some env-vars are cleared
-# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes'
-# - a new private pid-namespace is created
-# - a minimal hardcoded blacklist is applied
+# which can break the program:
+# - some env-vars are cleared;
+# - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes';
+# - a new private pid-namespace is created;
+# - a minimal hardcoded blacklist is applied;
 # - ...
 
 noblacklist /sys/fs
diff --git a/etc/profile-m-z/palemoon.profile b/etc/profile-m-z/palemoon.profile
index 24701b657..ab4e24595 100644
--- a/etc/profile-m-z/palemoon.profile
+++ b/etc/profile-m-z/palemoon.profile
@@ -12,6 +12,8 @@ mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
+whitelist /usr/share/moonchild productions
+whitelist /usr/share/palemoon
 
 # Palemoon can use the full firejail seccomp filter (unlike firefox >= 60)
 seccomp
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile
index 3ff033e0b..e274b6443 100644
--- a/etc/profile-m-z/pingus.profile
+++ b/etc/profile-m-z/pingus.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
+# Debian keeps games data under /usr/share/games
+whitelist /usr/share/games/pingus
 whitelist /usr/share/pingus
-whitelist /usr/share/games/pingus      # Debian keeps games data under /usr/share/games
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
index 87aa69bcb..b1acf8b2e 100644
--- a/etc/profile-m-z/rtin.profile
+++ b/etc/profile-m-z/rtin.profile
@@ -1,6 +1,6 @@
 # Firejail profile for rtin
 # Description: ncurses-based Usenet newsreader
-#              symlink to tin, same as `tin -r`
+# symlink to tin, same as `tin -r`
 # This file is overwritten after every install/update
 # Persistent local customizations
 include rtin.local
diff --git a/etc/profile-m-z/signal-desktop.profile b/etc/profile-m-z/signal-desktop.profile
index 3e1899ef3..8cb4e4173 100644
--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -11,7 +11,9 @@ ignore noexec /tmp
 
 noblacklist ${HOME}/.config/Signal
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
 
@@ -21,11 +23,9 @@ whitelist ${HOME}/.config/Signal
 private-etc @tls-ca
 
 dbus-user filter
-
 # allow D-Bus notifications
 dbus-user.talk org.freedesktop.Notifications
-
-# allow D-Bus communication with Firefox browsers for opening links
+# allow D-Bus communication with firefox for opening links
 dbus-user.talk org.mozilla.*
 
 ignore dbus-user none
diff --git a/etc/profile-m-z/sniffnet.profile b/etc/profile-m-z/sniffnet.profile
new file mode 100644
index 000000000..eb18c1f01
--- /dev/null
+++ b/etc/profile-m-z/sniffnet.profile
@@ -0,0 +1,49 @@
+# Firejail profile for sniffnet
+# Description: Network traffic monitor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sniffnet.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sniffnet
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+#caps.drop all
+caps.keep net_admin,net_raw
+netfilter
+nodvd
+nogroups
+noinput
+# nonewprivs - breaks network traffic capture for unprivileged users
+# noroot
+notv
+nou2f
+novideo
+#seccomp
+tracelog
+
+disable-mnt
+#private-bin sniffnet
+# private-dev prevents (some) interfaces from being shown.
+private-etc @network,@tls-ca
+private-tmp
+
+dbus-user none
+dbus-system none
+
+#restrict-namespaces
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile
index f07b10319..c893a92fb 100644
--- a/etc/profile-m-z/spotify.profile
+++ b/etc/profile-m-z/spotify.profile
@@ -16,6 +16,7 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.cache/spotify
@@ -34,6 +35,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
@@ -50,8 +52,11 @@ private-opt spotify
 private-srv none
 private-tmp
 
-# dbus needed for MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.mpris.MediaPlayer2.spotify
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile
index 63d629a32..99317c9dc 100644
--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -133,9 +133,9 @@ whitelist ${HOME}/.steampid
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-# NOTE: The following were intentionally left out as they are alternative
+# Note: The following were intentionally left out as they are alternative
 # (i.e.: unnecessary and/or legacy) paths whose existence may potentially
-# clobber other paths (see #4225).  If you use any, either add the entry to
+# clobber other paths (see #4225). If you use any, either add the entry to
 # steam.local or move the contents to a path listed above (or open an issue if
 # it's missing above).
 #mkdir ${HOME}/.config/RogueLegacyStorageContainer
diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile
index 5df207e25..f2405a7d3 100644
--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -47,10 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
-whitelist /usr/share/mozilla
 whitelist /usr/share/thunderbird
-whitelist /usr/share/webext
-include whitelist-usr-share-common.inc
 
 # machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
 #machine-id
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
index a03a6caa0..35ff14e88 100644
--- a/etc/profile-m-z/tin.profile
+++ b/etc/profile-m-z/tin.profile
@@ -24,8 +24,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.tin
 mkfile ${HOME}/.newsrc
 # Note: files/directories directly in ${HOME} can't be whitelisted, as
-#       tin saves .newsrc by renaming a temporary file, which is not possible for
-#       bind-mounted files.
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
 #whitelist ${HOME}/.newsrc
 #whitelist ${HOME}/.tin
 #include whitelist-common.inc
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
index ba68ccb53..2578eb0be 100644
--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -7,7 +7,6 @@ include trojita.local
 include globals.local
 
 noblacklist ${HOME}/.abook
-noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.cache/flaska.net/trojita
 noblacklist ${HOME}/.config/flaska.net
 
@@ -19,11 +18,16 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
 mkdir ${HOME}/.abook
 mkdir ${HOME}/.cache/flaska.net/trojita
 mkdir ${HOME}/.config/flaska.net
 whitelist ${HOME}/.abook
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.cache/flaska.net/trojita
 whitelist ${HOME}/.config/flaska.net
 include whitelist-common.inc
@@ -49,7 +53,6 @@ seccomp
 tracelog
 
 # disable-mnt
-# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
 private-bin trojita
 private-cache
 private-dev
@@ -58,6 +61,8 @@ private-tmp
 
 dbus-user filter
 dbus-user.talk org.freedesktop.secrets
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
 dbus-system none
 
 restrict-namespaces
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index 18f1ca79a..bf6f45e41 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -12,6 +12,7 @@ mkdir ${HOME}/.cache/waterfox
 mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
+whitelist /usr/share/waterfox
 
 # Add the next lines to your watefox.local if you want to use the migration wizard.
 #noblacklist ${HOME}/.mozilla
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 8a8833968..ce69738eb 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -774,6 +774,7 @@ slashem
 smplayer
 smtube
 smuxi-frontend-gnome
+sniffnet
 snox
 soffice
 sol
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 458fb0dd1..e07776163 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -65,7 +65,7 @@ void netfilter_netlock(pid_t pid) {
                         umask(orig_umask);
 
                         char *cmd;
-                        if (asprintf(&cmd, "%s -e \"%s/firejail/fnettrace --tail --log=%s\"", terminal, LIBDIR, flog) == -1)
+                        if (asprintf(&cmd, "%s -e \"%s/firejail/fnetlock --tail --log=%s\"", terminal, LIBDIR, flog) == -1)
                                 errExit("asprintf");
                         int rv = system(cmd);
                         (void) rv;
@@ -74,7 +74,7 @@ void netfilter_netlock(pid_t pid) {
         }
 
         char *cmd;
-        if (asprintf(&cmd, "%s/firejail/fnettrace --netfilter --log=%s", LIBDIR, flog) == -1)
+        if (asprintf(&cmd, "%s/firejail/fnetlock --log=%s", LIBDIR, flog) == -1)
                 errExit("asprintf");
         free(flog);
 
diff --git a/src/fnetlock/Makefile b/src/fnetlock/Makefile
new file mode 100644
index 000000000..789df06ac
--- /dev/null
+++ b/src/fnetlock/Makefile
@@ -0,0 +1,9 @@
+.SUFFIXES:
+ROOT = ../..
+-include $(ROOT)/config.mk
+
+MOD_DIR = src/fnetlock
+PROG = fnetlock
+TARGET = $(PROG)
+
+include $(ROOT)/src/prog.mk
diff --git a/src/fnetlock/fnetlock.h b/src/fnetlock/fnetlock.h
new file mode 100644
index 000000000..018f58223
--- /dev/null
+++ b/src/fnetlock/fnetlock.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014-2023 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FNETLOCK_H
+#define FNETLOCK_H
+
+#include "../include/common.h"
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <time.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+
+
+//#define DEBUG 1
+
+#define NETLOCK_INTERVAL 60     // seconds
+
+static inline uint8_t hash(uint32_t ip) {
+        uint8_t *ptr = (uint8_t *) &ip;
+        // simple byte xor
+        return *ptr ^ *(ptr + 1) ^ *(ptr + 2) ^ *(ptr + 3);
+}
+
+// main.c
+void logprintf(char* fmt, ...);
+
+// tail.c
+void tail(const char *logfile);
+
+#endif
diff --git a/src/fnetlock/main.c b/src/fnetlock/main.c
new file mode 100644
index 000000000..d4169b7e1
--- /dev/null
+++ b/src/fnetlock/main.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) 2014-2023 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnetlock.h"
+#include <limits.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <signal.h>
+#define MAX_BUF_SIZE (64 * 1024)
+
+static int arg_tail = 0;
+static char *arg_log = NULL;
+
+//*****************************************************************
+// traffic trace storage - hash table for fast access + linked list for display purposes
+//*****************************************************************
+typedef struct hnode_t {
+        struct hnode_t *hnext;  // used for hash table and unused linked list
+        struct hnode_t *dnext;  // used to display streams on the screen
+        uint32_t ip_src;
+        uint16_t port_src;
+        uint8_t protocol;
+
+        // the firewall is build based on source address, and in the linked list
+        // we could have elements with the same address but different ports
+        uint8_t ip_instance;
+} HNode;
+
+// hash table
+#define HMAX 256
+HNode *htable[HMAX] = {NULL};
+static int have_traffic = 0;
+
+// using protocol 0 and port 0 for ICMP
+static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src) {
+        uint8_t h = hash(ip_src);
+        int ip_instance = 0;
+        HNode *ptr = htable[h];
+        while (ptr) {
+                if (ptr->ip_src == ip_src) {
+                        ip_instance++;
+                        if (ptr->port_src == port_src && ptr->protocol == protocol)
+                                return;
+                }
+                ptr = ptr->hnext;
+        }
+
+        logprintf("netlock: adding %d.%d.%d.%d\n", PRINT_IP(ip_src));
+        have_traffic = 1;
+        HNode *hnew = malloc(sizeof(HNode));
+        assert(hnew);
+        hnew->ip_src = ip_src;
+        hnew->port_src = port_src;
+        hnew->protocol = protocol;
+        hnew->hnext = NULL;
+        hnew->ip_instance = ip_instance + 1;
+        if (htable[h] == NULL)
+                htable[h] = hnew;
+        else {
+                hnew->hnext = htable[h];
+                htable[h] = hnew;
+        }
+}
+
+
+
+
+// trace rx traffic coming in
+static void run_trace(void) {
+        logprintf("netlock: accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
+
+        // trace only rx ipv4 tcp and upd
+        int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+        int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+        if (s1 < 0 || s2 < 0)
+                errExit("socket");
+
+
+        unsigned start = time(NULL);
+        unsigned char buf[MAX_BUF_SIZE];
+        // FIXME: error: variable 'bw' set but not used [-Werror,-Wunused-but-set-variable]
+        //unsigned bw = 0; // bandwidth calculations
+
+        int printed = 0;
+        while (1) {
+                unsigned runtime = time(NULL) - start;
+                if ( runtime >= NETLOCK_INTERVAL)
+                        break;
+                if (runtime % 10 == 0) {
+                        if (!printed)
+                                logprintf("netlock: %u seconds remaining\n", NETLOCK_INTERVAL - runtime);
+                        printed = 1;
+                }
+                else
+                        printed = 0;
+
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(s1, &rfds);
+                FD_SET(s2, &rfds);
+                int maxfd = (s1 > s2) ? s1 : s2;
+                maxfd++;
+
+                struct timeval tv;
+                tv.tv_sec = 1;
+                tv.tv_usec = 0;
+
+                int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+                if (rv < 0)
+                        errExit("select");
+                else if (rv == 0)
+                        continue;
+
+
+                // rx tcp traffic by default
+                int sock = s1;
+
+                if (FD_ISSET(s2, &rfds))
+                        sock = s2;
+
+                unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+                if (bytes >= 20) { // size of IP header
+#ifdef DEBUG
+                        {
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+
+                                uint32_t ip_dst;
+                                memcpy(&ip_dst, buf + 16, 4);
+                                ip_dst = ntohl(ip_dst);
+                                printf("%d.%d.%d.%d -> %d.%d.%d.%d, %u bytes\n", PRINT_IP(ip_src), PRINT_IP(ip_dst), bytes);
+                        }
+#endif
+                        // filter out loopback traffic
+                        if (buf[12] != 127 && buf[16] != 127) {
+                                // FIXME: error: variable 'bw' set but not used [-Werror,-Wunused-but-set-variable]
+                                //bw += bytes + 14; // assume a 14 byte Ethernet layer
+
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+
+                                uint8_t hlen = (buf[0] & 0x0f) * 4;
+                                uint16_t port_src = 0;
+                                memcpy(&port_src, buf + hlen, 2);
+                                port_src = ntohs(port_src);
+
+                                uint8_t protocol = buf[9];
+                                hnode_add(ip_src, protocol, port_src);
+                        }
+                }
+        }
+
+        close(s1);
+        close(s2);
+}
+
+static char *filter_start =
+        "*filter\n"
+        ":INPUT DROP [0:0]\n"
+        ":FORWARD DROP [0:0]\n"
+        ":OUTPUT DROP [0:0]\n";
+
+// return 1 if error
+static int print_filter(FILE *fp) {
+        fprintf(fp, "%s\n", filter_start);
+        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "\n");
+
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HNode *ptr = htable[i];
+                while (ptr) {
+                        // filter rules are targeting ip address, the port number is disregarded,
+                        // so we look only at the first instance of an address
+                        if (ptr->ip_instance == 1) {
+                                char *protocol = (ptr->protocol == 6) ? "tcp" : "udp";
+                                fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        protocol);
+                                fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        protocol);
+                                fprintf(fp, "\n");
+                        }
+                        ptr = ptr->hnext;
+                }
+        }
+        fprintf(fp, "COMMIT\n");
+
+        return 0;
+}
+
+static char *flush_rules[] = {
+        "-P INPUT ACCEPT",
+//      "-P FORWARD DENY",
+        "-P OUTPUT ACCEPT",
+        "-F",
+        "-X",
+//      "-t nat -F",
+//      "-t nat -X",
+//      "-t mangle -F",
+//      "-t mangle -X",
+//      "iptables -t raw -F",
+//      "-t raw -X",
+        NULL
+};
+
+static void deploy_netfilter(void) {
+        int rv;
+        char *cmd;
+        int i;
+
+        if (have_traffic == 0) {
+                logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
+                return;
+        }
+        // find iptables command
+        char *iptables = NULL;
+        char *iptables_restore = NULL;
+        if (access("/sbin/iptables", X_OK) == 0) {
+                iptables = "/sbin/iptables";
+                iptables_restore = "/sbin/iptables-restore";
+        }
+        else if (access("/usr/sbin/iptables", X_OK) == 0) {
+                iptables = "/usr/sbin/iptables";
+                iptables_restore = "/usr/sbin/iptables-restore";
+        }
+        if (iptables == NULL || iptables_restore == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                exit(1);
+        }
+
+        // flush all netfilter rules
+        i = 0;
+        while (flush_rules[i]) {
+                char *cmd;
+                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                i++;
+        }
+
+        // create temporary file
+        char fname[] = "/tmp/firejail-XXXXXX";
+        int fd = mkstemp(fname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+
+        FILE *fp = fdopen(fd, "w");
+        if (!fp) {
+                rv = unlink(fname);
+                (void) rv;
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+        print_filter(fp);
+        fclose(fp);
+
+        logprintf("\n\n");
+        logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+        if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        (void) rv;
+        free(cmd);
+
+        if (asprintf(&cmd, "cat %s", fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        (void) rv;
+        free(cmd);
+        logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+
+
+        // configuring
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        if (rv)
+                fprintf(stdout, "Warning: possible netfilter problem!");
+        free(cmd);
+
+        rv = unlink(fname);
+        (void) rv;
+        logprintf("\nnetlock: firewall deployed\n");
+}
+
+void logprintf(char *fmt, ...) {
+        if (!arg_log)
+                return;
+
+        FILE *fp = fopen(arg_log, "a");
+        if (fp) { // disregard if error
+                va_list args;
+                va_start(args, fmt);
+                vfprintf(fp, fmt, args);
+                va_end(args);
+                fclose(fp);
+        }
+
+        va_list args;
+        va_start(args, fmt);
+        vfprintf(stdout, fmt, args);
+        va_end(args);
+}
+
+static const char *const usage_str =
+        "Usage: fnettrace [OPTIONS]\n"
+        "Options:\n"
+        "   --help, -? - this help screen\n"
+        "   --log=filename - netlocker logfile\n"
+        "   --tail - \"tail -f\" functionality\n";
+
+static void usage(void) {
+        puts(usage_str);
+}
+
+int main(int argc, char **argv) {
+        int i;
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--tail") == 0)
+                        arg_tail = 1;
+                else if (strncmp(argv[i], "--log=", 6) == 0)
+                        arg_log = argv[i] + 6;
+                else {
+                        fprintf(stderr, "Error: invalid argument\n");
+                        return 1;
+                }
+        }
+
+        // tail
+        if (arg_tail) {
+                if (!arg_log) {
+                        fprintf(stderr, "Error: no log file\n");
+                        usage();
+                        exit(1);
+                }
+
+                tail(arg_log);
+                sleep(5);
+                exit(0);
+        }
+
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this program\n");
+                return 1;
+        }
+
+        // kill the process if the parent died
+        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+
+        logprintf("netlock: starting network lockdown\n");
+        run_trace();
+
+        // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
+        // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
+        int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
+        (void) rv;
+
+        deploy_netfilter();
+        sleep(3);
+        if (arg_log)
+                unlink(arg_log);
+
+        return 0;
+}
diff --git a/src/fnettrace/tail.c b/src/fnetlock/tail.c
index 3b1b274f8..e5d0367f6 100644
--- a/src/fnettrace/tail.c
+++ b/src/fnetlock/tail.c
@@ -17,7 +17,7 @@
  * with this program; if not, write to the Free Software Foundation, Inc.,
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
-#include "fnettrace.h"
+#include "fnetlock.h"
 
 void tail(const char *logfile) {
         assert(logfile);
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 1cde1942c..6324a17db 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -26,6 +26,7 @@
 #include <signal.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
+static int arg_nolocal = 0;
 static char last[512] = {'\0'};
 
 // pkt - start of DNS layer
@@ -116,7 +117,7 @@ static void print_date(void) {
         struct tm *t = localtime(&now);
 
         if (day != t->tm_yday) {
-                printf("\nDNS trace for %s", ctime(&now));
+                printf("DNS trace for %s", ctime(&now));
                 day = t->tm_yday;
         }
         fflush(0);
@@ -159,6 +160,14 @@ static void run_trace(void) {
                         memcpy(&ip_src, buf + 14 + 12, 4);
                         ip_src = ntohl(ip_src);
 
+                        if (arg_nolocal) {
+                                if ((ip_src & 0xff000000) == 0x7f000000 ||      // 127.0.0.0/8
+                                    (ip_src & 0xff000000) == 0x0a000000 ||      // 10.0.0.0/8
+                                    (ip_src & 0xffff0000) == 0xc0a80000 ||      // 192.168.0.0/16
+                                    (ip_src & 0xfff00000) == 0xac100000)        // 172.16.0.0/12
+                                        continue;
+                        }
+
                         // if DNS packet, extract the query
                         if (port_src == 53 && protocol == 0x11) // UDP protocol
                                 print_dns(ip_src, buf + 14 + ip_hlen + 8); // IP and UDP header len
@@ -170,7 +179,8 @@ static void run_trace(void) {
 static const char *const usage_str =
         "Usage: fnettrace-dns [OPTIONS]\n"
         "Options:\n"
-        "   --help, -? - this help screen\n";
+        "   --help, -? - this help screen\n"
+        "   --nolocal\n";
 
 static void usage(void) {
         puts(usage_str);
@@ -184,6 +194,8 @@ int main(int argc, char **argv) {
                         usage();
                         return 0;
                 }
+                else if (strcmp(argv[i], "--nolocal") == 0)
+                        arg_nolocal = 1;
                 else {
                         fprintf(stderr, "Error: invalid argument\n");
                         return 1;
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index e7782d656..d4fbf703a 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -152,7 +152,7 @@ static void print_date(void) {
         struct tm *t = localtime(&now);
 
         if (day != t->tm_yday) {
-                printf("\nSNI trace for %s", ctime(&now));
+                printf("SNI trace for %s", ctime(&now));
                 day = t->tm_yday;
         }
 
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h
index b1a2f5b6c..b4a8f26c7 100644
--- a/src/fnettrace/fnettrace.h
+++ b/src/fnettrace/fnettrace.h
@@ -75,4 +75,7 @@ void terminal_handler(int s);
 void terminal_set(void);
 void terminal_restore(void);
 
+// runprog.c
+int runprog(const char *program);
+
 #endif
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 932afff61..3bafd9090 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -25,15 +25,63 @@
 #include <signal.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
-static int arg_netfilter = 0;
-static int arg_tail = 0;
 static char *arg_log = NULL;
 
+//*****************************************************************
+// packet stats
+//*****************************************************************
 uint32_t stats_pkts = 0;
-uint32_t stats_icmp = 0;
+uint32_t stats_icmp_echo = 0;
 uint32_t stats_dns = 0;
+uint32_t stats_dns_dot = 0;
+uint32_t stats_dns_doh = 0;
+uint32_t stats_dns_doq = 0;
+uint32_t stats_tls = 0;
+uint32_t stats_quic = 0;
+uint32_t stats_tor = 0;
+uint32_t stats_http = 0;
+uint32_t stats_ssh = 0;
+
+//*****************************************************************
+// sni/dns log storage
+//*****************************************************************
+typedef struct lognode_t {
+#define LOG_RECORD_LEN 255
+        char record[LOG_RECORD_LEN + 1];
+} LogNode;
+// circular list of SNI log records
+#define SNIMAX 64
+LogNode sni_table[SNIMAX] = {0};
+int sni_index = 0;
+
+// circular list of SNI log records
+#define DNSMAX 64
+LogNode dns_table[SNIMAX] = {0};
+int dns_index = 0;
+
+static void print_sni(void) {
+        int i;
+        for (i = sni_index; i < SNIMAX; i++)
+                if (*sni_table[i].record)
+                        printf("   %s", sni_table[i].record);
+        for (i = 0; i < sni_index; i++)
+                if (*sni_table[i].record)
+                        printf("   %s", sni_table[i].record);
+}
 
+static void print_dns(void) {
+        int i;
+        for (i = dns_index; i < DNSMAX; i++)
+                if (*dns_table[i].record)
+                        printf("   %s", dns_table[i].record);
+        for (i = 0; i < dns_index; i++)
+                if (*dns_table[i].record)
+                        printf("   %s", dns_table[i].record);
+}
 
+//*****************************************************************
+// traffic trace storage - hash table for fast access + linked list for display purposes
+//*****************************************************************
 typedef struct hnode_t {
         struct hnode_t *hnext;  // used for hash table and unused linked list
         struct hnode_t *dnext;  // used to display streams on the screen
@@ -42,6 +90,7 @@ typedef struct hnode_t {
 
         // stats
         uint32_t  bytes;        // number of bytes received in the last display interval
+        uint32_t pkts;  // number of packets received in the last display interval
         uint16_t port_src;
         uint8_t protocol;
 
@@ -97,6 +146,7 @@ static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint
                         ip_instance++;
                         if (ptr->port_src == port_src && ptr->protocol == protocol) {
                                 ptr->bytes += bytes;
+                                ptr->pkts++;
                                 assert(ptr->rnode);
                                 ptr->rnode->pkts++;
                                 return;
@@ -115,6 +165,7 @@ static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint
         hnew->protocol = protocol;
         hnew->hnext = NULL;
         hnew->bytes = bytes;
+        hnew->pkts = 1;
         hnew->ip_instance = ip_instance + 1;
         hnew->ttl = DISPLAY_TTL;
         if (htable[h] == NULL)
@@ -139,9 +190,6 @@ static void hnode_add(uint32_t ip_src, uint8_t protocol, uint16_t port_src, uint
         if (!hnew->rnode)
                 hnew->rnode = radix_add(hnew->ip_src, 0xffffffff, NULL);
         hnew->rnode->pkts++;
-
-        if (arg_netfilter)
-                logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src));
 }
 
 static void hnode_free(HNode *elem) {
@@ -242,23 +290,23 @@ typedef struct port_type_t {
         char *service;
 } PortType;
 static PortType ports[] = {
-        {20, "(FTP)"},
-        {21, "(FTP)"},
-        {22, "(SSH)"},
-        {23, "(telnet)"},
-        {25, "(SMTP)"},
-        {43, "(WHOIS)"},
-        {67, "(DHCP)"},
-        {68, "(DHCP)"},
-        {69, "(TFTP)"},
-        {80, "(HTTP)"},
-        {109, "(POP2)"},
-        {110, "(POP3)"},
-        {113, "(IRC)"},
-        {123, "(NTP)"},
-        {161, "(SNMP)"},
-        {162, "(SNMP)"},
-        {194, "(IRC)"},
+        {20, "FTP"},
+        {21, "FTP"},
+        {22, "SSH"},
+        {23, "telnet"},
+        {25, "SMTP"},
+        {43, "WHOIS"},
+        {67, "DHCP"},
+        {68, "DHCP"},
+        {69, "TFTP"},
+        {80, "HTTP"},
+        {109, "POP2"},
+        {110, "POP3"},
+        {113, "IRC"},
+        {123, "NTP"},
+        {161, "SNMP"},
+        {162, "SNMP"},
+        {194, "IRC"},
         {0, NULL},
 };
 
@@ -266,32 +314,32 @@ static PortType ports[] = {
 static inline const char *common_port(uint16_t port) {
         if (port >= 6660 && port <= 10162) {
                 if (port >= 6660 && port <= 6669)
-                        return "(IRC)";
+                        return "IRC";
                 else if (port == 6679)
-                        return "(IRC)";
+                        return "IRC";
                 else if (port == 6771)
-                        return "(BitTorrent)";
+                        return "BitTorrent";
                 else if (port >= 6881 && port <= 6999)
-                        return "(BitTorrent)";
+                        return "BitTorrent";
                 else if (port == 9001)
-                        return "(Tor)";
+                        return "Tor";
                 else if (port == 9030)
-                        return "(Tor)";
+                        return "Tor";
                 else if (port == 9050)
-                        return "(Tor)";
+                        return "Tor";
                 else if (port == 9051)
-                        return "(Tor)";
+                        return "Tor";
                 else if (port == 9150)
-                        return "(Tor)";
+                        return "Tor";
                 else if (port == 10161)
-                        return "(secure SNMP)";
+                        return "secure SNMP";
                 else if (port == 10162)
-                        return "(secure SNMP)";
+                        return "secure SNMP";
                 return NULL;
         }
 
         if (port <= 194) {
-                PortType *ptr =&ports[0];
+                PortType *ptr = &ports[0];
                 while(ptr->service != NULL) {
                         if (ptr->port == port)
                                 return ptr->service;
@@ -305,7 +353,6 @@ static inline const char *common_port(uint16_t port) {
 
 
 static void hnode_print(unsigned bw) {
-        assert(!arg_netfilter);
         bw = (bw < 1024 * DISPLAY_INTERVAL) ? 1024 * DISPLAY_INTERVAL : bw;
 #ifdef DEBUG
         printf("*********************\n");
@@ -336,7 +383,7 @@ static void hnode_print(unsigned bw) {
         else
                 sprintf(stats, "%u KB/s ", bw / (1024 * DISPLAY_INTERVAL));
 //      int len = snprintf(line, LINE_MAX, "%32s geoip %d, IP database %d\n", stats, geoip_calls, radix_nodes);
-        int len = snprintf(line, LINE_MAX, "%32s address:port (protocol) network (packets)\n", stats);
+        int len = snprintf(line, LINE_MAX, "%32s address:port (protocol) network\n", stats);
         adjust_line(line, len, cols);
         printf("%s", line);
 
@@ -369,47 +416,67 @@ static void hnode_print(unsigned bw) {
                                 bwline = print_bw(ptr->bytes / bwunit);
 
                         const char *protocol = NULL;
-                        if (ptr->port_src == 443 && ptr->protocol == 0x06) // TCP
-                                protocol = "(TLS)";
-                        else if (ptr->port_src == 443 && ptr->protocol == 0x11) // UDP
-                                protocol = "(QUIC)";
-                        else if (ptr->port_src == 53)
-                                protocol = "(DNS)";
+                        if (ptr->port_src == 443 && ptr->protocol == 0x06) { // TCP
+                                protocol = "TLS";
+                                stats_tls += ptr->pkts;
+                                if (strstr(ptr->rnode->name, "DNS")) {
+                                        protocol = "DoH";
+                                        stats_dns_doh += ptr->pkts;
+                                }
+
+                        }
+                        else if (ptr->port_src == 443 && ptr->protocol == 0x11) { // UDP
+                                protocol = "QUIC";
+                                stats_quic +=  ptr->pkts;
+                                if (strstr(ptr->rnode->name, "DNS")) {
+                                        protocol = "DoQ";
+                                        stats_dns_doq += ptr->pkts;
+                                }
+                        }
+                        else if (ptr->port_src == 53) {
+                                protocol = "DNS";
+                                stats_dns += ptr->pkts;
+                        }
                         else if (ptr->port_src == 853) {
-                                if (ptr->protocol == 0x06)
-                                        protocol = "(DoT)";
-                                else if (ptr->protocol == 0x11)
-                                        protocol = "(DoQ)";
+                                if (ptr->protocol == 0x06) {
+                                        protocol = "DoT";
+                                        stats_dns_dot += ptr->pkts;
+                                }
+                                else if (ptr->protocol == 0x11) {
+                                        protocol = "DoQ";
+                                        stats_dns_doq += ptr->pkts;
+                                }
                                 else
                                         protocol = NULL;
                         }
-                        else if ((protocol = common_port(ptr->port_src)) != NULL)
-                                ;
+                        else if ((protocol = common_port(ptr->port_src)) != NULL) {
+                                if (strcmp(protocol, "HTTP") == 0)
+                                        stats_http += ptr->pkts;
+                                else if (strcmp(protocol, "Tor") == 0)
+                                        stats_tor += ptr->pkts;
+                                else if (strcmp(protocol, "SSH") == 0)
+                                        stats_ssh += ptr->pkts;
+                        }
                         else if (ptr->protocol == 0x11)
-                                protocol = "(UDP)";
+                                protocol = "UDP";
                         else if (ptr->protocol == 0x06)
-                                protocol = "(TCP)";
+                                protocol = "TCP";
 
                         if (protocol == NULL)
                                 protocol = "";
                         if (ptr->port_src == 0)
                                 len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d (ICMP) %s\n",
                                                bytes, bwline, PRINT_IP(ptr->ip_src), ptr->rnode->name);
-                        else if (ptr->rnode->pkts > 1000000)
-                                len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s (%.01fM)\n",
-                                               bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->rnode->name, ((double) ptr->rnode->pkts) / 1000000);
-                        else if (ptr->rnode->pkts > 1000)
-                                len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s (%.01fK)\n",
-                                               bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->rnode->name, ((double) ptr->rnode->pkts) / 1000);
                         else
-                                len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u%s %s (%u)\n",
-                                               bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->rnode->name, ptr->rnode->pkts);
+                                len = snprintf(line, LINE_MAX, "%10s %s %d.%d.%d.%d:%u (%s) %s\n",
+                                               bytes, bwline, PRINT_IP(ptr->ip_src), ptr->port_src, protocol, ptr->rnode->name);
                         adjust_line(line, len, cols);
                         printf("%s", line);
 
                         if (ptr->bytes)
                                 ptr->ttl = DISPLAY_TTL;
                         ptr->bytes = 0;
+                        ptr->pkts = 0;
                         prev = ptr;
                 }
                 else {
@@ -440,17 +507,10 @@ static void hnode_print(unsigned bw) {
 
 
 void print_stats(void) {
-        printf("\nIP table: %d entries, %d unknown\n", radix_nodes, geoip_calls);
-        printf("   address network (packets)\n");
-        radix_print(1);
-        printf("Packets: %u total, ICMP %u, DNS %u\n", stats_pkts, stats_icmp, stats_dns);
 }
 
 // trace rx traffic coming in
 static void run_trace(void) {
-        if (arg_netfilter)
-                logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
-
         // trace only rx ipv4 tcp and upd
         int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
         int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
@@ -458,37 +518,45 @@ static void run_trace(void) {
         if (s1 < 0 || s2 < 0 || s3 < 0)
                 errExit("socket");
 
-        unsigned start = time(NULL);
+
+        int p1 = runprog(LIBDIR "/firejail/fnettrace-sni");
+        if (p1 != -1)
+                printf("loading snitrace...");
+
+        int p2 = runprog(LIBDIR "/firejail/fnettrace-dns --nolocal");
+        if (p2 != -1)
+                printf("loading dnstrace...");
         unsigned last_print_traces = 0;
-        unsigned last_print_remaining = 0;
         unsigned char buf[MAX_BUF_SIZE];
         unsigned bw = 0; // bandwidth calculations
 
         while (1) {
                 unsigned end = time(NULL);
-                if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
-                        break;
                 if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
-                        if (!arg_netfilter)
-                                hnode_print(bw);
+                        hnode_print(bw);
                         last_print_traces = end;
                         bw = 0;
                 }
-                if (arg_netfilter && last_print_remaining != end) {
-                        logprintf(".");
-                        fflush(0);
-                        last_print_remaining = end;
-                }
 
                 fd_set rfds;
                 FD_ZERO(&rfds);
+                FD_SET(0, &rfds);
+
                 FD_SET(s1, &rfds);
                 FD_SET(s2, &rfds);
                 FD_SET(s3, &rfds);
-                if (!arg_netfilter)
-                        FD_SET(0, &rfds);
                 int maxfd = (s1 > s2) ? s1 : s2;
                 maxfd = (s3 > maxfd) ? s3 : maxfd;
+
+                if (p1 != -1) {
+                        FD_SET(p1, &rfds);
+                        maxfd = (p1 > maxfd) ? p1 : maxfd;
+                }
+
+                if (p2 != -1) {
+                        FD_SET(p2, &rfds);
+                        maxfd = (p2 > maxfd) ? p2 : maxfd;
+                }
                 maxfd++;
 
                 struct timeval tv;
@@ -508,10 +576,78 @@ static void run_trace(void) {
 
                 if (FD_ISSET(0, &rfds)) {
                         getchar();
-                        print_stats();
+                        printf("\n\nStats: %u packets\n", stats_pkts);
+                        printf("   encrypted: TLS %u, QUIC %u, SSH %u, Tor %u\n",
+                                stats_tls, stats_quic, stats_ssh, stats_tor);
+                        printf("   unencrypted: HTTP %u\n", stats_http);
+                        printf("   C&C backchannel: PING %u, DNS %u, DoH %u, DoT %u, DoQ %u\n",
+                                stats_icmp_echo, stats_dns, stats_dns_doh, stats_dns_dot, stats_dns_doq);
+                        printf("press any key to continue...");
+                        fflush(0);
+
+                        getchar();
+                        printf("\n\nSNI log - time server-address SNI\n");
+                        print_sni();
                         printf("press any key to continue...");
                         fflush(0);
+
+                        getchar();
+                        printf("\n\nDNS log - time server-address domain\n");
+                        print_dns();
+                        printf("press any key to continue...");
+                        fflush(0);
+
                         getchar();
+                        printf("\n\nIP table: %d addresses - server-address network (packets)\n", radix_nodes);
+                        radix_print(1);
+                        printf("press any key to continue...");
+                        fflush(0);
+
+                        getchar();
+                        continue;
+                }
+                else if (FD_ISSET(p1, &rfds)) {
+                        char buf[1024];
+                        ssize_t sz = read(p1, buf, 1024 - 1);
+                        if (sz == -1)
+                                errExit("error reading snitrace");
+                        if (sz == 0) {
+                                fprintf(stderr, "Error: snitrace EOF!!!\n");
+                                p1 = -1;
+                        }
+                        if (strncmp(buf, "SNI trace", 9) == 0)
+                                continue;
+
+                        if (sz > LOG_RECORD_LEN)
+                                sz = LOG_RECORD_LEN;
+                        buf[sz] = '\0';
+                        strcpy(sni_table[sni_index].record, buf);
+                        if (++sni_index >= SNIMAX) {
+                                sni_index = 0;
+                                *sni_table[sni_index].record = '\0';
+                        }
+                        continue;
+                }
+                else if (FD_ISSET(p2, &rfds)) {
+                        char buf[1024];
+                        ssize_t sz = read(p2, buf, 1024 - 1);
+                        if (sz == -1)
+                                errExit("error reading dnstrace");
+                        if (sz == 0) {
+                                fprintf(stderr, "Error: dnstrace EOF!!!\n");
+                                p2 = -1;
+                        }
+                        if (strncmp(buf, "DNS trace", 9) == 0)
+                                continue;
+
+                        if (sz > LOG_RECORD_LEN)
+                                sz = LOG_RECORD_LEN;
+                        buf[sz] = '\0';
+                        strcpy(dns_table[dns_index].record, buf);
+                        if (++dns_index >= DNSMAX) {
+                                dns_index = 0;
+                                *dns_table[dns_index].record = '\0';
+                        }
                         continue;
                 }
                 else if (FD_ISSET(s2, &rfds))
@@ -557,10 +693,10 @@ static void run_trace(void) {
 
                                 // stats
                                 stats_pkts++;
-                                if (icmp)
-                                        stats_icmp++;
-                                if (port_src == 53)
-                                        stats_dns++;
+                                if (icmp)  {
+                                        if (*(buf + hlen) == 0 || *(buf + hlen) == 8)
+                                                stats_icmp_echo++;
+                                }
 
                         }
                 }
@@ -572,142 +708,6 @@ static void run_trace(void) {
         print_stats();
 }
 
-static char *filter_start =
-        "*filter\n"
-        ":INPUT DROP [0:0]\n"
-        ":FORWARD DROP [0:0]\n"
-        ":OUTPUT DROP [0:0]\n";
-
-// return 1 if error
-static int print_filter(FILE *fp) {
-        if (dlist == NULL)
-                return 1;
-        fprintf(fp, "%s\n", filter_start);
-        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
-        fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
-        fprintf(fp, "\n");
-
-        int i;
-        for (i = 0; i < HMAX; i++) {
-                HNode *ptr = htable[i];
-                while (ptr) {
-                        // filter rules are targeting ip address, the port number is disregarded,
-                        // so we look only at the first instance of an address
-                        if (ptr->ip_instance == 1) {
-                                char *protocol = (ptr->protocol == 6) ? "tcp" : "udp";
-                                fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s  -j ACCEPT\n",
-                                        PRINT_IP(ptr->ip_src),
-                                        protocol);
-                                fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s  -j ACCEPT\n",
-                                        PRINT_IP(ptr->ip_src),
-                                        protocol);
-                                fprintf(fp, "\n");
-                        }
-                        ptr = ptr->hnext;
-                }
-        }
-        fprintf(fp, "COMMIT\n");
-
-        return 0;
-}
-
-static char *flush_rules[] = {
-        "-P INPUT ACCEPT",
-//      "-P FORWARD DENY",
-        "-P OUTPUT ACCEPT",
-        "-F",
-        "-X",
-//      "-t nat -F",
-//      "-t nat -X",
-//      "-t mangle -F",
-//      "-t mangle -X",
-//      "iptables -t raw -F",
-//      "-t raw -X",
-        NULL
-};
-
-static void deploy_netfilter(void) {
-        int rv;
-        char *cmd;
-        int i;
-
-        if (dlist == NULL) {
-                logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
-                return;
-        }
-        // find iptables command
-        char *iptables = NULL;
-        char *iptables_restore = NULL;
-        if (access("/sbin/iptables", X_OK) == 0) {
-                iptables = "/sbin/iptables";
-                iptables_restore = "/sbin/iptables-restore";
-        }
-        else if (access("/usr/sbin/iptables", X_OK) == 0) {
-                iptables = "/usr/sbin/iptables";
-                iptables_restore = "/usr/sbin/iptables-restore";
-        }
-        if (iptables == NULL || iptables_restore == NULL) {
-                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
-                exit(1);
-        }
-
-        // flush all netfilter rules
-        i = 0;
-        while (flush_rules[i]) {
-                char *cmd;
-                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
-                        errExit("asprintf");
-                int rv = system(cmd);
-                (void) rv;
-                free(cmd);
-                i++;
-        }
-
-        // create temporary file
-        char fname[] = "/tmp/firejail-XXXXXX";
-        int fd = mkstemp(fname);
-        if (fd == -1) {
-                fprintf(stderr, "Error: cannot create temporary configuration file\n");
-                exit(1);
-        }
-
-        FILE *fp = fdopen(fd, "w");
-        if (!fp) {
-                rv = unlink(fname);
-                (void) rv;
-                fprintf(stderr, "Error: cannot create temporary configuration file\n");
-                exit(1);
-        }
-        print_filter(fp);
-        fclose(fp);
-
-        logprintf("\n\n");
-        logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
-        if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
-                errExit("asprintf");
-        rv = system(cmd);
-        (void) rv;
-        free(cmd);
-
-        if (asprintf(&cmd, "cat %s", fname) == -1)
-                errExit("asprintf");
-        rv = system(cmd);
-        (void) rv;
-        free(cmd);
-        logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
-
-        // configuring
-        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
-                errExit("asprintf");
-        rv = system(cmd);
-        if (rv)
-                fprintf(stdout, "Warning: possible netfilter problem!");
-        free(cmd);
-
-        rv = unlink(fname);
-        (void) rv;
-        logprintf("\nfirewall deployed\n");
-}
 
 void logprintf(char *fmt, ...) {
         if (!arg_log)
@@ -733,14 +733,8 @@ static const char *const usage_str =
         "Options:\n"
         "   --help, -? - this help screen\n"
         "   --log=filename - netlocker logfile\n"
-        "   --netfilter - build the firewall rules and commit them\n"
         "   --print-map - print IP map\n"
-        "   --squash-map - compress IP map\n"
-        "   --tail - \"tail -f\" functionality\n"
-        "Examples:\n"
-        "   # fnettrace                              - traffic trace\n"
-        "   # fnettrace --netfilter --log=logfile    - netlocker, dump output in logfile\n"
-        "   # fnettrace --tail --log=logifile        - similar to \"tail -f logfile\"\n";
+        "   --squash-map - compress IP map\n";
 
 static void usage(void) {
         puts(usage_str);
@@ -775,7 +769,7 @@ int main(int argc, char **argv) {
                         return 0;
                 }
                 else if (strncmp(argv[i], "--squash-map=", 13) == 0) {
-                        if (i !=(argc - 1)) {
+                        if (i != (argc - 1)) {
                                 fprintf(stderr, "Error: please provide a map file\n");
                                 return 1;
                         }
@@ -798,10 +792,6 @@ int main(int argc, char **argv) {
                         fprintf(stderr, "static ip map: input %d, output %d\n", in, radix_nodes);
                         return 0;
                 }
-                else if (strcmp(argv[i], "--netfilter") == 0)
-                        arg_netfilter = 1;
-                else if (strcmp(argv[i], "--tail") == 0)
-                        arg_tail = 1;
                 else if (strncmp(argv[i], "--log=", 6) == 0)
                         arg_log = argv[i] + 6;
                 else {
@@ -810,19 +800,6 @@ int main(int argc, char **argv) {
                 }
         }
 
-        // tail
-        if (arg_tail) {
-                if (!arg_log) {
-                        fprintf(stderr, "Error: no log file\n");
-                        usage();
-                        exit(1);
-                }
-
-                tail(arg_log);
-                sleep(5);
-                exit(0);
-        }
-
         if (getuid() != 0) {
                 fprintf(stderr, "Error: you need to be root to run this program\n");
                 return 1;
@@ -838,25 +815,10 @@ int main(int argc, char **argv) {
         prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
         ansi_clrscr();
-        if (arg_netfilter)
-                logprintf("starting network lockdown\n");
-        else  {
-                char *fname = LIBDIR "/firejail/static-ip-map";
-                load_hostnames(fname);
-        }
+        char *fname = LIBDIR "/firejail/static-ip-map";
+        load_hostnames(fname);
 
         run_trace();
-        if (arg_netfilter) {
-                // TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
-                // Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
-                int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
-                (void) rv;
-
-                deploy_netfilter();
-                sleep(3);
-                if (arg_log)
-                        unlink(arg_log);
-        }
 
         return 0;
 }
diff --git a/src/fnettrace/runprog.c b/src/fnettrace/runprog.c
new file mode 100644
index 000000000..e30d8a16c
--- /dev/null
+++ b/src/fnettrace/runprog.c
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2014-2023 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fnettrace.h"
+
+int runprog(const char *program) {
+        assert(program);
+        FILE *fp = popen(program, "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot run %s\n", program);
+                return -1;
+        }
+
+        return fileno(fp);
+}
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index 756658562..59ec79f8f 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -38,14 +38,19 @@
 #
 
 
-# local network addresses
-192.168.0.0/16 local network
-10.0.0.0/8 local network
-172.16.0.0/16 local network
-169.254.0.0/16 local link
+# local network addresses (based on https://en.wikipedia.org/wiki/Reserved_IP_addresses)
+10.0.0.0/8 Local network
+100.64.0.0/10 Carrier-grade NAT
+127.0.0.0/8 Local host
+169.254.0.0/16 Local link
+172.16.0.0/12 Local network
+192.0.2.0/24 Documentation
+192.168.0.0/16 Local network
+198.51.100.0/24 Documentation
+203.0.113.0/24 Documentation
 
 # multicast
-224.0.0.0/4 multicast
+224.0.0.0/4 Multicast
 224.0.0.9/32 RIPv2
 224.0.0.5/32 OSPF
 224.0.0.6/32 OSPF
@@ -86,15 +91,40 @@
 4.2.2.4/32 Level3 DNS
 8.8.4.0/24 Google DNS
 8.8.8.0/24 Google DNS
+8.20.247.20/32 Comodo DNS
+8.26.56.26/32 Comodo DNS
 9.9.9.0/24 Quad9 DNS
 45.90.28.0/22 NextDNS
+45.11.45.0/24 DNS-SB
+64.6.64.6/32 Neustar DNS
+64.6.65.6/32 Neustar DNS
+74.82.42.42/32 Hurricane Electric DNS
+76.76.2.0/24 ControlD DNS
+76.76.10.0/24 ControlD DNS
+76.76.19.0/24 Alternate DNS
+76.223.122.150/32 Alternate DNS
+77.88.8.8/32 Yandex DNS
+77.88.8.1/32 Yandex DNS
+80.80.80.0/24 Freenom DNS Cloud
+80.80.81.0/24 Freenom DNS Cloud
+84.200.69.80/32 DSN Watch
+84.200.70.40/32 DNS Watch
 94.140.14.0/23 Adguard DNS
 149.112.112.0/24 Quad9 DNS
 149.112.120.0/21 CIRA DNS Canada
-146.255.56.96/29 Applied Privacy
+146.255.56.96/29 Applied Privacy DNS
 176.103.128.0/19 Adguard DNS
+185.222.222.0/24 DNS-SB
 185.228.168.0/24 Cleanbrowsing DNS
+185.236.104.0/24 FlashStart DNS
+185.236.105.0/24 FlashStart DNS
+185.253.5.0/24 NextDNS
+193.110.81.0/24 NextDNS
+205.171.3.66/32 CentyrLink DNS
+205.171.202.166/32 CentyrLink DNS
 208.67.216.0/21 OpenDNS
+216.146.35.35/32 Dyn DNS
+216.146.36.36/32 Dyn DNS
 
 # whois
 192.0.32.0/20 ICANN
@@ -106,13 +136,15 @@
 199.212.0.0/24 whois.arin.net US
 200.3.12.0/22 whois.lacnic.net Uruguay
 201.159.220.0/22 whois.lacnic.net Ecuador
+203.119.100.0/22 apnic.net Australia
 
 # some popular websites
 5.255.255.0/24 Yandex
 23.160.0.0/24 Twitch
+23.229.128.0/17 GoDaddy
 23.246.0.0/18 Netflix
 31.13.24.0/21 Facebook
-31.13.64.0/18 Facebook
+31.13.64.0/17 Facebook
 37.77.184.0/21 Netflix
 45.57.0.0/17 Netflix
 45.58.64.0/20 Dropbox
@@ -132,9 +164,14 @@
 66.211.168.0/22 PayPal
 66.211.172.0/22 eBay
 66.211.176.0/20 eBay
+66.218.64.0/19 Yahoo
 66.220.144.0/20 Facebook
+69.30.200.200/29 BitChute
 69.53.224.0/19 Netflix
 69.171.224.0/19 Facebook
+69.197.182.184/29 BitChute
+74.6.0.0/16 Yahoo
+74.91.29.208/29 BitChute
 87.250.254.0/24 Yandex
 91.105.192.0/23 Telegram
 91.108.4.0/22 Telegram
@@ -147,14 +184,21 @@
 91.189.94.0/24 Ubuntu One
 95.161.64.0/20 Telegram
 99.181.64.0/18 Twitch
-103.53.48.0/23 Twitch
-104.244.40.0/21 Twitter
+69.197.138.24/29 BitChute
 103.10.124.0/23 Steam
 103.28.54.0/24 Steam
+103.53.48.0/23 Twitch
+104.244.40.0/21 Twitter
+107.150.32.0/19 BitChute
+107.150.35.192/29 BitChute
+107.150.45.120/29 BitChute
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
 129.134.0.0/16 Facebook
 140.82.112.0/20 GitHub
+142.54.180.104/29 BitChute
+142.54.181.184/29 BitChute
+142.54.189.192/29 BitChute
 143.55.64.0/20 Github
 146.66.152.0/24 Steam
 146.66.155.0/24 Steam
@@ -174,6 +218,10 @@
 162.213.32.0/22 Ubuntu One
 162.254.192.0/21 Steam
 172.98.56.0/22 Rumble
+173.208.154.8/29 BitChute
+173.208.154.160/29 BitChute
+173.208.185.200/29 BitChute
+173.208.219.112/29 BitChute
 178.154.131.0/24 Yandex
 185.2.220.0/22 Netflix
 185.9.188.0/22 Netflix
@@ -194,23 +242,33 @@
 192.30.252.0/22 GitHub
 192.69.96.0/22 Steam
 192.108.239.0/24 Twitch
+192.151.158.136/29 BitChute
 192.173.64.0/18 Netflix
+192.187.97.88/29 BitChute
+192.187.114.96/29 BitChute
+192.187.123.112/29 BitChute
 192.189.200.0/23 Dropbox
 194.169.254.0/24 Ubuntu One
 198.38.96.0/19 Netflix
 198.45.48.0/20 Netflix
+198.204.226.120/29 BitChute
+198.204.245.88/29 BitChute
+198.252.206.0/24 Stack Exchange
 199.9.248.0/21 Twitch
 199.16.156.0/22 Twitter
 199.59.148.0/22 Twitter
 199.168.96.24/29 BitChute
+204.12.194.176/29 BitChute
 205.185.194.0/24 Steam
 205.196.6.0/24 Steam
 207.45.72.0/22 Netflix
 207.241.224.0/20 Internet Archive
+208.82.236.0/22 Creiglist
 208.64.200.0/22 Steam
 208.75.76.0/22 Netflix
 208.78.164.0/22 Steam
 208.80.152.0/22 Wikipedia
+208.110.68.56/29 BitChute
 209.140.128.0/18 eBay
 
 # Imperva
@@ -261,15 +319,6 @@
 205.224.0.0/14 Level 3
 209.244.0.0/14 Level 3
 
-# WholeSale Internet
-69.30.192.0/18 WholeSale Internet
-69.197.128.0/18 WholeSale Internet
-173.208.128.0/17 WholeSale Internet
-204.12.192.0/18 WholeSale Internet
-208.67.0.0/21 WholeSale Internet
-208.110.64.0/19 WholeSale Internet
-208.110.91.0/24 WholeSale Internet
-
 # StackPath
 69.16.173.0/24 StackPath
 69.16.174.0/23 StackPath
@@ -279,6 +328,7 @@
 205.185.196.0/23 StackPath
 205.185.198.0/24 StackPath
 205.185.200.0/21 StackPath
+205.185.208.0/24 StackPath
 205.185.212.0/23 StackPath
 205.185.215.0/24 StackPath
 205.185.216.0/23 StackPath
@@ -299,6 +349,8 @@
 205.185.220.0/24 StackPath
 
 # Linode
+45.79.0.0/16 Linode
+50.116.0.0/18 Linode
 66.175.208.0/20 Linode
 103.29.68.0/22 Linode
 104.200.16.0/21 Linode
@@ -397,6 +449,7 @@
 172.105.0.0/19 Linode
 172.105.112.0/20 Linode
 172.105.128.0/23 Linode
+173.255.192.0/18 Linode
 
 # Akamai
 2.16.0.0/13 Akamai
@@ -576,7 +629,7 @@
 103.21.244.0/22 Cloudflare
 103.22.200.0/22 Cloudflare
 103.31.4.0/22 Cloudflare
-104.16.0.0/13 Cloudflare
+104.16.0.0/12 Cloudflare
 104.24.0.0/14 Cloudflare
 108.162.192.0/18 Cloudflare
 131.0.72.0/22 Cloudflare
@@ -684,6 +737,7 @@
 3.136.0.0/13 Amazon
 3.144.0.0/13 Amazon
 3.152.0.0/13 Amazon
+3.160.0.0/14 Amazon
 3.208.0.0/12 Amazon
 3.224.0.0/12 Amazon
 3.240.0.0/13 Amazon