73 files changed, 101 insertions, 9 deletions
diff --git a/README.md b/README.md
index 8440d00a6..b08be89c9 100644
--- a/README.md
+++ b/README.md
@@ -197,9 +197,9 @@ The following features can be enabled or disabled:
       restricted-network
              Enable  or disable restricted network support, default disabled.
              If enabled, networking features should also be enabled  (network
-              yes).   Restricted  networking  grants access to --interface and
+              yes).  Restricted networking  grants access to --interface,
-              --net=ethXXX only to root user. Regular users are  only  allowed
+              --net=ethXXX and --netfilter only to root user.  Regular users
-              --net=none.
+                          are only allowed --net=none.  Default disabled
       secomp Enable or disable seccomp support, default enabled.
diff --git a/etc/0ad.profile b/etc/0ad.profile
index f8a3ce23d..e6540fb5d 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -12,6 +12,7 @@ protocol unix,inet,inet6,netlink
 netfilter
 tracelog
 noroot
+nonewprivs
 # Whitelists
 noblacklist ~/.cache/0ad
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 05131df43..75dbebcf0 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -16,4 +16,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
+nonewprivs
 noroot
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 949635258..6a06ce76b 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/atril.profile b/etc/atril.profile
index 91a97e826..b55f99cdd 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 tracelog
 netfilter
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 290faa260..0a1598dee 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/aweather.profile b/etc/aweather.profile
index d7f510a7e..dd508e736 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 # Call these options
 caps.drop all
 netfilter
+nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index fb84c260a..b7ccd132e 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -9,3 +9,4 @@ private
 private-dev
 seccomp
 netfilter
+nonewprivs
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 1f69f61c6..b3a34fc9a 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -19,6 +19,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 include /etc/firejail/whitelist-common.inc
 nosound
diff --git a/etc/clementine.profile b/etc/clementine.profile
index c6271e6e3..fb9dca2a9 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 72b43a70f..16b9c112d 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -10,6 +10,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 private-bin cmus
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 007eef663..0a7966e4b 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -7,6 +7,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 whitelist ~/.conkeror.mozdev.org
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index cef9ad464..c5fb25e9a 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 2810e5323..9225ca16e 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -9,4 +9,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/default.profile b/etc/default.profile
index f2c7d4114..d836a9f5d 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -11,5 +11,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4043f58f5..f7a2b98e4 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -9,5 +9,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 49c33fb7a..392000ade 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index 474bc5aca..4459c40dd 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -11,3 +11,4 @@ protocol unix,inet,inet6,netlink
 netfilter
 private
 private-dev
+nonewprivs
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index a0a944dce..568ab230a 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -6,4 +6,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/empathy.profile b/etc/empathy.profile
index 789bdda08..c08398e84 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -7,3 +7,4 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 95a673bf9..7783a05fd 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -23,4 +23,4 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
diff --git a/etc/evince.profile b/etc/evince.profile
index c390dcaf3..3c883d43c 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 nosound
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index cfbae1c74..7764a48c9 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -10,5 +10,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 8542de284..1ab08b568 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
 nosound
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 1ea94a2c7..6796ef7c4 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/firejail.config b/etc/firejail.config
index caaeb6792..55d2faa9f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -17,8 +17,8 @@
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
+# Restricted networking grants access to --interface, --net=ethXXX and
-# only to root user. Regular users are only allowed --net=none.
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 # Enable or disable seccomp support, default enabled.
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
index 94c672acf..77a95aa17 100644
--- a/etc/flashpeak-slimjet.profile
+++ b/etc/flashpeak-slimjet.profile
@@ -18,6 +18,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index ec3698ac8..010b19613 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -7,4 +7,5 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index 7fe43f1f6..fe2f79901 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
+nonewprivs
 noroot
 netfilter
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index f53cb1b4f..ba9fce37b 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 # Call these options
 caps.drop all
 netfilter
+nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d61c57adc..87523d825 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix
+nonewprivs
 noroot
 nogroups
 private-dev
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index 5ab7cfe72..c5d863bd5 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+nonewprivs
 noroot
 private-dev
 seccomp
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index b77555e55..3eb350660 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/kmail.profile b/etc/kmail.profile
index a7079661b..a47945bc6 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -10,5 +10,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
 tracelog
diff --git a/etc/mcabber.profile b/etc/mcabber.profile
index 1d753d7c3..1536194b2 100644
--- a/etc/mcabber.profile
+++ b/etc/mcabber.profile
@@ -11,6 +11,7 @@ caps.drop all
 seccomp
 protocol inet,inet6
 netfilter
+nonewprivs
 noroot
 private-bin mcabber
diff --git a/etc/midori.profile b/etc/midori.profile
index 7fc27e07c..568687058 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -8,4 +8,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
+noroot
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 7b38b411a..c9a99bede 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -16,6 +16,7 @@ mkdir ${HOME}/.config
 mkdir ${HOME}/.config/mupen64plus
 whitelist ${HOME}/.config/mupen64plus/
+nonewprivs
 noroot
 caps.drop all
 seccomp
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 26b621126..e01cace7f 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/okular.profile b/etc/okular.profile
index 7929a8796..5179da787 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix
+nonewprivs
 noroot
 nogroups
 private-dev
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index fc4ea453b..4db9b7adc 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -16,6 +16,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/parole.profile b/etc/parole.profile
index 0c9a72143..c0be0453b 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -11,5 +11,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 shell none
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index fd497f082..767da5f55 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/polari.profile b/etc/polari.profile
index 0bc46f3f7..7910f4e9b 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -24,6 +24,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8bdc745fb..858fdda4d 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -8,5 +8,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
diff --git a/etc/qtox.profile b/etc/qtox.profile
index 80acc3873..ca34e932a 100644
--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -12,4 +12,5 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/quassel.profile b/etc/quassel.profile
index 72004da7f..e68315c1c 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -6,5 +6,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/quiterss.profile b/etc/quiterss.profile
index 411d37dbd..5ad7ead1a 100644
--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -20,6 +20,7 @@ seccomp
 protocol unix,inet,inet6
 netfilter
 tracelog
+nonewprivs
 noroot
 nogroups
 shell none
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 934a374de..09d10b0bb 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -11,6 +11,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 782cd3832..ee0832863 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -7,5 +7,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index ae0430830..9ae2206c1 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -8,5 +8,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 nosound
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index a10d5b0ec..886af0f67 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -10,6 +10,7 @@ seccomp
 protocol unix,inet,inet6,netlink
 netfilter
 tracelog
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/skype.profile b/etc/skype.profile
index 26feac1a4..4c4a34980 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/spotify.profile b/etc/spotify.profile
index fd4586dd5..1ee379dea 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -26,5 +26,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
 netfilter
+nonewprivs
 noroot
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 7b282bde6..0c4621f66 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -9,4 +9,5 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
diff --git a/etc/steam.profile b/etc/steam.profile
index 4c96e8258..ae5e93829 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -8,6 +8,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
 protocol unix,inet,inet6
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 7cb74eeaa..148ec949d 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 # Call these options
 caps.drop all
 netfilter
+nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/telegram.profile b/etc/telegram.profile
index df6b6a270..62a0fa404 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -7,6 +7,7 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/totem.profile b/etc/totem.profile
index d23167b03..f2bce5dee 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -10,5 +10,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index d61d36a8c..e27873f88 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -11,6 +11,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 tracelog
 nosound
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 3db7a5452..2caa923d8 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -11,6 +11,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 tracelog
 nosound
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index ef5aa7d4a..86e7be6fd 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -9,6 +9,7 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 whitelist ${DOWNLOADS}
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index 449d9a168..2049d2bd9 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 netfilter
+nonewprivs
 whitelist ${DOWNLOADS}
 mkdir ~/.config
diff --git a/etc/vlc.profile b/etc/vlc.profile
index 061ae6f78..d26034748 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -9,5 +9,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 netfilter
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index 7588da657..ceeaca012 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -9,6 +9,7 @@ include /etc/firejail/disable-programs.inc
 # Call these options
 caps.drop all
 netfilter
+nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 280a5f9d8..11b5bd10f 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -7,5 +7,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 netfilter
+nonewprivs
 noroot
 netfilter
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index 340ba0db5..61a87d994 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 private-dev
diff --git a/etc/wine.profile b/etc/wine.profile
index ea6db8511..18e5346af 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -9,5 +9,6 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
 noroot
 seccomp
diff --git a/etc/xchat.profile b/etc/xchat.profile
index fcea4245e..f4b273693 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -8,4 +8,5 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 67a46a7da..fb0e3c910 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -10,6 +10,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 tracelog
 netfilter
diff --git a/etc/xreader.profile b/etc/xreader.profile
index a3871a7d3..267330c1f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
+nonewprivs
 noroot
 tracelog
 netfilter
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 33e1e3c68..a0c91f0f3 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -9,5 +9,6 @@ caps.drop all
 seccomp
 protocol unix,inet,inet6
 noroot
+nonewprivs
 tracelog
 netfilter
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cda9e788e..955bd36bf 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1684,6 +1684,18 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
                else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                        }
@@ -1694,6 +1706,18 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+                        // compile time restricted networking
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
+#endif
+                        // run time restricted networking
+                        if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+                                fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+                                exit(1);
+                        }
                        if (checkcfg(CFG_NETWORK)) {
                                arg_netfilter = 1;
                                arg_netfilter_file = argv[i] + 12;
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index dcede2ec6..026765f1a 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -33,8 +33,8 @@ Enable or disable networking features, default enabled.
 \fBrestricted-network
 Enable or disable restricted network support, default disabled. If enabled,
 networking features should also be enabled (network yes).
-Restricted networking grants access to --interface and --net=ethXXX
+Restricted networking grants access to --interface, --net=ethXXX and
-only to root user. Regular users are only allowed --net=none.
+\-\-netfilter only to root user. Regular users are only allowed --net=none.
 .TP
 \fBsecomp