19 files changed, 367 insertions, 137 deletions

diff --git a/.gitignore b/.gitignore
index 0882eeecf..52a2718ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ src/ftee/ftee
 src/tags
 src/faudit/faudit
 src/fnet/fnet
+src/fnetfilter/fnetfilter
 src/fseccomp/fseccomp
 src/fcopy/fcopy
 src/fldd/fldd
diff --git a/Makefile.in b/Makefile.in
index 88ed1f476..54b924288 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,6 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
 
@@ -97,6 +97,7 @@ endif
         install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
+        install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
         install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
@@ -167,6 +168,7 @@ install-strip: all
         strip src/ftee/ftee
         strip src/faudit/faudit
         strip src/fnet/fnet
+        strip src/fnet/fnetfilter
         strip src/fseccomp/fseccomp
         strip src/fcopy/fcopy
         strip src/fldd/fldd
diff --git a/README.md b/README.md
index 839afef67..924b2ddb3 100644
--- a/README.md
+++ b/README.md
@@ -210,6 +210,20 @@ $
       --debug-private-lib
               Debug messages for --private-lib option.
 
+       --netfilter.print=name|pid
+              Print  the  firewall installed in the sandbox specified by name
+              or PID. Example:
+
+              $ firejail --net=browser --net=eth0 --netfilter firefox &
+              $ firejail --netfilter.print=browser
+
+       --netfilter6.print=name|pid
+              Print the IPv6 firewall installed in the sandbox  specified  by
+              name or PID. Example:
+
+              $ firejail --net=browser --net=eth0 --netfilter firefox &
+              $ firejail --netfilter6.print=browser
+
 `````
 
 ## New profiles:
diff --git a/RELNOTES b/RELNOTES
index 785cfadc3..db156546c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -25,6 +25,8 @@ firejail (0.9.51) baseline; urgency=low
   * feature: --rlimit-cpu
   * feature: --timeout
   * feature: profile build tool (--build)
+  * feature: --netfilter.print
+  * feature: --netfilter6.print
   * new profiles: upstreamed many profiles from the following sources:
      https://github.com/chiraag-nataraj/firejail-profiles,
      https://github.com/nyancat18/fe,
diff --git a/configure b/configure
index f64aa2dac..cd46ad8fd 100755
--- a/configure
+++ b/configure
@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
+ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -4537,6 +4537,7 @@ do
     "src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
     "src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
     "src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
+    "src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
     "src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
     "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
     "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index 900c8b959..9254a3ee2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,7 +175,7 @@ if test "$prefix" = /usr; then
         sysconfdir="/etc"
 fi
 
-AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
+AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
 
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9fa785450..8955f740d 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -12,15 +12,25 @@
 #
 ###################################################################
 
-
+#allow all loopback traffic
 -A INPUT -i lo -j ACCEPT
+
+# no incoming connections
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ping etc.
 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 
+# accept dns requests going out to a server on the local network
 -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+# drop all local network traffic
 -A OUTPUT -d 192.168.0.0/16 -j DROP
 -A OUTPUT -d 10.0.0.0/8 -j DROP
 -A OUTPUT -d 172.16.0.0/12 -j DROP
+
+# drop multicast traffic
+-A OUTPUT -d 244.0.0.0/4 -j DROP
 COMMIT
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 59bd4b959..f7bebe1b6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -516,7 +516,6 @@ void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
-char *read_text_file_or_exit(const char *fname);
 unsigned extract_timeout(const char *str);
 
 // fs_var.c
@@ -607,6 +606,7 @@ void check_output(int argc, char **argv);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
+void netfilter_print(pid_t pid, int ipv6);
 
 // netns.c
 void check_netns(const char *nsname);
@@ -766,6 +766,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // sbox.c
 // programs
 #define PATH_FNET (LIBDIR "/firejail/fnet")
+#define PATH_FNETFILTER (LIBDIR "/firejail/fnetfilter")
 #define PATH_FIREMON (PREFIX "/bin/firemon")
 #define PATH_FIREJAIL (PREFIX "/bin/firejail")
 #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp")
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 23fdb8a6a..46ee22bf3 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -387,6 +387,7 @@ void fs_private_lib(void) {
         fslib_copy_libs(LIBDIR "/firejail/fcopy");
         fslib_copy_libs(LIBDIR "/firejail/fldd");
         fslib_copy_libs(LIBDIR "/firejail/fnet");
+        fslib_copy_libs(LIBDIR "/firejail/fnetfilter");
         fslib_copy_libs(LIBDIR "/firejail/fseccomp");
         fslib_copy_libs(LIBDIR "/firejail/ftee");
         // mount lib filesystem
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c8b347b5f..d6b0a230e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -429,6 +429,18 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("networking");
                 exit(0);
         }
+        else if (strncmp(argv[i], "--netfilter.print=", 18) == 0) {
+                // extract pid or sandbox name
+                pid_t pid = read_pid(argv[i] + 18);
+                netfilter_print(pid, 0);
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--netfilter6.print=", 19) == 0) {
+                // extract pid or sandbox name
+                pid_t pid = read_pid(argv[i] + 19);
+                netfilter_print(pid, 1);
+                exit(0);
+        }
 #endif
         //*************************************
         // independent commands - the program will exit!
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index cb0d9d7af..e1d0edd01 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -24,33 +24,24 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 
-static char *client_filter =
-"*filter\n"
-":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
-":OUTPUT ACCEPT [0:0]\n"
-"-A INPUT -i lo -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
-"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
-"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
-"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
-"# disable STUN\n"
-"-A OUTPUT -p udp --dport 3478 -j DROP\n"
-"-A OUTPUT -p udp --dport 3479 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
-"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
-"COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
         EUID_ASSERT();
-        invalid_filename(fname, 0); // no globbing
 
-        if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
-                fprintf(stderr, "Error: invalid network filter file %s\n", fname);
+        char *tmp = strdup(fname);
+        if (!tmp)
+                errExit("strdup");
+        char *ptr = strchr(tmp, ',');
+        if (ptr)
+                *ptr = '\0';
+
+        invalid_filename(tmp, 0); // no globbing
+
+        if (is_dir(tmp) || is_link(tmp) || strstr(tmp, "..") || access(tmp, R_OK )) {
+                fprintf(stderr, "Error: invalid network filter file %s\n", tmp);
                 exit(1);
         }
+        free(tmp);
 }
 
 
@@ -72,41 +63,28 @@ void netfilter(const char *fname) {
                 return;
         }
 
-        // read filter
-        char *filter = client_filter;
-        int allocated = 0;
-        if (netfilter_default)
-                fname = netfilter_default;
-        if (fname) {
-                filter = read_text_file_or_exit(fname);
-                allocated = 1;
-        }
-
-        // create the filter file
-        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
+        if (arg_debug)
+                printf("Installing firewall\n");
 
+        // create an empty user-owned SBOX_STDIN_FILE
+        create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+        if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+                errExit("set_perms");
 
-        // push filter
-        if (arg_debug)
-                printf("Installing network filter:\n%s\n", filter);
+        if (fname == NULL)
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FNETFILTER, SBOX_STDIN_FILE);
+        else
+                sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
         // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
         // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-        sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
+        sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
         unlink(SBOX_STDIN_FILE);
 
         // debug
         if (arg_debug)
                 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
 
-        if (allocated)
-                free(filter);
         return;
 }
 
@@ -131,29 +109,91 @@ void netfilter6(const char *fname) {
                 return;
         }
 
-        // create the filter file
-        char *filter = read_text_file_or_exit(fname);
-        FILE *fp = fopen(SBOX_STDIN_FILE, "w");
-        if (!fp) {
-                fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
-                exit(1);
-        }
-        fprintf(fp, "%s\n", filter);
-        fclose(fp);
-
-        // push filter
         if (arg_debug)
-                printf("Installing network filter:\n%s\n", filter);
+                printf("Installing IPv6 firewall\n");
+
+        // create an empty user-owned SBOX_STDIN_FILE
+        create_empty_file_as_root(SBOX_STDIN_FILE, 0644);
+        if (set_perms(SBOX_STDIN_FILE, getuid(), getgid(), 0644))
+                errExit("set_perms");
+
+        sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FNETFILTER, fname, SBOX_STDIN_FILE);
 
         // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
         // we run this command with caps and seccomp disabled in order to allow the loading of these modules
-        sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
+        sbox_run(SBOX_ROOT | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
         unlink(SBOX_STDIN_FILE);
 
         // debug
         if (arg_debug)
                 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
 
-        free(filter);
         return;
 }
+
+void netfilter_print(pid_t pid, int ipv6) {
+        EUID_ASSERT();
+
+        // verify sandbox
+        EUID_ROOT();
+        char *comm = pid_proc_comm(pid);
+        EUID_USER();
+        if (!comm) {
+                fprintf(stderr, "Error: cannot find sandbox\n");
+                exit(1);
+        }
+
+        // check for firejail sandbox
+        if (strcmp(comm, "firejail") != 0) {
+                fprintf(stderr, "Error: cannot find sandbox\n");
+                exit(1);
+        }
+        free(comm);
+
+        // check network namespace
+        char *name;
+        if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(name, &s) == -1) {
+                fprintf(stderr, "Error: the sandbox doesn't use a new network namespace\n");
+                exit(1);
+        }
+
+        // join the network namespace
+        pid_t child;
+        if (find_child(pid, &child) == -1) {
+                fprintf(stderr, "Error: cannot join the network namespace\n");
+                exit(1);
+        }
+
+        EUID_ROOT();
+        if (join_namespace(child, "net")) {
+                fprintf(stderr, "Error: cannot join the network namespace\n");
+                exit(1);
+        }
+
+        // find iptables executable
+        char *iptables = NULL;
+        char *iptables_restore = NULL;
+        if (ipv6) {
+                if (stat("/sbin/ip6tables", &s) == 0)
+                        iptables = "/sbin/ip6tables";
+                else if (stat("/usr/sbin/ip6tables", &s) == 0)
+                        iptables = "/usr/sbin/ip6tables";
+        }
+        else {
+                if (stat("/sbin/iptables", &s) == 0)
+                        iptables = "/sbin/iptables";
+                else if (stat("/usr/sbin/iptables", &s) == 0)
+                        iptables = "/usr/sbin/iptables";
+        }
+
+        if (iptables == NULL) {
+                fprintf(stderr, "Error: iptables command not found\n");
+                exit(1);
+        }
+
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
+}
+
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 1d6cc2353..274a4353f 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -104,13 +104,6 @@ static struct sock_fprog prog = {
         .filter = filter,
 };
 
-typedef struct sbox_config {
-        char *name;
-        char *path;
-        unsigned filters;
-} SboxConfig;
-
-
 int sbox_run(unsigned filter, int num, ...) {
         EUID_ROOT();
 
@@ -142,7 +135,7 @@ int sbox_run(unsigned filter, int num, ...) {
                 if (filter & SBOX_STDIN_FROM_FILE) {
                         int fd;
                         if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
-                                fprintf(stderr,"Error: cannot open /tmp/netfilter\n");
+                                fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
                                 exit(1);
                         }
                         dup2(fd,STDIN_FILENO);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 38de99471..f1581e847 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -122,8 +122,10 @@ void usage(void) {
         printf("    --net=ethernet_interface - enable network namespaces and connect to this\n");
         printf("\tEthernet interface.\n");
         printf("    --net=none - enable a new, unconnected network namespace.\n");
-        printf("    --netfilter[=filename] - enable the default client network filter.\n");
-        printf("    --netfilter6=filename - enable the IPv6 network filter.\n");
+        printf("    --netfilter[=filename] - enable firewall.\n");
+        printf("    --netfilter.print=name|pid - print the firewall.\n");
+        printf("    --netfilter6=filename - enable IPv6 firewall.\n");
+        printf("    --netfilter6.print=name|pid - print the IPv6 firewall.\n");
         printf("    --netns=name - Run the program in a named, persistent network namespace.\n");
         printf("    --netstats - monitor network statistics.\n");
 #endif
diff --git a/src/firejail/util.c b/src/firejail/util.c
index cea2b76e3..fde180e49 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -908,49 +908,6 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
         ASSERT_PERMS(fname, uid, gid, mode);
 }
 
-char *read_text_file_or_exit(const char *fname) {
-        assert(fname);
-
-        // open file
-        int fd = open(fname, O_RDONLY);
-        if (fd == -1) {
-                fprintf(stderr, "Error: cannot read %s\n", fname);
-                exit(1);
-        }
-
-        int size = lseek(fd, 0, SEEK_END);
-        if (size == -1)
-                goto errexit;
-        if (lseek(fd, 0 , SEEK_SET) == -1)
-                goto errexit;
-
-        // allocate memory
-        char *data = malloc(size + 1);    // + '\0'
-        if (data == NULL)
-                goto errexit;
-        memset(data, 0, size + 1);
-
-        // read file
-        int rd = 0;
-        while (rd < size) {
-                int rv = read(fd, (unsigned char *) data + rd, size - rd);
-                if (rv == -1) {
-                        goto errexit;
-                }
-                rd += rv;
-        }
-
-        // close file
-        close(fd);
-        return data;
-
-errexit:
-        close(fd);
-        fprintf(stderr, "Error: cannot read %s\n", fname);
-        exit(1);
-}
-
-
 unsigned extract_timeout(const char *str) {
         unsigned s;
         unsigned m;
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
new file mode 100644
index 000000000..1063737e1
--- /dev/null
+++ b/src/fnetfilter/Makefile.in
@@ -0,0 +1,45 @@
+all: fnetfilter
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+
+H_FILE_LIST       = $(sort $(wildcard *.[h]))
+C_FILE_LIST       = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS =  $(foreach file, $(OBJS), $file)
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"'  -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
+        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
+
+fnetfilter: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -f *.o fnetfilter *.gcov *.gcda *.gcno
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
new file mode 100644
index 000000000..67ab31832
--- /dev/null
+++ b/src/fnetfilter/main.c
@@ -0,0 +1,115 @@
+ /*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+
+#define MAXBUF 4098
+int arg_quiet = 0;
+
+static char *default_filter =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT ACCEPT [0:0]\n"
+"-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
+"COMMIT\n";
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnetfilter netfilter-command destination-file\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+        char *quiet = getenv("FIREJAIL_QUIET");
+        if (quiet && strcmp(quiet, "yes") == 0)
+                arg_quiet = 1;
+
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+        if (argc != 2 && argc != 3) {
+                usage();
+                return 1;
+        }
+
+        char *destfile = (argc == 3)? argv[2]: argv[1];
+        char *command = (argc == 3)? argv[1]: NULL;     
+//printf("command %s\n", command);
+//printf("destfile %s\n", destfile);
+
+        // handle default config (command = NULL, destfile)
+        if (command == NULL) {
+                // create a default filter file
+                FILE *fp = fopen(destfile, "w");
+                if (!fp) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                fprintf(fp, "%s\n", default_filter);
+                fclose(fp);
+        }
+        else {
+                // copy the file
+                FILE *fp1 = fopen(command, "r");
+                if (!fp1) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", command);
+                        exit(1);
+                }
+
+                FILE *fp2 = fopen(destfile, "w");
+                if (!fp2) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp1))
+                        fprintf(fp2, "%s", buf);
+
+                fclose(fp1);
+                fclose(fp2);
+        }
+        
+
+printf("fnetfilter running\n");
+        return 0;
+}
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e0eb723bc..bf27c07ad 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -858,10 +858,13 @@ be created and configured using "ip netns".
 
 .TP
 \fB\-\-netfilter
-Enable a default client network filter in the new network namespace.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter option does nothing.
-The default filter is as follows:
+Enable a default firewall if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace. 
+.br
+
+.br
+The default firewall is optimized for regular desktop applications. No incoming
+connections are accepted:
 .br
 
 .br
@@ -904,19 +907,18 @@ Example:
 $ firejail \-\-net=eth0 \-\-netfilter firefox
 .TP
 \fB\-\-netfilter=filename
-Enable the network filter specified by filename in the new network namespace. The filter file format
-is the format of iptables-save and iptable-restore commands.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter option does nothing.
+Enable the firewall specified by filename if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace.
 .br
 
 .br
-The following filters are available in /etc/firejail directory:
+Please use the regular iptables-save/iptables-restore format for the filter file. The following
+examples are available in /etc/firejail directory:
 .br
 
 .br
 .B webserver.net
-is a webserver filter that allows access only to TCP ports 80 and 443.
+is a webserver firewall that allows access only to TCP ports 80 and 443.
 Example:
 .br
 
@@ -928,7 +930,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
 
 .br
 .B nolocal.net
-is a client filter that disable access to local network. Example:
+is a desktop client firewall that disable access to local network. Example:
 .br
 
 .br
@@ -936,11 +938,31 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
 .TP
+\fB\-\-netfilter.print=name|pid
+Print the firewall installed in the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter.print=browser
+
+.TP
 \fB\-\-netfilter6=filename
-Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format
-is the format of ip6tables-save and ip6table-restore commands.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter6 option does nothing.
+Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
+This option has no effect for sandboxes using the system network namespace.
+Please use the regular iptables-save/iptables-restore format for the filter file. 
+
+.TP
+\fB\-\-netfilter6.print=name|pid
+Print the IPv6 firewall installed in the sandbox specified by name or PID. Example:
+.br
+
+.br
+$ firejail --net=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter6.print=browser
+
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see \fBMONITORING\fR section for more details.
diff --git a/test/network/ip6.exp b/test/network/ip6.exp
index 26780e167..c55f690db 100755
--- a/test/network/ip6.exp
+++ b/test/network/ip6.exp
@@ -10,7 +10,7 @@ match_max 100000
 send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing network filter"
+        "Installing IPv6 firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -46,10 +46,12 @@ send -- "exit\r"
 sleep 2
 
 
+
+
 send -- "firejail --debug --profile=ip6.profile\r"
 expect {
         timeout {puts "TESTING ERROR 10\n";exit}
-        "Installing network filter"
+        "Installing IPv6 firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 11\n";exit}
@@ -82,7 +84,17 @@ expect {
 }
 
 send -- "exit\r"
+sleep 2
 
+send -- "firejail --debug --netfilter6=ipv6.net\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit}
+        "Child process initialized"
+}
 after 100
+send -- "exit\r"
 
+
+after 100
 puts "\nall done\n"
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 52fd3bf11..8f371bafc 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -11,7 +11,7 @@ match_max 100000
 send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r"
 expect {
         timeout {puts "TESTING ERROR 0\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
@@ -51,7 +51,7 @@ sleep 1
 send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
 expect {
         timeout {puts "TESTING ERROR 6\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 6.1\n";exit}
@@ -71,7 +71,7 @@ sleep 1
 send -- "firejail --debug --net=br0 --ip=10.10.20.5 --profile=netfilter.profile\r"
 expect {
         timeout {puts "TESTING ERROR 7\n";exit}
-        "Installing network filter"
+        "Installing firewall"
 }
 expect {
         timeout {puts "TESTING ERROR 7.1\n";exit}