1 files changed, 26 insertions, 0 deletions
diff --git a/README.md b/README.md
index fa8c1ecd5..64ac96f0c 100644
--- a/README.md
+++ b/README.md
@@ -38,3 +38,29 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
 Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
+## STUN/WebRTC disabled in default netfilter configuration
+The  current netfilter configuration looks like this:
+`````
+             *filter
+              :INPUT DROP [0:0]
+              :FORWARD DROP [0:0]
+              :OUTPUT ACCEPT [0:0]
+              -A INPUT -i lo -j ACCEPT
+              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+              # allow ping
+              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+              # drop STUN (WebRTC) requests
+              -A OUTPUT -p udp --dport 3478 -j DROP
+              -A OUTPUT -p udp --dport 3479 -j DROP
+              -A OUTPUT -p tcp --dport 3478 -j DROP
+              -A OUTPUT -p tcp --dport 3479 -j DROP
+              COMMIT
+`````
+The filter is loaded by default for Firefox if a network namespace is configured:
+`````
+$ firejail --net=eth0 firefox
+`````
+\ No newline at end of file

diff --git a/README.md b/README.md index fa8c1ecd5..64ac96f0c 100644 --- a/README.md +++ b/README.md
@@ -38,3 +38,29 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
38		38
39	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).	39	Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
40		40
		41	## STUN/WebRTC disabled in default netfilter configuration
		42
		43	The current netfilter configuration looks like this:
		44	`````
		45	*filter
		46	:INPUT DROP [0:0]
		47	:FORWARD DROP [0:0]
		48	:OUTPUT ACCEPT [0:0]
		49	-A INPUT -i lo -j ACCEPT
		50	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
		51	# allow ping
		52	-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
		53	-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
		54	-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
		55	# drop STUN (WebRTC) requests
		56	-A OUTPUT -p udp --dport 3478 -j DROP
		57	-A OUTPUT -p udp --dport 3479 -j DROP
		58	-A OUTPUT -p tcp --dport 3478 -j DROP
		59	-A OUTPUT -p tcp --dport 3479 -j DROP
		60	COMMIT
		61	`````
		62
		63	The filter is loaded by default for Firefox if a network namespace is configured:
		64	`````
		65	$ firejail --net=eth0 firefox
		66	````` \ No newline at end of file