1 files changed, 32 insertions, 78 deletions

diff --git a/README.md b/README.md
index 812ad4008..5f3ffbd8a 100644
--- a/README.md
+++ b/README.md
@@ -31,97 +31,51 @@ Features: https://firejail.wordpress.com/features-3/
 Documentation: https://firejail.wordpress.com/documentation-2/
 
 FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
-
-# Current development version: 0.9.37
-
-## Symlink invocation
-
-This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under
-the name of the program you want to run, and put the link in the first $PATH position (for
-example in /usr/local/bin). Example:
 `````
-$ which -a transmission-gtk 
-/usr/bin/transmission-gtk
-
-$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk
 
-$ which -a transmission-gtk 
-/usr/local/bin/transmission-gtk
-/usr/bin/transmission-gtk
 `````
-We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail.
-The second one is the real program. Starting transmission in this moment, invokes "firejail transmission-gtk"
+# Current development version: 0.9.39
 `````
-$ transmission-gtk
-Redirecting symlink to /usr/bin/transmission-gtk
-Reading profile /etc/firejail/transmission-gtk.profile
-Reading profile /etc/firejail/disable-mgmt.inc
-Reading profile /etc/firejail/disable-secret.inc
-Reading profile /etc/firejail/disable-common.inc
-Reading profile /etc/firejail/disable-devel.inc
-Parent pid 19343, child pid 19344
-Blacklist violations are logged to syslog
-Child process initialized
-`````
-
 
-## IPv6 support:
 `````
-      --ip6=address
-              Assign IPv6 addresses to the last network interface defined by a
-              --net option.
-
-              Example:
-              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
 
-       --netfilter6=filename
-              Enable the IPv6 network filter specified by filename in the  new
-              network  namespace.  The  filter  file  format  is the format of
-              ip6tables-save  and  ip6table-restore  commands.   New   network
-              namespaces  are  created  using  --net  option. If a new network
-              namespaces is not created, --netfilter6 option does nothing.
+## Default seccomp filter update
 
-`````
+Currently 50 syscalls are blacklisted by default, out of a total of 318 calls (AMD64, Debian Jessie).
 
-## join command enhancements
+## STUN/WebRTC disabled in default netfilter configuration
 
+The  current netfilter configuration (--netfilter option) looks like this:
 `````
-       --join-filesystem=name
-              Join the mount namespace of the sandbox identified by  name.  By
-              default  a /bin/bash shell is started after joining the sandbox.
-              If a program is specified, the program is run  in  the  sandbox.
-              This  command is available only to root user.  Security filters,
-              cgroups and cpus configurations are not applied to  the  process
-              joining the sandbox.
-
-       --join-filesystem=pid
-              Join  the  mount  namespace of the sandbox identified by process
-              ID. By default a /bin/bash shell is started  after  joining  the
-              sandbox.   If  a program is specified, the program is run in the
-              sandbox. This command is available only to root user.   Security
-              filters,  cgroups and cpus configurations are not applied to the
-              process joining the sandbox.
-
-      --join-network=name
-              Join the network namespace of the sandbox identified by name. By
-              default  a /bin/bash shell is started after joining the sandbox.
-              If a program is specified, the program is run  in  the  sandbox.
-              This  command is available only to root user.  Security filters,
-              cgroups and cpus configurations are not applied to  the  process
-              joining the sandbox.
-
-       --join-network=pid
-              Join  the network namespace of the sandbox identified by process
-              ID. By default a /bin/bash shell is started  after  joining  the
-              sandbox.   If  a program is specified, the program is run in the
-              sandbox. This command is available only to root user.   Security
-              filters,  cgroups and cpus configurations are not applied to the
-              process joining the sandbox.
-
+             *filter
+              :INPUT DROP [0:0]
+              :FORWARD DROP [0:0]
+              :OUTPUT ACCEPT [0:0]
+              -A INPUT -i lo -j ACCEPT
+              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+              # allow ping
+              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+              # drop STUN (WebRTC) requests
+              -A OUTPUT -p udp --dport 3478 -j DROP
+              -A OUTPUT -p udp --dport 3479 -j DROP
+              -A OUTPUT -p tcp --dport 3478 -j DROP
+              -A OUTPUT -p tcp --dport 3479 -j DROP
+              COMMIT
 `````
 
+The filter is loaded by default for Firefox if a network namespace is configured:
+`````
+$ firejail --net=eth0 firefox
+`````
 
-## New profiles: KMail
-
+## Set sandbox nice value
+`````
+      --nice=value
+              Set nice value for all processes running inside the sandbox.
 
+              Example:
+              $ firejail --nice=-5 firefox
+`````