1 files changed, 37 insertions, 15 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e0eb723bc..bf27c07ad 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -858,10 +858,13 @@ be created and configured using "ip netns".
 .TP
 \fB\-\-netfilter
-Enable a default client network filter in the new network namespace.
+Enable a default firewall if a new network namespace is created inside the sandbox.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
+This option has no effect for sandboxes using the system network namespace. 
-\-\-netfilter option does nothing.
+.br
-The default filter is as follows:
+.br
+The default firewall is optimized for regular desktop applications. No incoming
+connections are accepted:
 .br
 .br
@@ -904,19 +907,18 @@ Example:
 $ firejail \-\-net=eth0 \-\-netfilter firefox
 .TP
 \fB\-\-netfilter=filename
-Enable the network filter specified by filename in the new network namespace. The filter file format
+Enable the firewall specified by filename if a new network namespace is created inside the sandbox.
-is the format of iptables-save and iptable-restore commands.
+This option has no effect for sandboxes using the system network namespace.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
-\-\-netfilter option does nothing.
 .br
 .br
-The following filters are available in /etc/firejail directory:
+Please use the regular iptables-save/iptables-restore format for the filter file. The following
+examples are available in /etc/firejail directory:
 .br
 .br
 .B webserver.net
-is a webserver filter that allows access only to TCP ports 80 and 443.
+is a webserver firewall that allows access only to TCP ports 80 and 443.
 Example:
 .br
@@ -928,7 +930,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
 .br
 .B nolocal.net
-is a client filter that disable access to local network. Example:
+is a desktop client firewall that disable access to local network. Example:
 .br
 .br
@@ -936,11 +938,31 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
 .TP
+\fB\-\-netfilter.print=name|pid
+Print the firewall installed in the sandbox specified by name or PID. Example:
+.br
+.br
+$ firejail --net=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter.print=browser
+.TP
 \fB\-\-netfilter6=filename
-Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format
+Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
-is the format of ip6tables-save and ip6table-restore commands.
+This option has no effect for sandboxes using the system network namespace.
-New network namespaces are created using \-\-net option. If a new network namespaces is not created,
+Please use the regular iptables-save/iptables-restore format for the filter file. 
-\-\-netfilter6 option does nothing.
+.TP
+\fB\-\-netfilter6.print=name|pid
+Print the IPv6 firewall installed in the sandbox specified by name or PID. Example:
+.br
+.br
+$ firejail --net=browser --net=eth0 --netfilter firefox &
+.br
+$ firejail --netfilter6.print=browser
 .TP
 \fB\-\-netstats
 Monitor network namespace statistics, see \fBMONITORING\fR section for more details.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e0eb723bc..bf27c07ad 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -858,10 +858,13 @@ be created and configured using "ip netns".
858		858
859	.TP	859	.TP
860	\fB\-\-netfilter	860	\fB\-\-netfilter
861	Enable a default client network filter in the new network namespace.	861	Enable a default firewall if a new network namespace is created inside the sandbox.
862	New network namespaces are created using \-\-net option. If a new network namespaces is not created,	862	This option has no effect for sandboxes using the system network namespace.
863	\-\-netfilter option does nothing.	863	.br
864	The default filter is as follows:	864
		865	.br
		866	The default firewall is optimized for regular desktop applications. No incoming
		867	connections are accepted:
865	.br	868	.br
866		869
867	.br	870	.br
@@ -904,19 +907,18 @@ Example:
904	$ firejail \-\-net=eth0 \-\-netfilter firefox	907	$ firejail \-\-net=eth0 \-\-netfilter firefox
905	.TP	908	.TP
906	\fB\-\-netfilter=filename	909	\fB\-\-netfilter=filename
907	Enable the network filter specified by filename in the new network namespace. The filter file format	910	Enable the firewall specified by filename if a new network namespace is created inside the sandbox.
908	is the format of iptables-save and iptable-restore commands.	911	This option has no effect for sandboxes using the system network namespace.
909	New network namespaces are created using \-\-net option. If a new network namespaces is not created,
910	\-\-netfilter option does nothing.
911	.br	912	.br
912		913
913	.br	914	.br
914	The following filters are available in /etc/firejail directory:	915	Please use the regular iptables-save/iptables-restore format for the filter file. The following
		916	examples are available in /etc/firejail directory:
915	.br	917	.br
916		918
917	.br	919	.br
918	.B webserver.net	920	.B webserver.net
919	is a webserver filter that allows access only to TCP ports 80 and 443.	921	is a webserver firewall that allows access only to TCP ports 80 and 443.
920	Example:	922	Example:
921	.br	923	.br
922		924
@@ -928,7 +930,7 @@ $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
928		930
929	.br	931	.br
930	.B nolocal.net	932	.B nolocal.net
931	is a client filter that disable access to local network. Example:	933	is a desktop client firewall that disable access to local network. Example:
932	.br	934	.br
933		935
934	.br	936	.br
@@ -936,11 +938,31 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
936	.br	938	.br
937	--net=eth0 firefox	939	--net=eth0 firefox
938	.TP	940	.TP
		941	\fB\-\-netfilter.print=name\|pid
		942	Print the firewall installed in the sandbox specified by name or PID. Example:
		943	.br
		944
		945	.br
		946	$ firejail --net=browser --net=eth0 --netfilter firefox &
		947	.br
		948	$ firejail --netfilter.print=browser
		949
		950	.TP
939	\fB\-\-netfilter6=filename	951	\fB\-\-netfilter6=filename
940	Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format	952	Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
941	is the format of ip6tables-save and ip6table-restore commands.	953	This option has no effect for sandboxes using the system network namespace.
942	New network namespaces are created using \-\-net option. If a new network namespaces is not created,	954	Please use the regular iptables-save/iptables-restore format for the filter file.
943	\-\-netfilter6 option does nothing.	955
		956	.TP
		957	\fB\-\-netfilter6.print=name\|pid
		958	Print the IPv6 firewall installed in the sandbox specified by name or PID. Example:
		959	.br
		960
		961	.br
		962	$ firejail --net=browser --net=eth0 --netfilter firefox &
		963	.br
		964	$ firejail --netfilter6.print=browser
		965
944	.TP	966	.TP
945	\fB\-\-netstats	967	\fB\-\-netstats
946	Monitor network namespace statistics, see \fBMONITORING\fR section for more details.	968	Monitor network namespace statistics, see \fBMONITORING\fR section for more details.