1 files changed, 39 insertions, 7 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index a5704e995..9e3bce643 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1463,6 +1463,28 @@ $ firejail --name=browser --net=eth0 --netfilter firefox &
 $ firejail --netfilter6.print=browser
 .TP
+\fB\-\-netlock=name/pid
+Several type of programs (email clients, multiplayer games etc.) talk to a very small
+number of IP addresses. But the best example is tor browser. It only talks to a guard node,
+and there are two or three more on standby in case the main one fails.
+During startup, the browser contacts all of them, after that it keeps talking to the main
+one... for weeks!
+Use the network locking feature to build and deploy a network firewall in your sandbox.
+The firewall allows only the network traffic to the IP addresses detected during the program
+startup. Traffic to any other address is quietly dropped. By default the startup monitoring
+time is one minute. Example:
+.br
+.br
+$ firejail --net=eth0 --netlock \\
+.br
+--private=~/tor-browser_en-US ./start-tor-browser.desktop
+.br
+.br
+.TP
 \fB\-\-netmask=address
 Use this option when you want to assign an IP address in a new namespace and
 the parent interface specified by --net is not configured. An IP address and
@@ -1500,25 +1522,35 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 .TP
-\fB\-\-nettrace=name|pid
+\fB\-\-nettrace[=name|pid]
 Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
 created with \-\-net are supported.
 .br
 .br
-$ firejail --nettrace=browser
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+.br
+ $ firejail --nettrace=browser
+.br
+.br
+                        95 KB/s  geoip 457, IP database 4436
+.br
+   52 KB/s ***********           64.222.84.207:443 United States
 .br
-   86 KB/s *********           64.222.84.207:443 United States
+   33 KB/s *******               89.147.74.105:63930 Hungary
 .br
-   76 KB/s ********            192.229.210.163:443 MCI
+    0 B/s                        45.90.28.0:443 NextDNS
 .br
-  111 B/s                      9.9.9.9:53 Quad9 DNS
+    0 B/s                        94.70.122.176:52309(UDP) Greece
 .br
-   32 KB/s ***                 142.250.179.182:443 Google
+  339 B/s                        104.26.7.35:443 Cloudflare
 .br
 .br
-If /usr/bin/geoiplookup is installed (geoip-bin packet in Debian),
+If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
 the country the IP address originates from is added to the trace.
 We also use the static IP map in /etc/firejail/hostnames
 to print the domain names for some of the more common websites and cloud platforms.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index a5704e995..9e3bce643 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1463,6 +1463,28 @@ $ firejail --name=browser --net=eth0 --netfilter firefox &
1463	$ firejail --netfilter6.print=browser	1463	$ firejail --netfilter6.print=browser
1464		1464
1465	.TP	1465	.TP
		1466	\fB\-\-netlock=name/pid
		1467	Several type of programs (email clients, multiplayer games etc.) talk to a very small
		1468	number of IP addresses. But the best example is tor browser. It only talks to a guard node,
		1469	and there are two or three more on standby in case the main one fails.
		1470	During startup, the browser contacts all of them, after that it keeps talking to the main
		1471	one... for weeks!
		1472
		1473	Use the network locking feature to build and deploy a network firewall in your sandbox.
		1474	The firewall allows only the network traffic to the IP addresses detected during the program
		1475	startup. Traffic to any other address is quietly dropped. By default the startup monitoring
		1476	time is one minute. Example:
		1477	.br
		1478
		1479	.br
		1480	$ firejail --net=eth0 --netlock \\
		1481	.br
		1482	--private=~/tor-browser_en-US ./start-tor-browser.desktop
		1483	.br
		1484
		1485	.br
		1486
		1487	.TP
1466	\fB\-\-netmask=address	1488	\fB\-\-netmask=address
1467	Use this option when you want to assign an IP address in a new namespace and	1489	Use this option when you want to assign an IP address in a new namespace and
1468	the parent interface specified by --net is not configured. An IP address and	1490	the parent interface specified by --net is not configured. An IP address and
@@ -1500,25 +1522,35 @@ PID User RX(KB/s) TX(KB/s) Command
1500	.br	1522	.br
1501	7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission	1523	7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
1502	.TP	1524	.TP
1503	\fB\-\-nettrace=name\|pid	1525	\fB\-\-nettrace[=name\|pid]
1504	Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes	1526	Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
1505	created with \-\-net are supported.	1527	created with \-\-net are supported.
1506	.br	1528	.br
1507		1529
1508	.br	1530	.br
1509	$ firejail --nettrace=browser	1531	Without a name/pid, Firejail will monitor the main system network namespace.
		1532	.br
		1533
		1534	.br
		1535	$ firejail --nettrace=browser
		1536	.br
		1537
		1538	.br
		1539	95 KB/s geoip 457, IP database 4436
		1540	.br
		1541	52 KB/s *********** 64.222.84.207:443 United States
1510	.br	1542	.br
1511	86 KB/s ********* 64.222.84.207:443 United States	1543	33 KB/s ******* 89.147.74.105:63930 Hungary
1512	.br	1544	.br
1513	76 KB/s ******** 192.229.210.163:443 MCI	1545	0 B/s 45.90.28.0:443 NextDNS
1514	.br	1546	.br
1515	111 B/s 9.9.9.9:53 Quad9 DNS	1547	0 B/s 94.70.122.176:52309(UDP) Greece
1516	.br	1548	.br
1517	32 KB/s *** 142.250.179.182:443 Google	1549	339 B/s 104.26.7.35:443 Cloudflare
1518	.br	1550	.br
1519		1551
1520	.br	1552	.br
1521	If /usr/bin/geoiplookup is installed (geoip-bin packet in Debian),	1553	If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
1522	the country the IP address originates from is added to the trace.	1554	the country the IP address originates from is added to the trace.
1523	We also use the static IP map in /etc/firejail/hostnames	1555	We also use the static IP map in /etc/firejail/hostnames
1524	to print the domain names for some of the more common websites and cloud platforms.	1556	to print the domain names for some of the more common websites and cloud platforms.