Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 54 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 8 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/fnettrace-dns/main.c | 22 | ||||
-rw-r--r-- | src/fnettrace-sni/main.c | 19 | ||||
-rw-r--r-- | src/fnettrace/static-ip-map | 24 | ||||
-rw-r--r-- | src/man/firejail.txt | 86 |
8 files changed, 194 insertions, 25 deletions
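--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -675,7 +675,7 @@ void check_output(int argc, char **argv);
 
 // netfilter.c
 void netfilter_netlock(pid_t pid);
-void netfilter_trace(pid_t pid);
+void netfilter_trace(pid_t pid, const char *cmd);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);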
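--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -419,7 +419,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 fprintf(stderr, "Error: --nettrace is only available to root user\n");
 exit(1);
 }
-netfilter_trace(0);
+netfilter_trace(0, LIBDIR "/firejail/fnettrace");
 }
 else
 exit_err_feature("networking");
@@ -432,7 +432,57 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(1);
 }
 pid_t pid = require_pid(argv[i] + 11);
-netfilter_trace(pid);
+netfilter_trace(pid, LIBDIR "/firejail/fnettrace");
+}
+else
+exit_err_feature("networking");
+exit(0);
+}
+else if (strcmp(argv[i], "--nettrace-dns") == 0) {
+if (checkcfg(CFG_NETWORK)) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");
+exit(1);
+}
+netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
+}
+else
+exit_err_feature("networking");
+exit(0);
+}
+else if (strncmp(argv[i], "--nettrace-dns=", 15) == 0) {
+if (checkcfg(CFG_NETWORK)) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --nettrace is only available to root user\n");
+exit(1);
+}
+pid_t pid = require_pid(argv[i] + 15);
+netfilter_trace(pid, LIBDIR "/firejail/fnettrace-dns");
+}
+else
+exit_err_feature("networking");
+exit(0);
+}
+else if (strcmp(argv[i], "--nettrace-sni") == 0) {
+if (checkcfg(CFG_NETWORK)) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --nettrace is only available to root user\n");
+exit(1);
+}
+netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
+}
+else
+exit_err_feature("networking");
+exit(0);
+}
+else if (strncmp(argv[i], "--nettrace-sni=", 15) == 0) {
+if (checkcfg(CFG_NETWORK)) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: --nettrace is only available to root user\n");
+exit(1);
+}
+pid_t pid = require_pid(argv[i] + 15);
+netfilter_trace(pid, LIBDIR "/firejail/fnettrace-sni");
 }
 else
 exit_err_feature("networking");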
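Review bot: The root-only error messages in the new `--nettrace-dns=`, `--nettrace-sni` and `--nettrace-sni=` blocks (new lines 456, 469 and 481) still name `--nettrace`, so a refused user is told about a different option than the one they typed; they should read `fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");` and `fprintf(stderr, "Error: --nettrace-sni is only available to root user\n");` respectively. The five blocks are copies of each other differing only in the option string, its length and the helper path, which is how the messages drifted; a small static table of {option, prefix length, helper path} walked by one loop would keep them in step and make the next tracer a one-line addition. The helper paths are compile-time `LIBDIR` constants, so nothing user-controlled reaches the `sh -c` inside netfilter_trace, and it is worth keeping it that way when the table is introduced. run_cmd_and_exit starts and ends outside the hunk.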
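--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -91,24 +91,20 @@ void netfilter_netlock(pid_t pid) {
 // it will never get here!!
 }
 
-void netfilter_trace(pid_t pid) {
+void netfilter_trace(pid_t pid, const char *cmd) {
 EUID_ASSERT();
 
 // a pid of 0 means the main system network namespace
 if (pid)
 enter_network_namespace(pid);
 
-char *cmd;
-if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
-errExit("asprintf");
-
 //************************
 // build command
 //************************
 char *arg[4];
 arg[0] = "/bin/sh";
 arg[1] = "-c";
-arg[2] = cmd;
+arg[2] = (char *) cmd;
 arg[3] = NULL;
 
 clearenv();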
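Review bot: `cmd` is now a caller-supplied string that is handed verbatim to `/bin/sh -c` (new lines 105–107), so the function's unwritten contract is that every caller passes a trusted constant; the only values in this commit are fixed `LIBDIR` paths with no shell syntax, so the shell indirection buys nothing and it would be simpler and safer to exec the helper directly with `char *arg[2]; arg[0] = (char *) cmd; arg[1] = NULL;`, which also removes the shell from the namespace's process tree and leaves the `(char *) cmd` cast with only execv's non-const argv as its reason. If the `sh -c` wrapper is kept deliberately, a comment on the prototype such as `// cmd is run via sh -c: callers must pass a constant, trusted path` would stop a future caller from assembling it from a name or argument. The exec call itself is below the hunk, so which exec variant is used is not visible here.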
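--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -153,7 +153,9 @@ static char *usage_str =
 "\tparent interfaces.\n"
 " --netns=name - Run the program in a named, persistent network namespace.\n"
 " --netstats - monitor network statistics.\n"
-" --nettrace - monitor TCP and UDP traffic coming into the sandbox.\n"
+" --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
+" --nettrace - monitor DNS queries.\n"
+" --nettrace - monitor Server Name Indiication (TLS/SNI).\n"
 #endif
 " --nice=value - set nice value.\n"
 " --no3d - disable 3D hardware acceleration.\n"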
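Review bot: New lines 157 and 158 list both new tracers under the name `--nettrace`, so the usage text never shows the option names a user has to type, and line 158 misspells Indication; they should read `" --nettrace-dns - monitor DNS queries.\n"` and `" --nettrace-sni - monitor Server Name Indication (TLS/SNI).\n"`. Neither entry shows the `[=name|pid]` form that main.c accepts, but the existing `--nettrace` entry omits it too, so that is at least consistent. usage_str starts and ends outside the hunk.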
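--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -24,6 +24,8 @@
 #include <linux/if_ether.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
+static char last[512] = {'\0'};
+
 // pkt - start of DNS layer
 void print_dns(uint32_t ip_src, unsigned char *pkt) {
 assert(pkt);
@@ -33,6 +35,8 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 time_t seconds = time(NULL);
 struct tm *t = localtime(&seconds);
 
+int nxdomain = (*(pkt + 3) & 0x03 == 0x03)? 1: 0;
+
 // expecting a single question count
 if (pkt[4] != 0 || pkt[5] != 1)
 goto errout;
@@ -49,8 +53,24 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
 len += delta;;
 ptr += delta;
 }
+if (*ptr != 0)
+goto errout;
+
+ptr++;
+uint16_t type;
+memcpy(&type, ptr, 2);
+type = ntohs(type);
+
+// filter output
+char tmp[sizeof(last)];
+snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s (type %u)%s",
+t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1,
+type, (nxdomain)? " NXDOMAIN": "");
+if (strcmp(tmp, last)) {
+printf("%s\n", tmp);
+strcpy(last, tmp);
+}
 
-printf("%02d:%02d:%02d %15s %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1);
 return;
 
 errout: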
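Review bot: The NXDOMAIN test on new line 38, `*(pkt + 3) & 0x03 == 0x03`, is parsed as `*(pkt + 3) & (0x03 == 0x03)`, i.e. `pkt[3] & 1`, because `==` binds tighter than `&`; the flag is therefore raised for any odd RCODE (FORMERR, REFUSED, …) and stays clear for nothing in particular, and gcc's -Wparentheses reports exactly this. RCODE is the low four bits of that byte, so the line should be `int nxdomain = ((pkt[3] & 0x0f) == 0x03) ? 1 : 0;`. Separately, the new `*ptr` check and the two-byte `memcpy` of the QTYPE (new lines 56–62) are not bounded by the captured length and print_dns takes no length parameter, so a truncated or malformed reply presumably lets them read past the buffer — worth confirming against the caller, since the label walk above them shows no limit either. print_dns is spread over the three hunks and its errout path continues past the last one.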
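--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -24,6 +24,8 @@
 #include <linux/if_ether.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
+static char last[512] = {'\0'};
+
 // pkt - start of TLS layer
 static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
 assert(pkt);
@@ -67,18 +69,25 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
 i++;
 }
 
-if (name)
-printf("%02d:%02d:%02d %15s %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+if (name) {
+// filter output
+char tmp[sizeof(last)];
+snprintf(tmp, sizeof(last), "%02d:%02d:%02d %-15s %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+if (strcmp(tmp, last)) {
+printf("%s\n", tmp);
+strcpy(last, tmp);
+}
+}
 else
 goto nosni;
 return;
 
 errout:
-printf("%02d:%02d:%02d %15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+printf("%02d:%02d:%02d %-15s Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
 return;
 
 nosni:
-printf("%02d:%02d:%02d %15s no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+printf("%02d:%02d:%02d %-15s no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
 return;
 }
 
@@ -131,7 +140,7 @@ static void custom_bpf(int sock) {
 }
 
 static void run_trace(void) {
-// grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53
+// grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
 int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
 if (s < 0)
 errExit("socket");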
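Review bot: New line 75 formats `name` with `%s`, but nothing in the hunk shows that the SNI bytes are NUL-terminated or bounded by `len`; if `name` is only a pointer into `pkt` set by the loop above, a ClientHello whose server_name length field runs past the captured bytes would let snprintf read beyond the buffer until it happens on a NUL — to be confirmed against the parser, which is outside the hunk. If the parser already holds the name length, printing with `%.*s` and that length, clamped to what remains of `len`, closes this regardless of termination. The dedup buffer itself is safe: `tmp` and `last` share a size and snprintf always terminates, so the `strcpy` on line 78 cannot overrun. print_tls starts before the hunk and only the tail of its parsing loop is visible.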
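--- a/src/fnettrace/static-ip-map
+++ b/src/fnettrace/static-ip-map
@@ -78,6 +78,7 @@
 45.90.28.0/22 NextDNS
 149.112.112.0/24 Quad9 DNS
 149.112.120.0/21 CIRA DNS Canada
+146.255.56.96/29 Applied Privacy
 176.103.128.0/19 Adguard DNS
 185.228.168.0/24 Cleanbrowsing DNS
 208.67.216.0/21 OpenDNS
@@ -94,13 +95,14 @@
 
 # some popular websites
 23.160.0.0/24 Twitch
-23.246.0.0/18, Netflix
+23.246.0.0/18 Netflix
 31.13.24.0/21 Facebook
 31.13.64.0/18 Facebook
 37.77.184.0/21 Netflix
 45.57.0.0/17 Netflix
 45.58.64.0/20 Dropbox
 45.113.128.0/22 Twitch
+47.88.0.0/14 Alibaba
 52.223.192.0/18 Twitch
 63.245.208.0/23 Mozilla
 64.63.0.0/18 Twitter
@@ -122,12 +124,12 @@
 99.181.64.0/18 Twitch
 103.53.48.0/23 Twitch
 104.244.40.0/21 Twitter
-129.134.0.0/16 Facebook
-140.82.112.0/20 GitHub
 103.10.124.0/23 Steam
 103.28.54.0/24 Steam
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.134.0.0/16 Facebook
+140.82.112.0/20 GitHub
 143.55.64.0/20 Github
 146.66.152.0/24 Steam
 146.66.155.0/24 Steam
@@ -146,6 +148,7 @@
 162.125.0.0/16 Dropbox
 162.213.32.0/22 Ubuntu One
 162.254.192.0/21 Steam
+172.98.56.0/22 Rumble
 185.2.220.0/22 Netflix
 185.9.188.0/22 Netflix
 185.25.182.0/23 Steam
@@ -156,6 +159,7 @@
 185.105.164.0/24 Dropbox
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
+185.205.69.0/24 Tutanota
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -179,9 +183,23 @@
 208.78.164.0/22 Steam
 208.80.152.0/22 Wikipedia
 
+# WholeSale Internet
+69.197.128.0/18 WholeSale Internet
+173.208.128.0/17 WholeSale Internet
+204.12.192.0/18 WholeSale Internet
+208.110.64.0/19 WholeSale Internet
+208.110.91.0/24 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
+
 # StackPath
+69.16.173.0/24 StackPath
+69.16.174.0/23 StackPath
+69.16.176.0/20 StackPath
 151.139.0.0/16 StackPath
 
+# Linode
+172.104.0.0/15 Linode
+
 # Akamai
 23.0.0.0/12 Akamai
 23.32.0.0/11 Akamai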
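--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1548,7 +1548,7 @@ PID User RX(KB/s) TX(KB/s) Command
 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
 .TP
 \fB\-\-nettrace[=name|pid]
-Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
+Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
 created with \-\-net are supported. This option is only available when running the sandbox as root.
 .br
 
@@ -1557,9 +1557,7 @@ Without a name/pid, Firejail will monitor the main system network namespace.
 .br
 
 .br
 $ sudo firejail --nettrace=browser
-.br
-
 .br
 95 KB/s geoip 457, IP database 4436
 .br
@@ -1576,10 +1574,86 @@ Without a name/pid, Firejail will monitor the main system network namespace.
 
 .br
 If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
-the country the IP address originates from is added to the trace.
-We also use the static IP map in /etc/firejail/hostnames
+the country the traffic originates from is added to the trace.
+We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
+.TP
+\fB\-\-nettrace-dns[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --nettrace-dns=browser
+.br
+11:31:43 9.9.9.9 linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 www.linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:06 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:08 9.9.9.9 taikai.network (type 1)
+.br
+11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
+.br
+11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
+.br
+11:32:08 9.9.9.9 www.youtube.com (type 1)
+.br
+.TP
+\fB\-\-nettrace-sni[=name|pid]
+Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --nettrace-sni=browser
+.br
+07:49:51 23.185.0.3 linux.com
+.br
+07:49:51 23.185.0.3 www.linux.com
+.br
+07:50:05 192.0.73.2 secure.gravatar.com
+.br
+07:52:35 172.67.68.93 www.howtoforge.com
+.br
+07:52:37 13.225.103.59 sf.ezoiccdn.com
+.br
+07:52:42 142.250.176.3 www.gstatic.com
+.br
+07:53:03 173.236.250.32 www.linuxlinks.com
+.br
+07:53:05 192.0.77.37 c0.wp.com
+.br
+07:53:08 192.0.78.32 jetpack.wordpress.com
+.br
+07:53:09 192.0.77.32 s0.wp.com
+.br
+07:53:09 192.0.77.2 i0.wp.com
+.br
+07:53:10 192.0.77.2 i0.wp.com
+.br
+07:53:11 192.0.73.2 1.gravatar.com
+.br
 #endif
 .TP
 \fB\-\-nice=value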