From a0985a135392c0776d45cf8e27ebf15bc7fff198 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 23 Oct 2022 07:38:29 -0400
Subject: dnstrace and snitrace

---
 src/man/firejail.txt | 159 +++++++++++++++++++++++++++------------------------
 1 file changed, 83 insertions(+), 76 deletions(-)

(limited to 'src/man/firejail.txt')

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c26d21ec9..49fd18a04 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -779,6 +779,46 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-dnstrace[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --dnstrace=browser
+.br
+11:31:43 9.9.9.9 linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45 9.9.9.9 www.linux.com (type 1)
+.br
+11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:06 9.9.9.9 secure.gravatar.com (type 1)
+.br
+11:32:08 9.9.9.9 taikai.network (type 1)
+.br
+11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
+.br
+11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
+.br
+11:32:08 9.9.9.9 www.youtube.com (type 1)
+.br
+#endif
+
 .TP
 \fB\-\-env=name=value
 Set environment variable in the new sandbox.
@@ -1578,82 +1618,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map to print the domain names for some of the more common websites and cloud platforms. No external services are contacted for reverse IP lookup.
-.TP
-\fB\-\-nettrace-dns[=name|pid]
-Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
- .br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
- .br
-$ sudo firejail --nettrace-dns=browser
-.br
-11:31:43 9.9.9.9 linux.com (type 1)
-.br
-11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:31:45 9.9.9.9 www.linux.com (type 1)
-.br
-11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:32:05 9.9.9.9 secure.gravatar.com (type 1)
-.br
-11:32:06 9.9.9.9 secure.gravatar.com (type 1)
-.br
-11:32:08 9.9.9.9 taikai.network (type 1)
-.br
-11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
-.br
-11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
-.br
-11:32:08 9.9.9.9 www.youtube.com (type 1)
-.br
-.TP
-\fB\-\-nettrace-sni[=name|pid]
-Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
- .br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br - -.br -$ sudo firejail --nettrace-sni=browser -.br -07:49:51 23.185.0.3 linux.com -.br -07:49:51 23.185.0.3 www.linux.com -.br -07:50:05 192.0.73.2 secure.gravatar.com -.br -07:52:35 172.67.68.93 www.howtoforge.com -.br -07:52:37 13.225.103.59 sf.ezoiccdn.com -.br -07:52:42 142.250.176.3 www.gstatic.com -.br -07:53:03 173.236.250.32 www.linuxlinks.com -.br -07:53:05 192.0.77.37 c0.wp.com -.br -07:53:08 192.0.78.32 jetpack.wordpress.com -.br -07:53:09 192.0.77.32 s0.wp.com -.br -07:53:09 192.0.77.2 i0.wp.com -.br -07:53:10 192.0.77.2 i0.wp.com -.br -07:53:11 192.0.73.2 1.gravatar.com -.br #endif .TP \fB\-\-nice=value @@ -2833,6 +2797,49 @@ $ firejail \-\-list 3272:netblue::firejail \-\-private firefox .br $ firejail \-\-shutdown=3272 + +#ifdef HAVE_NETWORK +.TP +\fB\-\-snitrace[=name|pid] +Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes +created with \-\-net are supported. This option is only available when running the sandbox as root. +.br + +.br +Without a name/pid, Firejail will monitor the main system network namespace. +.br + +.br +$ sudo firejail --snitrace=browser +.br +07:49:51 23.185.0.3 linux.com +.br +07:49:51 23.185.0.3 www.linux.com +.br +07:50:05 192.0.73.2 secure.gravatar.com +.br +07:52:35 172.67.68.93 www.howtoforge.com +.br +07:52:37 13.225.103.59 sf.ezoiccdn.com +.br +07:52:42 142.250.176.3 www.gstatic.com +.br +07:53:03 173.236.250.32 www.linuxlinks.com +.br +07:53:05 192.0.77.37 c0.wp.com +.br +07:53:08 192.0.78.32 jetpack.wordpress.com +.br +07:53:09 192.0.77.32 s0.wp.com +.br +07:53:09 192.0.77.2 i0.wp.com +.br +07:53:10 192.0.77.2 i0.wp.com +.br +07:53:11 192.0.73.2 1.gravatar.com +.br +#endif + .TP \fB\-\-tab Enable shell tab completion in sandboxes using private or whitelisted home directories. -- cgit v1.2.3-70-g09d2