From e0d9eca92d2ef959e95a8326cc835b6c7653f462 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 10 Feb 2016 20:18:27 -0500
Subject: STUN/WebRTC disabled in default netfilter configuration

---
 src/man/firejail.txt | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'src/man/firejail.txt')

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bab596e96..784f1583e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
-- 
cgit v1.2.3-70-g09d2
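Review bot: The four added `-A OUTPUT ... --dport 347x -j DROP` rules use bare `-` and `--`, whereas every existing rule in this hunk escapes them as `\-A`, `\-p`, `\-\-state` and `\-j`; in roff an unescaped hyphen may be typeset as a typographic hyphen rather than an ASCII minus, so the new rules render differently from their neighbours and may not survive copy-and-paste from the formatted page as valid iptables syntax. Escape them like the surrounding lines, e.g. `\-A OUTPUT \-p udp \-\-dport 3478 \-j DROP`, and the same for the other three. This hunk documents the default filter rather than installing it; the netfilter template that firejail actually applies is not part of this diff, so it is worth confirming that the template carries identical OUTPUT rules, otherwise the man page would tell users STUN is blocked when it is not. Note also that only the two standard STUN/TURN ports are listed, which the "drop STUN (WebRTC) requests" comment slightly overstates; a short qualifier such as `# drop STUN (WebRTC) requests on the standard ports 3478/3479` would set expectations accurately.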