From e0d9eca92d2ef959e95a8326cc835b6c7653f462 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 10 Feb 2016 20:18:27 -0500
Subject: STUN/WebRTC disabled in default netfilter configuration

---
 src/firejail/netfilter.c | 7 ++++++-
 src/man/firejail.txt | 12 ++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index a1c1b9c16..2ed09434a 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -30,12 +30,17 @@ static char *client_filter =
 ":FORWARD DROP [0:0]\n"
 ":OUTPUT ACCEPT [0:0]\n"
 "-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
 "#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
-"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
 "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
 "COMMIT\n";
 
 void check_netfilter_file(const char *fname) {
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bab596e96..784f1583e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
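Review bot: The context line `"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"` is now stale, because the hunk moves the RELATED,ESTABLISHED rule above it, so the rule it points at is no longer below; I would change it to `"# echo reply is handled by -m state RELATED/ESTABLISHED above\n"` (also fixing "replay"). The new `# disable STUN` block only covers the two standard STUN ports, and since the chain policy is `:OUTPUT ACCEPT`, STUN/TURN over TLS on 5349 and servers listening on non-standard ports still pass, so a comment such as `"# disable STUN on the standard ports only; non-standard and TLS (5349) endpoints are not covered\n"` would keep readers from treating this as a complete WebRTC block. Using DROP rather than REJECT also leaves the sandboxed application waiting for a timeout instead of failing fast, which may be intended but deserves a comment. The client_filter string literal begins above the hunk.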
@@ -679,12 +679,24 @@ The default filter is as follows:
 .br
 \-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
 .br
+# allow ping
+.br
 \-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
 .br
 \-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
 .br
+# drop STUN (WebRTC) requests
+.br
+-A OUTPUT -p udp --dport 3478 -j DROP
+.br
+-A OUTPUT -p udp --dport 3479 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3478 -j DROP
+.br
+-A OUTPUT -p tcp --dport 3479 -j DROP
+.br
 COMMIT
 .br
-- 
cgit v1.2.3-70-g09d2