[GH-ISSUE #1600] Is there a recommended workaround for using wlan interfaces with firejail? #1068

New issue

Closed

opened 2026-05-05 07:24:39 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 07:24:39 -06:00

Owner

Originally created by @sakaki- on GitHub (Oct 9, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1600

Hi, many thanks for making this software available, it's an extremely useful tool!

I have been using firejail for a while now on my desktop machine with firefox, thunderbird etc. each running in its own xephyr X11 sandbox, with --net=eth0. Since this type of setup provides a good security boost to probably the most vulnerable components on most people's systems, I'd like to add instructions for using it to my EFI Install Guide on the Gentoo wiki.

However, I understand from the firejail manpage that the --net= option is incompatible with wlan interfaces. Since many users of my guide install to laptops with only WiFi, no Ethernet, my question is this: is there a recommended workaround for these cases? For example, can a tun interface be used in firejail, with packets being forwarded to the wlan via iptables rules, or something similar?

Originally created by @sakaki- on GitHub (Oct 9, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1600 Hi, many thanks for making this software available, it's an extremely useful tool! I have been using `firejail` for a while now on my desktop machine with `firefox`, `thunderbird` etc. each running in its own `xephyr` X11 sandbox, with `--net=eth0`. Since this type of setup provides a good security boost to probably the most vulnerable components on most people's systems, I'd like to add instructions for using it to my [EFI Install Guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide) on the Gentoo wiki. However, I understand from the `firejail` manpage that the `--net=` option is incompatible with wlan interfaces. Since many users of my guide install to laptops with only WiFi, no Ethernet, my question is this: is there a recommended workaround for these cases? For example, can a `tun` interface be used in `firejail`, with packets being forwarded to the wlan via `iptables` rules, or something similar?

gitea-mirror

2026-05-05 07:24:39 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 07:24:44 -06:00

Author

Owner

@netblue30 commented on GitHub (Oct 11, 2017):

Try this setup: https://firejail.wordpress.com/documentation-2/basic-usage/#routed

You would need to configure a bridge device and start the sandboxes on that bridge. You will also need to set iptables on the main system to do network address translation between the bridge and your wlan interface. I think if you change eth0 with wlan0 in that script it will work.

@netblue30 commented on GitHub (Oct 11, 2017): Try this setup: https://firejail.wordpress.com/documentation-2/basic-usage/#routed You would need to configure a bridge device and start the sandboxes on that bridge. You will also need to set iptables on the main system to do network address translation between the bridge and your wlan interface. I think if you change eth0 with wlan0 in that script it will work.

gitea-mirror commented

2026-05-05 07:24:46 -06:00

Author

Owner

@sakaki- commented on GitHub (Oct 11, 2017):

Thanks - I'll try that.

@sakaki- commented on GitHub (Oct 11, 2017): Thanks - I'll try that.

gitea-mirror referenced this issue

2026-05-05 10:08:57 -06:00

[PR #1068] [MERGED] Fix for uudeview #3842

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1068

No description provided.

Rows
Columns