[GH-ISSUE #2145] Question : browser configured with proxy #1453

Closed
opened 2026-05-05 08:06:54 -06:00 by gitea-mirror · 4 comments

Originally created by @deb75 on GitHub (Oct 8, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2145

Hello,

I configured `firefox` to use `privoxy`, which is listening on `127.0.0.1:8118`.

Trouble is that when I use `firejail` this way:

```
firejail --private --net=wlp1s0 --name=browser firefox
```

the browser can no longer connect to the proxy, because of option `--net=wlp1s0`.

I figured out two ways to overcome this issue:

- launch privoxy inside the firejail itself:
  ```
  firejail --join=browser privoxy
  ```
- configure the firewall to redirect all outgoing connections to ports 80/443 to privoxy, so as to create a transparent privoxy

I wonder nevertheless if there would be a more direct solution with `firejail`, like enabling some connections on the lo outside the network namespace? Which way do you think is the best?


@netblue30 commented on GitHub (Oct 8, 2018):

The problem is each namespace comes with its own independent loopback interface, so you would have to start a privoxy instance in each sandbox. Can you run multiple instances of privoxy on the same filesystem?


@deb75 commented on GitHub (Oct 8, 2018):

It should be doable, one needs to configure each privoxy instance with at least a different pid file.

Nevertheless, I am trying to configure a transparent privoxy with `iptables`; it seems to me easier to perform and maintain.

Regards


@crass commented on GitHub (Oct 8, 2018):

Here are two solutions for running a single `privoxy` process:

1. Set up a dedicated bridge interface, have `privoxy` listen on that interface and your jails send requests there. Privoxy need not be in a jail, but it could be. See this [tutorial](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail) for how to set up the bridge interface. The whole tutorial is long, but you'll just need the bridge setup part. The rest is definitely worth the read if you want to jail with respect to X (if you don't, your exploited browser will be able to keylog you and record your desktop).
2. Another easier solution is to have `privoxy` listen on your outbound interface and point your browser there. Only thing is that it probably won't play nice if your IP changes (i.e. you're mobile).

@deb75 commented on GitHub (Oct 11, 2018):

@crass: thanks for the solutions, I chose the first one, which is quite easy to perform.
Then I just have to pass `--net=br0` to firejail and it works great.
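The bridge approach @crass suggested and @deb75 adopted, written out as an added example that is not part of the issue thread. The bridge name `br0`, the host-side address `10.10.20.1/24`, the proxy port `8118` and the netfilter file path are assumptions; the `--netfilter` rules go a step beyond the thread by letting the sandbox reach nothing but the proxy, so a bypass or misconfiguration fails closed instead of leaking traffic.

```shell
#!/bin/sh
# Added example, not from the issue thread. Host-side setup for the
# bridge approach. Assumed values: bridge br0, host side 10.10.20.1/24,
# privoxy port 8118, netfilter file path below.
# No arguments: print everything. "apply" (as root): run it.
set -eu

BRIDGE=br0
BRIDGE_IP=10.10.20.1
PROXY_PORT=8118
NETFILTER_FILE=/etc/firejail/proxy-only.net

# Create the bridge and give the host an address on it; firejail --net=br0
# attaches the sandbox's veth here. No IP forwarding or NAT is needed:
# privoxy terminates the connection on the host and opens the outbound one.
bridge_setup_cmds() {
    printf '%s\n' "ip link add name $BRIDGE type bridge" \
        "ip addr add $BRIDGE_IP/24 dev $BRIDGE" "ip link set dev $BRIDGE up"
}

# privoxy config directive: bind to the bridge address only, so the
# proxy is not reachable from the real network interfaces.
privoxy_listen_line() {
    printf 'listen-address  %s:%s\n' "$BRIDGE_IP" "$PROXY_PORT"
}

# --netfilter rules (iptables-save format, applied inside the sandbox's
# namespace): the browser may only reach the proxy port on the bridge.
# Anything else, including direct DNS, is dropped; the proxy resolves names.
netfilter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $BRIDGE_IP/32 -p tcp --dport $PROXY_PORT -j ACCEPT
COMMIT
EOF
}

firejail_cmd() {
    printf 'firejail --private --net=%s --netfilter=%s --name=browser firefox\n' \
        "$BRIDGE" "$NETFILTER_FILE"
}

case "${1:-}" in
    apply) bridge_setup_cmds | sh -e; netfilter_rules >"$NETFILTER_FILE" ;;
    *) bridge_setup_cmds; privoxy_listen_line; netfilter_rules; firejail_cmd ;;
esac
```

The browser inside the sandbox is then pointed at `10.10.20.1:8118` as its HTTP/HTTPS proxy, which is what firejail's `--net=br0` plus the bridge address makes reachable.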
