[GH-ISSUE #2321] netfilter-default in firejail.config does not appear to be working #1548

Closed
opened 2026-05-05 08:12:32 -06:00 by gitea-mirror · 1 comment

Originally created by @sta-c0000 on GitHub (Dec 28, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2321

Environment:
firejail version 0.9.56
Linux buster 4.18.0-3-amd64 #1 SMP Debian 4.18.20-2 (2018-11-23) x86_64 GNU/Linux

If a `netfilter-default` entry is in `firejail.config`, it does not take effect when `netfilter` is not specified or when `netfilter` is specified without a file argument (profile or command line). Instead we get no rules, or firejail's hardcoded iptables rules are applied by default.

Line added in firejail.config: `netfilter-default /etc/firejail/dropall.net`

```sh
cat /etc/firejail/dropall.net  # NOT USEFUL rules!, just to test this...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p udp -m udp --dport 53
COMMIT

firejail --net=wlp6s0 --name=nftest # (as user)
firejail --join-network=nftest iptables -nL  # (as root) shows default hardcoded rules

# Need to specify netfilter on command line, or in (.local / globals.local) profiles:
firejail --net=wlp6s0 --name=nftest --netfilter=/etc/firejail/dropall.net # works
```

I was expecting `netfilter-default` to take effect whenever there was no `netfilter` specified or when `netfilter` was specified without a file argument (as most profiles do). That's also how I interpret the comment in `firejail.config` above `# netfilter-default…`.

Ideally, I would have liked root-controlled whitelisted network access for everything.
So nothing would have access by default; then each app could get limited network namespace access (e.g. a mail client would have its own netfilter rules to reach the mail server and specific ports only; a client-server app would have access to specific ports at the database server only, etc.).
So basically an _"application firewall"_; we can nearly achieve this using firejail.
Unfortunately, the user has full control over sandbox netfilter rules, so breaking out is easy with firejail the moment you allow `restricted-network no`.

But at least it would be nice to have control over the default netfilter rules.

Thank you!

gitea-mirror 2026-05-05 08:12:32 -06:00 closed this issue and added the `bug` label.

@netblue30 commented on GitHub (Jan 9, 2019):

Thanks for the bug. I have a fix in:

https://github.com/netblue30/firejail/commit/314dde5d94b0c14dd5bb8a3eda1435b64e007a4b

> I was expecting netfilter-default to take effect whenever there was no netfilter

It is a little bit different. Without a --netfilter on the command line or in the profile file, the sandbox will not attempt to set iptables. It also needs you to configure a network namespace (--net command) because it cannot change iptables config for the main network namespace.

You can make the command global by adding it to /etc/firejail/globals.local:

```sh
# echo "netfilter" >> /etc/firejail/globals.local
```

globals.local file is included from all profile files, including the default one.
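To make the behaviour discussed in this thread concrete, here is an added example (not firejail's own code, and not from either participant). It parses an iptables-restore style file such as the `dropall.net` above, flags rules that cannot take effect under a DROP policy (the reporter's own DNS rule has no `-j ACCEPT`, so it only counts packets), and models the maintainer's explanation of when a filter file is applied: only inside a `--net` namespace, only when `netfilter` appears on the command line or in a profile (globals.local included), and with a bare `netfilter` falling back to `netfilter-default` from firejail.config, else the hardcoded rules. The decision model and the precedence between several `netfilter` options are assumptions drawn from the thread, not firejail source; the sample inputs are constructed.

```python
"""Model of the netfilter-default behaviour discussed in the issue above.
Added example: the decision model is an assumption drawn from the thread,
not firejail's implementation."""
import re
import shlex

# Constructed copy of the reporter's rule file (iptables-restore format).
DROPALL_NET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p udp -m udp --dport 53
COMMIT
"""


def parse_iptables_restore(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, argv)]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter" opens a table block
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":                   # closes the table block
            current = None
        elif current is None:
            raise ValueError(f"line outside a table block: {raw!r}")
        elif line.startswith(":"):               # ":CHAIN POLICY [pkts:bytes]"
            m = re.match(r":(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?$", line)
            if not m:
                raise ValueError(f"bad chain line: {raw!r}")
            tables[current]["policies"][m.group(1)] = m.group(2)
        else:                                    # "-A CHAIN <match args...>"
            argv = shlex.split(line)
            if len(argv) < 2 or argv[0] not in ("-A", "-I"):
                raise ValueError(f"unsupported rule line: {raw!r}")
            tables[current]["rules"].append((argv[1], argv[2:]))
    return tables


def lint_filter(tables):
    """Flag rules in DROP-policy chains that carry no -j target: such a rule
    only counts matching packets, so the chain policy still drops them."""
    findings = []
    flt = tables.get("filter", {"policies": {}, "rules": []})
    for chain, argv in flt["rules"]:
        if "-j" not in argv and flt["policies"].get(chain) == "DROP":
            findings.append(f"{chain}: rule '{' '.join(argv)}' has no -j target; "
                            "policy DROP still applies to the traffic it matches")
    return findings


def config_value(text, key):
    """Value of the first `key [value]` line in a profile/config text; "" for a
    bare key, None when the key is absent."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0] == key:
            return parts[1] if len(parts) > 1 else ""
    return None


def effective_netfilter(firejail_config, profiles, cli_netfilter=None, has_net=True):
    """Which rule set a sandbox ends up with, following the maintainer's reply.
    cli_netfilter: None (no --netfilter), "" (bare --netfilter) or a file path.
    profiles: texts of every profile file read, globals.local included.
    Assumption: when several options name a file, the command line wins."""
    if not has_net:
        return "none: no network namespace (--net), iptables left untouched"
    requests = []
    if cli_netfilter is not None:
        requests.append(cli_netfilter)
    for text in profiles:
        val = config_value(text, "netfilter")
        if val is not None:
            requests.append(val)
    if not requests:
        return "none: no netfilter option on the command line or in a profile"
    explicit = next((r for r in requests if r), None)
    if explicit:
        return f"file: {explicit}"
    default = config_value(firejail_config, "netfilter-default")
    return f"file: {default}" if default else "hardcoded: firejail built-in rules"


if __name__ == "__main__":
    tables = parse_iptables_restore(DROPALL_NET)
    for finding in lint_filter(tables):
        print("warning:", finding)
    cfg = "netfilter-default /etc/firejail/dropall.net\n"
    print("--net only:          ", effective_netfilter(cfg, []))
    print("+ netfilter in globals.local:", effective_netfilter(cfg, ["netfilter\n"]))
```

Running it reproduces the two situations in the report: with only `--net` no filter is applied at all, and once a bare `netfilter` line is in globals.local the `netfilter-default` file is used. The lint warning on the sample file is worth heeding when building a real default-deny file: an allow rule in a DROP chain needs an explicit `-j ACCEPT`.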

Reference: github-starred/firejail#1548