[GH-ISSUE #3306] many builtin profiles use netfilter with system net namespace #2075

Closed
opened 2026-05-05 08:44:33 -06:00 by gitea-mirror · 7 comments

Originally created by @jonleivent on GitHub (Mar 29, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3306

The firejail man page says that using netfilter with the system network namespace does nothing. But many builtin firejail profiles do use netfilter with the system network namespace.

Also, is there some set of netfilter files available to use? For instance, it would be nice to have a netfilter for email clients parameterized by one's email provider.

@rusty-snake commented on GitHub (Mar 30, 2020):

Because we don't know the iface names on the user system, we can't enable a new network namespace (also has a few other downsides). But if a user adds it in his locals, netfilter is automatically applied, so IMHO it is not bad to put it in profiles even if it has no effect.

@netblue30 commented on GitHub (Apr 2, 2020):

> Also, is there some set of netfilter files available to use?

So far we have 3 of them:

https://github.com/netblue30/firejail/blob/master/etc/nolocal.net

https://github.com/netblue30/firejail/blob/master/etc/tcpserver.net

https://github.com/netblue30/firejail/blob/master/etc/webserver.net

> For instance, it would be nice to have a netfilter for email clients parameterized by one's email provider.

Look at tcpserver.net, you can pass a parameter from the command line. In that example:

```
firejail --net=eth0 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
```

5001 is the port the server listens on.

@netblue30 commented on GitHub (Apr 2, 2020):

Sorry, we have another one hardcoded in https://github.com/netblue30/firejail/blob/master/src/fnetfilter/main.c

This is the default filter applied by the "netfilter" command in the profiles. It is just a basic filter that doesn't allow incoming connections.

@ghost commented on GitHub (Apr 5, 2020):

@jonleivent Feel free to close this if your question has been answered. Just doing another round of triaging the issues here to keep things manageable.

@jonleivent commented on GitHub (Apr 5, 2020):

If I understand the interaction between net and netfilter options correctly, if a sandbox uses a new network namespace (net or netns option, other than of course --net=none) without any netfilter, then that bypasses any iptables firewall filtering the user may have on their computer outside of firejail. Is that correct?

If it is correct, then it's very important to have netfilter to apply a default firewall just in case someone uses net without adding their own netfilter. Maybe it's so important that there should be a default netfilter applied even when the netfilter option isn't used. Then, if the user wants less strictness than the default, they have to do so explicitly.

BTW, do you know of an email client netfilter? I'd prefer one that locks down the sandbox so that the email client within it can only talk to the designated email provider's servers. I am not an iptables expert, and it seems that almost all information I can google is about setting up servers, not clients. Then there's dealing with email provider server DNS load balancing and TTL IP addresses. I'm not sure how to narrow down the IP address range of a big email provider, for instance gmail or comcast. So, it appears that setting up a very strict netfilter for clients is beyond my limited know-how.

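As an added example (not part of the original thread and not firejail's own code), here is a constructed client-side template in the same parameterized style as the tcpserver.net example above, answering the request for an email client filter: it drops everything by default and only lets the sandbox reach the provider's IMAPS and submission addresses passed as $ARG1 and $ARG2. The file name mailclient.net, the interface eth0, the 192.0.2.x sample addresses and the render_netfilter helper (which mimics firejail's $ARGn substitution so the final rules can be reviewed) are all assumptions.

```shell
#!/bin/sh
# Constructed netfilter template (assumed file name: /etc/firejail/mailclient.net).
# Same iptables-restore format as tcpserver.net: firejail replaces $ARG1/$ARG2 with
# the values given as --netfilter=file,arg1,arg2 and loads the result inside the
# sandbox's own network namespace, so it only has an effect together with --net=<iface>.
# Policy is DROP in every direction; only loopback, DNS and TCP to the provider's
# IMAPS ($ARG1, port 993) and submission ($ARG2, port 587) addresses are allowed out.
# Pass IP addresses or CIDR ranges: a hostname in -d is resolved once at load time,
# which is exactly the load-balancing problem raised in the thread.
MAILCLIENT_NET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -d $ARG1 -p tcp --dport 993 -j ACCEPT
-A OUTPUT -d $ARG2 -p tcp --dport 587 -j ACCEPT
COMMIT'

# render_netfilter ARG1 ARG2: print the template with the placeholders filled in.
# Illustrative stand-in for firejail's own substitution (assumption, not its code),
# useful for reviewing the exact rules before handing the file to --netfilter.
render_netfilter() {
    printf '%s\n' "$MAILCLIENT_NET" | sed -e "s|\$ARG1|$1|g" -e "s|\$ARG2|$2|g"
}

# Usage with constructed sample addresses from the 192.0.2.0/24 documentation range:
#   render_netfilter 192.0.2.10 192.0.2.20
#   firejail --net=eth0 --netfilter=/etc/firejail/mailclient.net,192.0.2.10,192.0.2.20 thunderbird
```
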
@rusty-snake commented on GitHub (May 6, 2020):

@jonleivent Any progress on this?

@rusty-snake commented on GitHub (Jun 4, 2020):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.
