github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #3427] Can we have an option to block access to 127.0.0.1 and/or other internal only IP addresses? #2153

New issue
Closed
opened 2026-05-05 08:49:44 -06:00 by gitea-mirror · 18 comments
gitea-mirror commented 2026-05-05 08:49:44 -06:00
Owner
Copy link

Originally created by @ilikenwf on GitHub (May 21, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3427

This is a pretty big issue as far as security is concerned as some websites fingerprint...and stuff...by using websockets to 127.0.0.1 looking for various ports:

https://nullsweep.com/why-is-this-website-port-scanning-me/

When I'm on a trusted network I can use a namespace, but when I'm moving around and using a VPN, this is not possible.

Originally created by @ilikenwf on GitHub (May 21, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3427 This is a pretty big issue as far as security is concerned as some websites fingerprint...and stuff...by using websockets to 127.0.0.1 looking for various ports: https://nullsweep.com/why-is-this-website-port-scanning-me/ When I'm on a trusted network I can use a namespace, but when I'm moving around and using a VPN, this is not possible.
gitea-mirror commented 2026-05-05 08:49:46 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 21, 2020):

I think this is only possible by using network namespaces. Without net/netns is would break your hole system.

In order to protect against those websites, you should use uBlock origin and/or uMatrix
uBlock origin: (||127.*$third-party or ||127.0.^$important,third-party) and ||localhost^$important,third-party
uMatrix: whitelist JS and block all third-party stuff.

I'm using |ws:// (unencrypted websockets) for over a year without issues

<!-- gh-comment-id:632176889 --> @rusty-snake commented on GitHub (May 21, 2020): I think this is only possible by using network namespaces. Without `net`/`netns` is would break your hole system. --- In order to protect against those websites, you should use uBlock origin and/or uMatrix uBlock origin: (`||127.*$third-party` or `||127.0.^$important,third-party`) and `||localhost^$important,third-party` uMatrix: whitelist JS and block all third-party stuff. _I'm using `|ws://` (unencrypted websockets) for over a year without issues_
gitea-mirror commented 2026-05-05 08:49:47 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (May 21, 2020):

@rusty-snake I can confirm after testing that those ubo filters work...this person wrote up an article and provided a proof of concept with a websocket port scanner:

https://medium.com/@stestagg/stealing-secrets-from-developers-using-websockets-254f98d577a0

The scanner (resource heavy):
http://frontend-overflowstack.com/

<!-- gh-comment-id:632321244 --> @ilikenwf commented on GitHub (May 21, 2020): @rusty-snake I can confirm after testing that those ubo filters work...this person wrote up an article and provided a proof of concept with a websocket port scanner: https://medium.com/@stestagg/stealing-secrets-from-developers-using-websockets-254f98d577a0 The scanner (resource heavy): http://frontend-overflowstack.com/
gitea-mirror commented 2026-05-05 08:49:47 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (May 21, 2020):

Those uBO rules don't prevent the issue when a scanner uses a domain that points to localhost instead due to CORS.

+1 for uMatrix however.

-----Original Message-----
From: rusty-snake notifications@github.com
Reply-To: netblue30/firejail reply@reply.github.com
To: netblue30/firejail firejail@noreply.github.com
Cc: Subscribed subscribed@noreply.github.com
Subject: Re: [netblue30/firejail] Can we have an option to block access to 127.0.0.1 and/or other internal only IP addresses? (#3427)
Date: Thu, 21 May 2020 09:01:08 -0700

I think this is only possible by using network namespaces. Without net/netns is would break your hole system.

In order to protect against those websites, you should use uBlock origin and/or uMatrix
uBlock origin: (||127.*$third-party or ||127.0.^$important,third-party) and ||localhost^$important,third-party
uMatrix: whitelist JS and block all third-party stuff.

I'm using |ws:// (unencrypted websockets) for over a year without issues

<!-- gh-comment-id:632329491 --> @SkewedZeppelin commented on GitHub (May 21, 2020): Those uBO rules don't prevent the issue when a scanner uses a domain that points to localhost instead due to CORS. +1 for uMatrix however. -----Original Message----- From: rusty-snake <notifications@github.com> Reply-To: netblue30/firejail <reply@reply.github.com> To: netblue30/firejail <firejail@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: Re: [netblue30/firejail] Can we have an option to block access to 127.0.0.1 and/or other internal only IP addresses? (#3427) Date: Thu, 21 May 2020 09:01:08 -0700 I think this is only possible by using network namespaces. Without `net`/`netns` is would break your hole system. --- In order to protect against those websites, you should use uBlock origin and/or uMatrix uBlock origin: (`||127.*$third-party` or `||127.0.^$important,third-party`) and `||localhost^$important,third-party` uMatrix: whitelist JS and block all third-party stuff. _I'm using `|ws://` (unencrypted websockets) for over a year without issues_
gitea-mirror commented 2026-05-05 08:49:48 -06:00
Author
Owner
Copy link

@ts1a commented on GitHub (May 21, 2020):

What about disabling websockets in uBO? *$websocket

And if you want to add exceptions you can do it this way: *$websocket,denyallow=twitch.tv

<!-- gh-comment-id:632334410 --> @ts1a commented on GitHub (May 21, 2020): What about disabling websockets in uBO? `*$websocket` And if you want to add exceptions you can do it this way: `*$websocket,denyallow=twitch.tv`
gitea-mirror commented 2026-05-05 08:49:50 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (May 21, 2020):

What about disabling websockets in uBO? *$websocket

And if you want to add exceptions you can do it this way: *$websocket,denyallow=twitch.tv

Sounds like a good case for an addon of some kind really...I wonder if the default of "privacy oriented origin policy" would already mitigate it.

<!-- gh-comment-id:632341384 --> @ilikenwf commented on GitHub (May 21, 2020): > What about disabling websockets in uBO? `*$websocket` > > And if you want to add exceptions you can do it this way: `*$websocket,denyallow=twitch.tv` Sounds like a good case for an addon of some kind really...I wonder if the default of "privacy oriented origin policy" would already mitigate it.
gitea-mirror commented 2026-05-05 08:49:51 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (May 21, 2020):

The websocket filter in uBO doesn't work for me, I may have something else managing CSP?

<!-- gh-comment-id:632343505 --> @ilikenwf commented on GitHub (May 21, 2020): The websocket filter in uBO doesn't work for me, I may have something else managing CSP?
gitea-mirror commented 2026-05-05 08:49:52 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 28, 2020):

block access to 127.0.0.1

This will break things like dnsmasq, Xorg (depending on setup), ...

<!-- gh-comment-id:635298300 --> @rusty-snake commented on GitHub (May 28, 2020): > block access to 127.0.0.1 This will break things like dnsmasq, Xorg (depending on setup), ...
gitea-mirror commented 2026-05-05 08:49:53 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (May 29, 2020):

It would be optional...but it looks like uBO is working on a fix anyway.

<!-- gh-comment-id:636037262 --> @ilikenwf commented on GitHub (May 29, 2020): It would be optional...but it looks like uBO is working on a fix anyway.
gitea-mirror commented 2026-05-05 08:49:53 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 29, 2020):

https://privacy-handbuch.de/handbuch_21g.htm has now also good lists.

<!-- gh-comment-id:636057777 --> @rusty-snake commented on GitHub (May 29, 2020): https://privacy-handbuch.de/handbuch_21g.htm has now also good lists.
gitea-mirror commented 2026-05-05 08:49:54 -06:00
Author
Owner
Copy link

@curiosityseeker commented on GitHub (May 31, 2020):

https://privacy-handbuch.de/handbuch_21g.htm has now also good lists.

Yes, but according to @gorhill, @gwarser 's list is better.

<!-- gh-comment-id:636445448 --> @curiosityseeker commented on GitHub (May 31, 2020): > https://privacy-handbuch.de/handbuch_21g.htm has now also good lists. Yes, but [according](https://www.wilderssecurity.com/threads/ublock-a-lean-and-fast-blocker.365273/page-178#post-2919399) to @gorhill, @gwarser 's [list](https://raw.githubusercontent.com/gwarser/filter-lists/master/lan-block.txt) is better.
gitea-mirror commented 2026-05-05 08:49:54 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (May 31, 2020):

Some explanations why Privacy Handbuch filters are bad: https://github.com/uBlockOrigin/uBlock-issues/issues/1070#issuecomment-634706689
Some questions about further improvements of my list: https://github.com/uBlockOrigin/uBlock-issues/issues/1070#issuecomment-636483139

<!-- gh-comment-id:636499877 --> @ghost commented on GitHub (May 31, 2020): Some explanations why Privacy Handbuch filters are bad: https://github.com/uBlockOrigin/uBlock-issues/issues/1070#issuecomment-634706689 Some questions about further improvements of my list: https://github.com/uBlockOrigin/uBlock-issues/issues/1070#issuecomment-636483139
gitea-mirror commented 2026-05-05 08:49:55 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (May 31, 2020):

Thanks, however I already block any third-party request with uMatrix.

<!-- gh-comment-id:636501473 --> @rusty-snake commented on GitHub (May 31, 2020): Thanks, however I already block any third-party request with uMatrix.
gitea-mirror commented 2026-05-05 08:49:55 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (Jun 1, 2020):

So here's a question...could firejail implement a system to allow a prioritized whitelist of network interfaces to use, and automatically switch between them?

Like, if I list tun0, wlan0, eth0 in that order, firejail will poll and detect when one or more of these is up, and if it had been using one of the others, switch to the one of highest priority that is available...

This would support the use of network namespaces while also making firejail less a pain in the ass when one is switching network contexts regularly.

Even if not automatic, it could just detect changes to the routing table and stop all network access for the application(s) using this feature, and trigger a notification or something via dbus, allowing a desktop notification, so that the user can close the application and reopen it for the new network to be used.

<!-- gh-comment-id:637001115 --> @ilikenwf commented on GitHub (Jun 1, 2020): So here's a question...could firejail implement a system to allow a prioritized whitelist of network interfaces to use, and automatically switch between them? Like, if I list tun0, wlan0, eth0 in that order, firejail will poll and detect when one or more of these is up, and if it had been using one of the others, switch to the one of highest priority that is available... This would support the use of network namespaces while also making firejail less a pain in the ass when one is switching network contexts regularly. Even if not automatic, it could just detect changes to the routing table and stop all network access for the application(s) using this feature, and trigger a notification or something via dbus, allowing a desktop notification, so that the user can close the application and reopen it for the new network to be used.
gitea-mirror commented 2026-05-05 08:49:55 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 1, 2020):

Like, if I list tun0, wlan0, eth0 in that order, firejail will poll and detect when one or more of these is up, and if it had been using one of the others, switch to the one of highest priority that is available...

Should be possible

This would support the use of network namespaces while also making firejail less a pain in the ass when one is switching network contexts regularly.

Maybe a bridge can help you here for now.

<!-- gh-comment-id:637004690 --> @rusty-snake commented on GitHub (Jun 1, 2020): > Like, if I list tun0, wlan0, eth0 in that order, firejail will poll and detect when one or more of these is up, and if it had been using one of the others, switch to the one of highest priority that is available... Should be possible > This would support the use of network namespaces while also making firejail less a pain in the ass when one is switching network contexts regularly. Maybe a bridge can help you here for now.
gitea-mirror commented 2026-05-05 08:49:56 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (Jun 1, 2020):

Except tun0 doesn't necessarily always exist, and I'm not sure a bridge can be created using a not presently existing interface.

<!-- gh-comment-id:637009739 --> @ilikenwf commented on GitHub (Jun 1, 2020): Except tun0 doesn't necessarily always exist, and I'm not sure a bridge can be created using a not presently existing interface.
gitea-mirror commented 2026-05-05 08:49:56 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 1, 2020):

I mean running a script when changing network connection (NetworkManager can do this automatic).

<!-- gh-comment-id:637015732 --> @rusty-snake commented on GitHub (Jun 1, 2020): I mean running a script when changing network connection (NetworkManager can do this automatic).
gitea-mirror commented 2026-05-05 08:49:57 -06:00
Author
Owner
Copy link

@ilikenwf commented on GitHub (Jun 1, 2020):

I didn't realize networkmanager could handle a bridge in conjunction
with vpn...

Guess I'll have to check the docs...

On 6/1/20 12:58 PM, rusty-snake wrote:

I mean running a script when changing network connection
(NetworkManager can do this automatic).


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/netblue30/firejail/issues/3427#issuecomment-637015732,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AADFIOSZSOFYP3ELJLK54ZDRUPT3RANCNFSM4NG6DPSQ.

<!-- gh-comment-id:637016725 --> @ilikenwf commented on GitHub (Jun 1, 2020): I didn't realize networkmanager could handle a bridge in conjunction with vpn... Guess I'll have to check the docs... On 6/1/20 12:58 PM, rusty-snake wrote: > > I mean running a script when changing network connection > (NetworkManager can do this automatic). > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <https://github.com/netblue30/firejail/issues/3427#issuecomment-637015732>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AADFIOSZSOFYP3ELJLK54ZDRUPT3RANCNFSM4NG6DPSQ>. >
gitea-mirror commented 2026-05-05 08:49:57 -06:00
Author
Owner
Copy link

@cabonamigo commented on GitHub (Jun 4, 2020):

What I do is block 127.x.x.x entirely on iptables or nft, I only open with a rule for specific location:port paiir, I think this would be better done there (ipt and nft), just assign a ip for it and use the same ip, and block it.

<!-- gh-comment-id:639168868 --> @cabonamigo commented on GitHub (Jun 4, 2020): What I do is block 127.x.x.x entirely on iptables or nft, I only open with a rule for specific location:port paiir, I think this would be better done there (ipt and nft), just assign a ip for it and use the same ip, and block it.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2153
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?