[GH-ISSUE #3610] Toggle Network #2267

Closed
opened 2026-05-05 08:57:41 -06:00 by gitea-mirror · 2 comments

Originally created by @ghost on GitHub (Aug 29, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3610

I've got a problematic application I jail. Predominantly I want its network access cut off but from time to time I do have to "unleash" the "_steam_ing" turd that it is. I've searched high and low as well as tried many things to "toggle" network access to no avail. Sadly steam will crash my X Session if I restart it so every time I restart it to switch net access it's a huge pain. Is there any way to toggle the network of/in a jail?


@rusty-snake commented on GitHub (Aug 29, 2020):

TL;DR; Sadly, there is no such way.

Long story: You could use `--net=<bridge>` and control this bridge.


Possible workarounds: If you cannot find the cause for the crash, it might not crash if you use X11 sandboxing (`--x11=...`). _I believe I remember some HW-accel issues with Xephyr or xpra._
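One way to act on the `--net=<bridge>` suggestion above, as an added example that is not part of the original thread or of the firejail project: the sandbox is attached to a dedicated bridge, and host firewall rules cut or restore its traffic while the jailed process keeps running. The bridge name `br-jail`, the 10.10.20.0/24 addresses and the function names are assumptions; with `DRY_RUN=1` (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: toggle network access of a running firejail sandbox by
# controlling the bridge it is attached to. All names and addresses below
# are assumptions chosen for illustration.
BRIDGE="${BRIDGE:-br-jail}"        # hypothetical bridge name
GATEWAY="${GATEWAY:-10.10.20.1}"   # host side of the bridge
SUBNET="${SUBNET:-10.10.20.0/24}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One-time setup: a dedicated bridge with NAT so the sandbox can reach out.
jail_net_setup() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr add "$GATEWAY/24" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
}

# Start the application once, attached to the bridge:
#   firejail --net=br-jail --ip=10.10.20.10 steam

# Cut the sandbox off: drop routed traffic in both directions, and traffic
# from the sandbox to services on the host itself.
jail_net_off() {
    run iptables -I FORWARD 1 -i "$BRIDGE" -j DROP
    run iptables -I FORWARD 1 -o "$BRIDGE" -j DROP
    run iptables -I INPUT 1 -i "$BRIDGE" -j DROP
}

# Restore access by deleting exactly the rules jail_net_off inserted.
jail_net_on() {
    run iptables -D FORWARD -i "$BRIDGE" -j DROP
    run iptables -D FORWARD -o "$BRIDGE" -j DROP
    run iptables -D INPUT -i "$BRIDGE" -j DROP
}

case "${1:-}" in
    setup) jail_net_setup ;;
    off)   jail_net_off ;;
    on)    jail_net_on ;;
esac
```

Run `jail_net_off` only once per `jail_net_on`, since each call inserts another copy of the DROP rules; the host's own network is unaffected because every rule matches on the bridge interface.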


@ghost commented on GitHub (Aug 29, 2020):

I haven't thought about bridges in a long time. Comically a bit ago I was thinking about installing a crappy wifi USB dongle and forcing it to use that so I can kill it without killing the host network. I'll poke around I suppose. Just had hoped maybe there was a solution that wasn't overtly documented or obvious. It wouldn't be such an issue if it wasn't for steam crashing things. Either way thanks for the heads up!

As for the crash (which is out of scope/topic for here) with `--x11` it fails to run at all. I had suspected the crashes are due to firejail somehow getting screwed up with GPU/PCIe bus issues (I run more than one GPU) however steam likes to do it even when unfirejailed. The off topic but relevant issue for me is that when I noticed Steam was updating things I didn't want it to I tried to remove write access to some games. Basically steam no longer allows you to *not* update which means broken versions of games can be pushed on you. So with things read only I should have been good...but I wasn't. Steam can escalate its privs to root and undo those perms so...FIREJAIL! Well that and an overlayFS. I've tried to use the Firejail overlayfs but it never works. My understanding is it should be able to see the lower FS but all writes go to a disposable "top" but it doesn't seem to show the underlying fs causing steam to try to download hundreds of gigs of data I already have. So I run a separate overlayfs that does work as intended. Rather frustrating to have so many moving parts when `firejail --net=toggle --overlayfs` should do it in 2 commands but there is no `--net=toggle` and the overlayfs 'dun werk! heh.

Reference: github-starred/firejail#2267