[GH-ISSUE #6760] firefox: program not in sync with network adapter changes (VPN) #3358

Open
opened 2026-05-05 09:56:22 -06:00 by gitea-mirror · 14 comments

Originally created by @aminvakil on GitHub (May 28, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6760

Description

Firefox does not pick network adapter changes (vpn connection / disconnection) and still uses old IP in new network interface.

Steps to Reproduce

Open firefox and connect a VPN system-wide.
Or connect a VPN system-wide, open firefox and then disconnect VPN.

Expected behavior

Use correct IP address in each interface.

Actual behavior

Firefox gets disconnected. I've checked using wireshark and it's using previous IP in new interface.
For example my wifi IP is 192.168.1.2/24 and my VPN local IP is 10.0.0.2/24, when I connect VPN, it uses 192.168.1.2/24 in vpn network interface.
It does not get fixed until a complete restart.
It happens the same when disconnecting, it uses 10.0.0.2/24 in wifi interface which does not work.

Behavior without a profile

$ LC_ALL=C firejail --noprofile /usr/bin/firefox 
firejail version 0.9.74

Parent pid 9617, child pid 9618
Base filesystem installed in 0.04 ms
Child process initialized in 19.94 ms
[3] Sandbox: CanCreateUserNamespace() clone() failure: EPERM

Additional context

I cannot remember exactly when this starts to happen, about a couple of months ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1960897

Environment

  • Name/version/arch of the Linux kernel: Linux 6.14.8-hardened1-1-hardened x86_64
  • Name/version of the Linux distribution: Arch Linux
  • Name/version of the relevant program(s)/package(s): firefox 139.0-1
  • Version of Firejail: firejail version 0.9.74
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): No

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /usr/bin/firefox

$ LC_ALL=C firejail /usr/bin/firefox 
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own org.mozilla.*" and 2 other dbus-user filter rules.
Parent pid 9092, child pid 9093
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 61.84 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 138.45 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 290.38 ms
[40] Sandbox: CanCreateUserNamespace() clone() failure: EPERM

Output of LC_ALL=C firejail --debug /usr/bin/firefox

It's outputting lots of details from system which I prefer not to share publicly.

gitea-mirror added the networking label 2026-05-05 09:56:22 -06:00

@kmk3 commented on GitHub (May 28, 2025):

> Firefox does not pick network adapter changes (vpn connection /
> disconnection) and still uses old IP in new network interface.

Does it work with the following in ~/.config/firejail/firefox.local?

ignore net
ignore private-dev

@aminvakil commented on GitHub (May 28, 2025):

No, the problem is the same, I can still see previous IP in new interface in wireshark.

I can also confirm it's reading config

$ LC_ALL=C firejail /usr/bin/firefox 
Reading profile /etc/firejail/firefox.profile
Reading profile /home/username/.config/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
...

@aminvakil commented on GitHub (May 28, 2025):

> > Firefox does not pick network adapter changes (vpn connection /
> > disconnection) and still uses old IP in new network interface.
>
> Does it work with the following in ~/.config/firejail/firefox.local?
>
> ignore net
> ignore private-dev

Ah, it's working indeed, it just does not pick DNS changes, as DNS server in VPN network is not available it does not work.

But when I browse an IP, it uses correct IP.


@pranaovs commented on GitHub (Jun 8, 2025):

Network connectivity to firefox is disconnected when I stop my VPN (TUN/TAP interface).

Flow:

  1. Turn on VPN
  2. Launch firefox
  3. Turn off VPN

I have to relaunch firefox if I want to continue using it without a VPN interface.

How do I allow firefox to continue working even if network interfaces change?

I have already tried ignore net and ignore private-dev but in vain.


@aminvakil commented on GitHub (Jun 9, 2025):

@pranaovs Can you check browsing an IP? My problem has been fixed with ignore net and ignore private-dev, but DNS is not getting changed, which I think it's most probably because of firefox not picking up changes.


@aminvakil commented on GitHub (Jun 9, 2025):

Firefox does pick up changes in /etc/resolv.conf when VPN gets connected / disconnected when it has been run without firejail.


@pranaovs commented on GitHub (Jun 9, 2025):

> Can you check browsing an IP? My problem has been fixed with ignore net and ignore private-dev, but DNS is not getting changed, which I think it's most probably because of firefox not picking up changes.

Okay this is interesting. I am able to enter IP addresses of sites and firefox is able to connect to those IP addresses.
In some cases, the IP is being redirected to the (correct) domain name and firefox fails (example, 1.1.1.1 -> one.one.one.one and 1.1.1.2 -> https://one.one.one.one/family), and in some cases, the websites don't redirect and I get some HTML back (example 96.7.128.198).

I am not able to find a simple website I can test connecting using just the IP. But I can confirm I'm able to reach because I get various errors like "Cloudflare: direct connection not allowed" or some other errors.

But this works even without ignore net and ignore private-dev.

Interestingly, if I enable maximum protection in firefox DNS setting, it says DNS is active, but that's all. No improvements.

It's not DNS
There's no way it's DNS
It was DNS
-SSBroski


@rusty-snake commented on GitHub (Jun 9, 2025):

> Interestingly, if i enable maximum protection in firefox DNS setting, it says DNS is active, but thats all. No improvements.

OT: Because Firefox still uses the system DNS to initially resolve the configured DoH server domain.


@kmk3 commented on GitHub (Jun 9, 2025):

Potential duplicate of:

  • #3649

@kmk3 commented on GitHub (Jun 9, 2025):

Does it work with the following in ~/.config/firejail/firefox.local?

ignore net
ignore private-dev
ignore private-etc

Was this working with a previous version of firefox/firejail?

If so, which versions?

Also, what is the name/version of the system dns manager?


@pranaovs commented on GitHub (Jun 9, 2025):

> Does it work with the following in ~/.config/firejail/firefox.local?
>
> ignore net
> ignore private-dev
> ignore private-etc

It works with these lines in firefox.local. I am able to disconnect my active VPN connection and still have firefox work. Thank you very much.

Mozilla Firefox 139.0.1

$ firejail --version
firejail version 0.9.74

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- IDS support is disabled
	- Landlock support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-lib support is disabled
	- private-cache and tmpfs as user enabled
	- sandbox check is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

> Also, what is the name/version of the system dns manager?

I don't know how to find that so here's a bunch of logs:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net
                      2001:4860:4860::8888#dns.google

Link 2 (enp0s31f6)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
     Default Route: no

Link 3 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.100.1
       DNS Servers: 192.168.100.1 8.8.8.8 4.4.4.4
     Default Route: yes
$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.1
nameserver 8.8.8.8
nameserver 4.4.4.4

@kmk3 commented on GitHub (Jun 9, 2025):

> It works with these lines in firefox.local. I am able to disconnect my active
> VPN connection and still have firefox work. Thank you very much.

Glad it worked!

> > Also, what is the name/version of the system dns manager?
>
> I don't know how to find that so here's a bunch of logs:
>
> $ resolvectl
> [...]
> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 192.168.100.1
> nameserver 8.8.8.8
> nameserver 4.4.4.4

What is the distribution name/version?

What is the output of the following?

resolvectl --version
ls -l /etc/resolv.conf

Depending on the file type, this could also be related to:

  • #4545

@pranaovs commented on GitHub (Jun 9, 2025):

> What is the distribution name/version

Arch Linux

> What is the output of the following?

$ resolvectl --version
systemd 257 (257.6-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +IPE +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF +XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE
$ ls -l /etc/resolv.conf
-rw-r--r-- 1 root root 88 Jun 10 00:51 /etc/resolv.conf

@aminvakil commented on GitHub (Jun 10, 2025):

> Does it work with the following in ~/.config/firejail/firefox.local?
>
> ignore net
> ignore private-dev
> ignore private-etc

Yes, adding ignore net and ignore private-dev fixed the issue with IP as I've stated in https://github.com/netblue30/firejail/issues/6760#issuecomment-2916263852.

And adding ignore private-etc fixed the issue for DNS as well. I check specific domains / subdomains which are only resolvable through VPN to make sure.

> Was this working with a previous version of firefox/firejail?

Yes, but I can't pinpoint to exact firefox / firejail version which triggered this change, it was a couple of months ago.

> If so, which versions?
>
> Also, what is the name/version of the system dns manager?

I'm using NetworkManager and my VPN is getting activated through NetworkManager as well which changes resolv.conf directly.

It's not a symlink (i.e. I'm not using systemd-resolved).

Arch Linux
networkmanager 1.52.0
firefox 139.0.1
firejail 0.9.74
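
The thread ties the DNS symptom to the sandbox's view of /etc/resolv.conf and to that file's type. One way to check whether a sandboxed process still sees a stale resolver list, as an added example that is not from the thread or the firejail project: the function names and the sample file contents are constructed, and capturing the sandbox copy through `firejail --join` is an assumed workflow.

```shell
#!/bin/sh
# Added example (not from the thread): detect a sandbox whose resolv.conf no
# longer matches the host's after a VPN connect/disconnect.
#
# Usage: ./resolv-drift.sh HOST_FILE SANDBOX_FILE
# One assumed way to capture the sandbox's view (PID from `firejail --list`):
#   firejail --join=PID cat /etc/resolv.conf > /tmp/sandbox-resolv.conf

# Print the nameserver addresses of a resolv.conf-style file, sorted and unique.
nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1" 2>/dev/null |
        LC_ALL=C sort -u
}

# Report the file type; the thread asks whether resolv.conf is a symlink or a
# regular file.
resolv_kind() {
    if [ -L "$1" ]; then
        printf 'symlink -> %s\n' "$(readlink "$1")"
    elif [ -f "$1" ]; then
        printf 'regular file\n'
    else
        printf 'missing\n'
    fi
}

# Compare both views. The first output line is "in-sync" or "stale"; for a
# stale sandbox every differing server follows on its own line.
# Returns 0 when both lists match, 1 otherwise.
compare_resolv() {
    host_ns=$(nameservers "$1")
    sandbox_ns=$(nameservers "$2")
    if [ "$host_ns" = "$sandbox_ns" ]; then
        echo "in-sync"
        return 0
    fi
    echo "stale"
    for ns in $host_ns; do
        printf '%s\n' "$sandbox_ns" | grep -Fxq -- "$ns" || echo "host-only $ns"
    done
    for ns in $sandbox_ns; do
        printf '%s\n' "$host_ns" | grep -Fxq -- "$ns" || echo "sandbox-only $ns"
    done
    return 1
}

# Run the comparison on constructed sample files when no paths are given.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: the sandbox still holds the pre-VPN file, while the
    # host file was rewritten when the VPN came up (10.0.0.1 is made up).
    printf '# Generated by NetworkManager\nnameserver 192.168.100.1\nnameserver 8.8.8.8\n' > "$dir/sandbox"
    printf '# Generated by NetworkManager\nnameserver 10.0.0.1\n' > "$dir/host"
    echo "host file: $(resolv_kind "$dir/host")"
    compare_resolv "$dir/host" "$dir/sandbox"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    echo "host file: $(resolv_kind "$1")"
    compare_resolv "$1" "$2"
else
    demo || true
fi
```

A "stale" result while the sandbox is running matches the symptom reported above, where addresses are reachable but names only resolvable through the VPN are not.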