[GH-ISSUE #6820] netfilter: Error: the sandbox doesn't use a new network namespace #3384

Closed
opened 2026-05-05 09:57:27 -06:00 by gitea-mirror · 2 comments

Originally created by @osevan on GitHub (Jul 12, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6820

dear community,

my php-fpm read-only / sandbox is not applying iptables via the netfilter option inside the profile anymore...

```
firejail --netfilter.print=2355
Switching to pid 2356, the first child process inside the sandbox
Error: the sandbox doesn't use a new network namespace
```

```
firejail --version
firejail version 0.9.75

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- IDS support is disabled
- Landlock support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-lib support is enabled
- private-cache and tmpfs as user enabled
- sandbox check is enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```

my php-fpm process is listening on 127.0.0.1:9001

should I listen inside the br0 subnetwork instead? like 10.10.20.55?

can we have a new flag for firejail like macvlan / ipvlan as an addition to the netfilter flag?

like:

```
################################
ipvlan l3mode (routed mode) or l2 mode for
netfilter /etc/firejail/tcpserver.net,9001
ip somerandomip
#################################
```

same with

```
################################
macvlan
netfilter /etc/firejail/tcpserver.net,9001
ip somerandomip
#################################
```

I can wget and curl everything inside the sandbox, even though the netfilter flag is inside the .profile.

Debian sid.

```
# Generic Firejail profile for servers started as root
#
# This profile is used as a default when starting the sandbox as root.
# Example:
#
#       $ sudo firejail
#       [sudo] password for netblue:
#       Reading profile /etc/firejail/server.profile
#       Reading profile /etc/firejail/disable-common.inc
#       Reading profile /etc/firejail/disable-programs.inc
#
#       ** Note: you can use --noprofile to disable server.profile **
#
#       Parent pid 5347, child pid 5348
#       The new log directory is /proc/5348/root/var/log
#       Child process initialized in 64.43 ms
#       root@debian:~#
#
# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
# All the rules for regular user profiles apply with the exception of
# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
# by default for root user.

# This file is overwritten after every install/update
# Persistent local customizations
include server.local
# Persistent global definitions
include globals.local

# generic server profile
# it allows /sbin and /usr/sbin directories - this is where servers are installed
# depending on your usage, you can enable some of the commands below:

blacklist /tmp/.X11-unix
blacklist /wayland-*
blacklist /tmp/nginx.sock
blacklist /tmp/nginx.pid
blacklist /tmp/client_temp
blacklist /tmp/fastcgi_temp
blacklist /tmp/proxy_temp
blacklist /tmp/scgi_temp
blacklist /tmp/uwsgi_temp

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc
include disable-proc.inc
include disable-X11.inc
include disable-shell.inc
include landlock-common.inc

noblacklist /opt/php-$PHPVERSIONSHORT/*
noblacklist /phpmod/
noblacklist /etc/resolv.conf
noblacklist /etc/nginx/
noblacklist /usr/local/mysql/bin/

read-only /
read-write /tmp

landlock.fs.execute /opt/php-$PHPVERSIONSHORT/sbin/php-fpm
landlock.fs.execute /opt/php-$PHPVERSIONSHORT/bin/php
landlock.fs.execute /opt/php-$PHPVERSIONSHORT/bin/php-cgi
landlock.fs.write /tmp
landlock.fs.write /opt/php-$PHPVERSIONSHORT/var/log/
#landlock.fs.write /var/spool/postfix/active
landlock.enforce

apparmor
caps.drop all
# ipc-namespace
#machine-id
netfilter /etc/firejail/tcpserver.net,9001
#net br0
dns 1.1.1.1
#ip 10.10.20.55
#ip 10.0.2.11

no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo

#protocol unix,inet,inet6,netlink
#protocol unix,inet,netlink
seccomp
seccomp.block-secondary
#shell none

disable-mnt

private-bin php-fpm,php*

private-cache
private-dev

dbus-user none
dbus-system none

# deterministic-shutdown
#memory-deny-write-execute
#read-only /
#read-write /tmp
##writable-run-user
# writable-var
# writable-var-log
```


@rusty-snake commented on GitHub (Jul 12, 2025):

> my php-fpm read-only / sandbox not applying iptables via netfilter option inside profile

> Error: the sandbox doesn't use a new network namespace


@kmk3 commented on GitHub (Jul 13, 2025):

Basic debugging information is missing; please follow the bug report template:

* <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

> > my php-fpm read-only / sandbox not applying iptables via netfilter option
> > inside profile

> > Error: the sandbox doesn't use a new network namespace

That is, use `--net`.

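The maintainer's answer points at the actual cause: `netfilter` only has a network namespace to attach its rules to when the profile also creates one with a `net` directive, and in the reporter's profile the `#net br0` and `#ip 10.10.20.55` lines are commented out. The following script is an added example written for this issue, not code from the reporter or from the firejail project. It lints a profile file for that exact shape (an active `netfilter` line with no active `net <interface>` line) and shows the reporter's profile fragment beside a corrected one; the sample profiles are constructed from the paths and addresses in the issue, and the treatment of `net none` as "no interface to filter on" is this checker's own assumption.

```shell
#!/bin/sh
# Added example for this issue (not from the reporter or the firejail project):
# detect a profile that sets "netfilter" without any active "net <interface>"
# directive, which is the situation behind
#   Error: the sandbox doesn't use a new network namespace

# check_netfilter_ns PROFILE
# Exit 0 when the profile is consistent (no netfilter, or netfilter plus a
# net interface); exit 1 when netfilter is active but no namespace would be
# created. Commented-out lines such as "#net br0" are deliberately ignored.
check_netfilter_ns() {
    profile="$1"
    # "|| true" keeps grep's "no match" status from aborting under set -e
    nf=$(grep -Ec '^[[:space:]]*netfilter([[:space:]]|$)' "$profile" || true)
    net=$(grep -Ec '^[[:space:]]*net[[:space:]]+[^[:space:]#]' "$profile" || true)
    # "net none" creates a namespace with only loopback; this checker assumes
    # that is not what a netfilter rule set for a listening service wants.
    none=$(grep -Ec '^[[:space:]]*net[[:space:]]+none([[:space:]]|$)' "$profile" || true)
    net=$((net - none))
    if [ "$nf" -gt 0 ] && [ "$net" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample: the network part of the reporter's profile as posted
# (netfilter active, net and ip commented out).
write_broken_profile() {
    cat > "$1" <<'EOF'
netfilter /etc/firejail/tcpserver.net,9001
#net br0
dns 1.1.1.1
#ip 10.10.20.55
EOF
}

# Constructed sample: the same fragment with the bridge enabled, so the
# sandbox gets its own network namespace for the filter to apply to.
write_fixed_profile() {
    cat > "$1" <<'EOF'
net br0
ip 10.10.20.55
netfilter /etc/firejail/tcpserver.net,9001
dns 1.1.1.1
EOF
}

# Stand-alone run: lint both constructed profiles and report the result.
tmp=$(mktemp -d)
write_broken_profile "$tmp/broken.profile"
write_fixed_profile "$tmp/fixed.profile"
for p in broken fixed; do
    if check_netfilter_ns "$tmp/$p.profile"; then
        echo "$p.profile: netfilter has a network namespace to attach to"
    else
        echo "$p.profile: netfilter set without net -> rules cannot be applied"
    fi
done
rm -rf "$tmp"
```

Running the script against a real profile is a one-line change (`check_netfilter_ns /etc/firejail/server.profile`); a profile that fails the check will produce the same "doesn't use a new network namespace" error the reporter saw, and the fix is the one the maintainer gave: add a `net` line (with an `ip` line if a fixed address such as 10.10.20.55 is wanted) rather than changing the `netfilter` line.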
Reference: github-starred/firejail#3384