[GH-ISSUE #645] "netfilter" enabled by default #450

Closed
opened 2026-05-05 05:53:15 -06:00 by gitea-mirror · 13 comments

Originally created by @ghost on GitHub (Jul 24, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/645

Since I have my own custom rules for iptables, I decided to edit each profile in /etc/firejail and remove the "netfilter" entries for each one of them. Then I stumbled upon "nolocal" which is where the rules are stored.

So instead of removing every "netfilter" line from the profiles, would simply making the "nolocal" file blank suffice to make the applications follow my global iptables rules?


@netblue30 commented on GitHub (Jul 24, 2016):

When a new network namespace is created, it doesn't automatically inherit netfilter configuration from the main network namespace. Instead, netfilter in the new namespace has an empty configuration - all traffic allowed.

This is what I can do:

When starting the sandbox as a user, most profiles will set a netfilter configuration hardcoded in the program. I can add an entry in /etc/firejail/firejail.config and allow you to overwrite this default configuration with one you specify, something like:

```
default-netfilter somefile
```

Will this work for you?


@ghost commented on GitHub (Jul 24, 2016):

> Will this work for you?

Wouldn't that be a redundancy? Because the system is already using a system-wide configuration at /etc/iptables/iptables.rules, regardless of whether the program is run via firejail or not [1]. The same would happen if the user runs ufw or similar programs.

I think a configuration like "netfilter-handling=none" in /etc/firejail/firejail.conf that would override any "netfilter" entry on the profiles would be more appropriate, making the program unable to do anything firewall related (dealing only with the sandbox part).

But to be honest, I think the perfect solution would be asking (via CLI, upon installing firejail) if the user wants firejail to handle iptables. Something like this:

> Would you want firejail to handle your Firewall for sandboxed programs? If you're NOT an advanced user, you can simply say "Yes" (Y) and we'll take care of everything for you. If you already have a Firewall configuration in place, just say "No" (N) and we'll leave you in charge of it.

[1] https://raw.githubusercontent.com/amarildojr/Firewall/master/rules


@netblue30 commented on GitHub (Jul 24, 2016):

No, the kernel doesn't care about system wide configuration rules. Every time it creates a network namespace, the filter is empty. So, when you create the namespace, you need to tell the kernel everything: IP addresses, default gateway and netfilter configuration.


@ghost commented on GitHub (Jul 24, 2016):

So it would be OK to use "default-netfilter" and point it to "/etc/iptables.iptables.rules"?
Or is it simpler to edit the "nolocal.net" file and set it as an exact copy of my iptables.rules?

Whichever is easier for both of us, please let me know :)


@netblue30 commented on GitHub (Jul 24, 2016):

Yes, you'll be able to use "default-netfilter" and point it to "/etc/iptables/iptables.rules", and it will be global over the system. As soon as firejail starts, it will load it. I'll have the fix in the next few days, it is very easy, and I think it could be useful to some other people.


@ghost commented on GitHub (Jul 24, 2016):

Thank you! :D


@ghost commented on GitHub (Jul 24, 2016):

BTW, what will happen to "nolocal.net"? It can simply stay there?


@netblue30 commented on GitHub (Jul 25, 2016):

People still can use it: "firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox" and you get a browser without access on the local network. If somebody breaks into the browser, there will be no connectivity on the local network.


@netblue30 commented on GitHub (Jul 28, 2016):

All set in git, you can try it.


@ghost commented on GitHub (Jul 29, 2016):

Thanks, but it didn't work for me.

This is the "off.rules" I'll be referencing on firejail.conf:

```
# Generated by iptables-save v1.6.0 on Thu Jul 28 23:56:39 2016

*filter
:INPUT DROP [3:218]
:FORWARD DROP [0:0]
:OUTPUT DROP [112:6832]
COMMIT

# Completed on Thu Jul 28 23:56:39 2016
```

Firejail.conf:

```
netfilter-default /etc/iptables/off.rules
```

It seems that firejail can't override what is already being managed by iptables.service, which loads my "out.conf" (see my Firewall repo).
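The rules file above, and the nolocal.net file mentioned earlier in the thread, are both iptables-save files that firejail hands to iptables-restore inside the network namespace it creates for --net. An added example (not firejail's code, and not from this thread's participants) that checks such a file for the pieces iptables-restore needs and reports its default policies before you point netfilter-default or --netfilter at it; it also flags the all-DROP case, which leaves the sandboxed program with no connectivity at all. The sample files are constructed here; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not firejail's own code: sanity-check an iptables-save file
# before using it as netfilter-default or --netfilter. The file only takes
# effect in the new network namespace created by --net; without --net the
# sandbox keeps the host namespace and the host's iptables rules.
# Assumption: the file is in iptables-save format with one *filter table.

# default_policy FILE CHAIN -> prints the chain's default policy (ACCEPT/DROP)
default_policy() {
    sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" "$1"
}

# check_netfilter_file FILE -> 0 if the file has what iptables-restore needs
# (*filter, a policy line for each built-in chain, COMMIT), 1 otherwise
check_netfilter_file() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "$f: missing *filter" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT" >&2; return 1; }
    for chain in INPUT FORWARD OUTPUT; do
        p=$(default_policy "$f" "$chain")
        case $p in
            ACCEPT|DROP) ;;
            *) echo "$f: no policy for $chain" >&2; return 1 ;;
        esac
    done
    return 0
}

# all_dropped FILE -> 0 when INPUT, FORWARD and OUTPUT all default to DROP,
# i.e. the sandbox would have no network at all (the off.rules case above)
all_dropped() {
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(default_policy "$1" "$chain")" = DROP ] || return 1
    done
    return 0
}

# Constructed sample in the shape posted in this thread. The bracketed values
# are saved packet:byte counters and are ignored by iptables-restore without -c.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [3:218]
:FORWARD DROP [0:0]
:OUTPUT DROP [112:6832]
COMMIT
# Completed
EOF

# A second constructed file that lacks COMMIT, to show the check rejecting it.
BROKEN=$(mktemp)
printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n' >"$BROKEN"

if check_netfilter_file "$SAMPLE"; then
    echo "$SAMPLE: OUTPUT policy is $(default_policy "$SAMPLE" OUTPUT)"
    all_dropped "$SAMPLE" && echo "$SAMPLE: every chain drops; the sandbox will have no network"
fi
check_netfilter_file "$BROKEN" || echo "$BROKEN rejected, as expected"
rm -f "$SAMPLE" "$BROKEN"
```

Run it as a plain user; it only reads files and never touches the live ruleset. The policy check is deliberately narrow (built-in chains of the filter table), since that is all the files in this thread contain.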


@netblue30 commented on GitHub (Jul 29, 2016):

How do you start the sandbox? Are you using the --net command?


@ghost commented on GitHub (Aug 10, 2016):

Sorry for the late reply.

I had forgotten about that switch. It works :)
Thank you a lot for listening to the community and implementing features so quickly. Not a lot of developers do that.

Cheers!


@netblue30 commented on GitHub (Aug 10, 2016):

No problem, let me know if you need anything else, at this point new features are easy to add.
