[GH-ISSUE #1085] option to expose only whitelisted ip:port:protocol into the sandbox #739

New issue

Closed

opened 2026-05-05 06:33:09 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 06:33:09 -06:00

Owner

Originally created by @ibukanov on GitHub (Jan 31, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1085

To restrict the sandbox networking it is nice to allow for the sandbox to reach only single ip:port:protocol outside the sandbox. My use case is to expose http proxy running on my laptop into the sandbox so the only connection to the outside world is through this proxy.

Currently it is possible with --netns and custom iptable rules, but that requires root.

Originally created by @ibukanov on GitHub (Jan 31, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1085 To restrict the sandbox networking it is nice to allow for the sandbox to reach only single ip:port:protocol outside the sandbox. My use case is to expose http proxy running on my laptop into the sandbox so the only connection to the outside world is through this proxy. Currently it is possible with --netns and custom iptable rules, but that requires root.

gitea-mirror

2026-05-05 06:33:09 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 06:33:16 -06:00

Author

Owner

@netblue30 commented on GitHub (Feb 1, 2017):

I would try a setup similar to this one: https://firejail.wordpress.com/documentation-2/basic-usage/#routed

Create a bridge and set an IP address:

$ sudo brctl addbr br0
$ sudo ifconfig br0 10.10.20.1/24

Make sure the bridge traffic is not routed on the network outside:

$ sudo echo "0" > /proc/sys/net/ipv4/ip_forward

Start a http proxy on 10.10.20.1
You also need a DNS proxy on 10.10.20.1. If you are running on Ubuntu, you already have one - it is probably listening only on 127.0.0.1, so you'll have to reconfigure it.
Start the sandbox:

$ firejail --net=br0 firefox

@netblue30 commented on GitHub (Feb 1, 2017): I would try a setup similar to this one: https://firejail.wordpress.com/documentation-2/basic-usage/#routed 1. Create a bridge and set an IP address: ````` $ sudo brctl addbr br0 $ sudo ifconfig br0 10.10.20.1/24 ````` 2. Make sure the bridge traffic is not routed on the network outside: ````` $ sudo echo "0" > /proc/sys/net/ipv4/ip_forward ````` 3. Start a http proxy on 10.10.20.1 4. You also need a DNS proxy on 10.10.20.1. If you are running on Ubuntu, you already have one - it is probably listening only on 127.0.0.1, so you'll have to reconfigure it. 5. Start the sandbox: ````` $ firejail --net=br0 firefox `````

gitea-mirror referenced this issue

2026-05-05 07:55:44 -06:00

[GH-ISSUE #2023] Cannot whitelist path in /run #1362

gitea-mirror referenced this issue

2026-05-05 09:16:57 -06:00

[GH-ISSUE #4310] Invalid whitelist path /local #2617