[GH-ISSUE #1314] Tutorial / script for firejail Tor bridgers to make feature more accessible #896

Closed
opened 2026-05-05 07:05:11 -06:00 by gitea-mirror · 6 comments

Originally created by @t4777sd on GitHub (May 26, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1314

It would be great if firejail included a tutorial or even a script to create tor bridges as per this guide that less technical users can use: https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/

I understand this is a technical program, but this is a pretty important feature, so it would be great if it was more accessible, so that more people can take advantage of this powerful feature.

I have tried to use that guide and it fails me. I am sure that many other users also have similar issues. I use the latest version of Ubuntu. I copied the commands exactly, swapping out eno1 for my connected wifi device (wlp1s0).

Running "ifconfig" outside a sandbox shows the "tornet" interface, and if a sandboxed program that uses tornet is running, it also shows the various "veth" interfaces.

However, inside the sandbox, host, curl, ping, etc. cannot make a connection to any domain or IP address.


@gso commented on GitHub (May 29, 2017):

Have you tried an application with built in SOCKS support?


@t4777sd commented on GitHub (May 29, 2017):

You mean one that lets you set a SOCKS proxy? Yes, I use that when the program offers it and it works normally. However, I wanted to use the torbridge method for programs that do not. Currently I am using proxychains, which was a method mentioned on this github.

However, being able to use the torbridge would be ideal. Do you have any idea why it does not work? It fails in the first step of that blog post (before TOR-ifying the traffic). It appears the traffic is not NATed or something.


@gso commented on GitHub (May 29, 2017):

Perhaps you could attach a comment asking if the author could explain.

The bridge should forward to localhost if there are no rules configured otherwise. At which point you can chain any proxy that can be made use of.


@t4777sd commented on GitHub (May 30, 2017):

I posted 2 times on the blog, but the author does not accept comments (they enter the moderation queue and never get approved), so I think the author is MIA. I also ran `iptables -S` to verify that there were no other iptables rules.

I found this in the github that does work. It is not as elegant, but it is easy to make work: https://github.com/netblue30/firejail/issues/1160

For those users that cannot make the tor bridge work, which seems like quite a few, it might be useful to post this alternative method on the blog post that links to the tor bridge method blog post. At least that way users will have one solution that can work.


@gso commented on GitHub (May 30, 2017):

It is some time since I ran that script myself, but I can also confirm that curl does not fetch the web page. It does not make sense for curl to fetch a web page over tor without using a `socks` proxy, so that is not surprising.

Not being a network security engineer, I'm hesitant to post my own configuration; it would be better to encourage one of the distributions with the necessary expertise to package a solution.

There is a need for some sort of turnkey solution: `firejail --net=...` (i.e., with its own network namespace, denying X11 abstract Unix domain socket access) does not work with `openvpn` encryption or WiFi out of the box (both common use cases).


@lesion commented on GitHub (Jul 19, 2017):

For future readers: we've found a nice solution to this problem and made an easy tool to implement it (https://torjail.github.io). The idea is to use a network namespace to avoid any leak. Technically:

Configure tor with this configuration:

```
# Tor listens on the host side of the veth pair only, so nothing outside
# the namespace is exposed; SOCKSPort 0 disables the default SOCKS listener.
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.0.1
DNSPort 5354
DNSListenAddress 10.0.0.1
SOCKSPort 0
```

then (as root):

```sh
# create a new network namespace named torjail
ip netns add torjail

# create two virtual ethernet interfaces (a veth pair)
ip link add out-torjail type veth peer name in-torjail

# bind one interface to the torjail network namespace
ip link set in-torjail netns torjail

# set interface ips and default routing
ip addr add 10.0.0.1/24 dev out-torjail
ip link set out-torjail up
ip netns exec torjail ip addr add 10.0.0.2/24 dev in-torjail
ip netns exec torjail ip link set in-torjail up
ip netns exec torjail ip route add default via 10.0.0.1

# forward all dns traffic to the tor DNSPort
iptables -t nat -A PREROUTING -i out-torjail -p udp -d 10.0.0.1 --dport 53 -j DNAT --to-destination 10.0.0.1:5354

# forward all new tcp connections to the tor TransPort
iptables -t nat -A PREROUTING -i out-torjail -p tcp --syn -j DNAT --to-destination 10.0.0.1:9040

# accept established connections
iptables -A OUTPUT -m state -o out-torjail --state ESTABLISHED,RELATED -j ACCEPT

# accept only forwarded traffic; the final DROP must come after the ACCEPT rules
iptables -A INPUT -i out-torjail -p udp --destination 10.0.0.1 --dport 5354 -j ACCEPT
iptables -A INPUT -i out-torjail -p tcp --destination 10.0.0.1 --dport 9040 -j ACCEPT
iptables -A INPUT -i out-torjail -p udp --destination 10.0.0.1 --dport 9040 -j ACCEPT
iptables -A INPUT -i out-torjail -j DROP

# finally run firejail within the torjail namespace
firejail --dns=10.0.0.1 --netns=torjail $YOUR_ANONYMOUS_COMMAND_HERE
```

Comments appreciated:
https://torjail.github.io
https://github.com/torjail/torjail

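When a jail set up like the recipe above "cannot make a connection", the usual cause is a rule that is missing or placed after the catch-all DROP. The following checker, an added example that is not code from this issue or from the torjail project, parses the text of `iptables -S` and `iptables -t nat -S` and reports which of the recipe's rules are missing or shadowed; the two sample outputs are constructed, and the interface name and Tor IP are the recipe's defaults.

```python
# Added example, not code from the issue or the torjail project: check a
# torjail-style rule set from the text of `iptables -S` / `iptables -t nat -S`
# so a jail that "cannot make a connection" can be traced to a missing or
# shadowed rule. Both sample outputs below are constructed.
FILTER_S = """\
-P INPUT ACCEPT
-A INPUT -i out-torjail -p udp -m udp -d 10.0.0.1/32 --dport 5354 -j ACCEPT
-A INPUT -i out-torjail -p tcp -m tcp -d 10.0.0.1/32 --dport 9040 -j ACCEPT
-A INPUT -i out-torjail -p udp -m udp -d 10.0.0.1/32 --dport 9040 -j ACCEPT
-A INPUT -i out-torjail -j DROP
"""
NAT_S = """\
-A PREROUTING -i out-torjail -p udp -m udp -d 10.0.0.1/32 --dport 53 -j DNAT --to-destination 10.0.0.1:5354
-A PREROUTING -i out-torjail -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 10.0.0.1:9040
"""

def parse_rules(text):
    """Turn each `-A CHAIN ...` line into a dict of the options we care about."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue                    # skip -P policy and -N chain lines
        tok = line.split()
        rule = {"chain": tok[1], "raw": line}
        for i, t in enumerate(tok[:-1]):
            if t in ("-i", "-p", "-j", "--dport", "--to-destination"):
                rule[t] = tok[i + 1]
        rules.append(rule)
    return rules

def has(rules, **want):
    return any(all(r.get(k) == v for k, v in want.items()) for r in rules)

def check_torjail(filter_s, nat_s, iface="out-torjail", tor_ip="10.0.0.1"):
    """Return a list of problems; an empty list means the rules match the recipe."""
    filt, problems = parse_rules(filter_s), []
    # DNS (udp/53) and every new TCP connection from the jail must be DNATed to Tor.
    pre = [r for r in parse_rules(nat_s) if r["chain"] == "PREROUTING" and r.get("-i") == iface]
    if not has(pre, **{"-p": "udp", "--dport": "53", "--to-destination": f"{tor_ip}:5354"}):
        problems.append("DNS is not redirected to Tor DNSPort 5354")
    if not has(pre, **{"-p": "tcp", "--to-destination": f"{tor_ip}:9040"}):
        problems.append("TCP is not redirected to Tor TransPort 9040")
    # INPUT from the veth: ACCEPT only the Tor ports, then a catch-all DROP.
    inp = [r for r in filt if r["chain"] == "INPUT" and r.get("-i") == iface]
    for proto, port in (("udp", "5354"), ("tcp", "9040")):
        if not has(inp, **{"-p": proto, "--dport": port, "-j": "ACCEPT"}):
            problems.append(f"no INPUT ACCEPT for {proto}/{port} from {iface}")
    drops = [i for i, r in enumerate(inp) if r.get("-j") == "DROP" and "-p" not in r]
    if not drops:
        problems.append("no catch-all DROP: the jail can reach other host services")
    else:  # iptables is first-match, so rules placed after the DROP never fire
        problems += ["shadowed by the DROP above it: " + r["raw"] for r in inp[drops[0] + 1:]]
    return problems
```

Feed it the real output with `check_torjail(open("filter.txt").read(), open("nat.txt").read())` after saving `iptables -S` and `iptables -t nat -S` to those files.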
Reference: github-starred/firejail#896