Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] Does 'netfilter=filename' affect the system firewall, eg UFW #1642

Closed
Irvinehimself opened this issue Nov 12, 2017 · 3 comments
Closed

[Question] Does 'netfilter=filename' affect the system firewall, eg UFW #1642

Irvinehimself opened this issue Nov 12, 2017 · 3 comments
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested

Comments

@Irvinehimself
Copy link
Contributor

As the title states: Does playing around with Firejail netfilters on a per application basis represent a safe way of learning about netfilter rules?

At the moment, I use the default UFW rules

 Default: deny (incoming), allow (outgoing), disabled (routed)

and am loathe to experiment with these settings until I have a better understanding of what I am doing

Thanks
Irvine

Ps, If if you are interested, I have attached zipped profiles for: bsdtar, cower, makepkg, ping and archaudit-report
Profiles.zip
@SkewedZeppelin
Copy link
Collaborator

SkewedZeppelin commented Nov 12, 2017
edited
Loading

I don't think Firejail ever directly interacts with UFW. And afaik UFW is just a fancy bash script to control iptables.

As for learning about iptables here are some nice writeups:

@SkewedZeppelin SkewedZeppelin added the question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested label Nov 12, 2017
@netblue30
Copy link
Owner

Does 'netfilter=filename' affect the system firewall, eg UFW

No, Firejail doesn't touch your system firewall. It installs a new one in the sandbox if you use --net to start another network namespace. Each network namespace (system or sandbox) has its own firewall.

I'll start bringing in your profiles, thanks.

netblue30 pushed a commit that referenced this issue Nov 15, 2017
added ping profile, #1642
ca9fda5
netblue30 pushed a commit that referenced this issue Nov 15, 2017
bsdtar profile, #1642
e1a40d3
netblue30 pushed a commit that referenced this issue Nov 15, 2017
makepkg profile for Arch platform, #1642
d0ae074
netblue30 pushed a commit that referenced this issue Nov 15, 2017
archaudit-report and cower for Arch platforms, #1642
6c10737
netblue30 pushed a commit that referenced this issue Nov 15, 2017
merges, #1642
edc5d60
@netblue30
Copy link
Owner

all merged, thanks.

kmk3 added a commit to kmk3/firejail that referenced this issue Mar 28, 2023
@kmk3
cower: move blacklist from disable-programs to dc
d951648 
This is an AUR helper and disable-common.inc has entries for pacman and
other system package managers.

Added on commit 6c10737 ("archaudit-report and cower for Arch
platforms, netblue30#1642", 2017-11-15).
@kmk3 kmk3 mentioned this issue Mar 28, 2023
Merged
kmk3 added a commit to kmk3/firejail that referenced this issue Mar 28, 2023
@kmk3
cower: move blacklist from disable-programs to dc
7c18234 
This is an AUR helper and disable-common.inc has entries for pacman and
other system package managers.

Added on commit 6c10737 ("archaudit-report and cower for Arch
platforms, netblue30#1642", 2017-11-15).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@SkewedZeppelin @Irvinehimself @netblue30