It’s not strictly an application firewall, but I’ve had a bit of play with firejail. It doesn’t provide sophisticated network filtering like an application firewall may, but it can effectively disable all network access per application, except for that application’s own private sandboxed localhost (isolated from even the host).
For example, this will prevent LibreWolf from having any network access (WAN, LAN and host), via --net=none:
firejail --net=none librewolf
Obviously that renders LibreWolf largely useless, but I share it only as a proof of concept.
It could be useful for stuff that doesn’t need internet access, with the added benefits of sand-boxing the application using native Linux features.
The downside is, firejail can be quite restrictive and will break a lot of applications unless a profile is built per application. You can be quite selective in what applications use it though, it doesn’t have to be an all or nothing approach.
@Bink
Firejail looked so interesting for me. Trying it I had some issues. The browser did not download anything and libreoffice did not open any .docx file and even could not start it from the start menu (KDE, BTRFS).
It seems so restrictive.
Unless there is a specific setting or option to make it not that restrictive. I uninstalled and disabled it to get things working again as usual.
I wonder if there are specific options or settings for this.
That’s the point @Bink
I tried it a few days ago. I found it very restrictive.
I found I am unable to download anything with Brave browser, and clicking on any .docx file does not open it in Libreoffice, I couldn’t even launch Libreoffice from the start menu (KDE)! So I just uninstalled and reverted back to where I was before.
But, creating a specific profile for each app is not that practical. Maybe there is some setting that will make it less restrictive.
Looking at safeline. I wonder if it offers anything extra beyond a normal firewall?
firejail is supposed to be very restrictive. It isn’t intended for a casual user to “add more security”. It is for use cases where you want highly specific controls on a per application basis.
safeline is a web application firewall. That isn’t something you would normally run on a desktop.
Well creating a custom profile for applications using firejail is the recommended way to go. For example look at this (specifically Step 6: Creating Custom Profiles).
There is a package Firetools, which includes a Firejail GUI. That package is part of the extra repo of Arch packages.
The Firejail profile for Firefox-based browsers allows the application to interact with the ~/Downloads directory by default, but I took a look and it appears the profile for Chromium-based browsers does not. You would need to add it as a whitelisted directory in a local Firejail config.
~/.config/firejail/chromium-common.local
whitelist ${DOWNLOADS}
I agree that this is a case which seems overly restrictive because it breaks a fundamental feature of the application. I’m not sure if that is an oversight, or if there is some reason they set the profile up like that on purpose.
@limotux let us know how it goes with the Firejail GUI.
@BluishHumility if the firejail profile prevents the use of the downloads directory and other directories under $HOME then it hardens the browser more, because it might prevent the ability to download and upload files, thus preventing the spread of malware via attachments. Maybe it means that the Firefox profile is more permissive compared to Chrome-based browsers, or in other words, it hardens Chrome-based browsers more than it does Firefox.
The firetools UI is pretty basic, but it is proving helpful as one not yet fully familiar with the available options.
I’ve been able to get a number of previously problematic apps behaving well within firejail using the UI. At the moment, I’m taking the config Firetools produces, and placing it in ~/.config/firejail/someapp.profile, replacing someapp there with the executable name of the app; eg: ~/.config/firejail/librewolf.profile (just an example, firejail’s default profile worked fine with LibreWolf).
Then testing from the terminal, I’d run:
firejail librewolf
I watch for errors and adjust the restrictions, sometimes by trial and error, until it launches without error.
If it fails to load the existing application profile, a whitelist can be added for as many directories as are needed.
Eg:
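The steps in the posts above (a ~/.config/firejail/app.local override carrying whitelist ${DOWNLOADS}, a net none restriction like the --net=none launch in the first post, and trial-and-error launching from a terminal) can be scripted. The helpers below are an added example, not code from this thread or from the Firejail project; the fj_* function names are made up here. They assume the user config directory is ~/.config/firejail (overridable through FIREJAIL_CONF so they can be exercised in a scratch directory) and that the stock profile for the app includes app.local, which is what makes the chromium-common.local trick above work.

```shell
#!/bin/sh
# Added example (not from the thread): manage per-application Firejail overrides.
# FIREJAIL_CONF defaults to the directory Firejail reads user profiles and
# .local overrides from; set it to a scratch directory when experimenting.
: "${FIREJAIL_CONF:=$HOME/.config/firejail}"

# Return 0 if FILE already contains LINE exactly, so additions stay idempotent.
fj_has_line() {
    file=$1; line=$2
    [ -f "$file" ] && grep -Fxq -e "$line" -- "$file"
}

# Append one profile directive (e.g. "whitelist ${DOWNLOADS}" or "net none")
# to the .local override for APP, creating the file if needed. No-op if present.
fj_local_add() {
    app=$1; directive=$2
    target="$FIREJAIL_CONF/$app.local"
    mkdir -p "$FIREJAIL_CONF"
    if fj_has_line "$target" "$directive"; then
        return 0
    fi
    printf '%s\n' "$directive" >> "$target"
}

# Whitelist one or more directories for APP. Quote macros such as '${DOWNLOADS}'
# so the shell passes them through for Firejail to expand.
fj_local_whitelist() {
    app=$1; shift
    for dir in "$@"; do
        fj_local_add "$app" "whitelist $dir"
    done
}

# Print the directives currently in APP's override, skipping comments and blanks.
fj_local_show() {
    target="$FIREJAIL_CONF/$1.local"
    [ -f "$target" ] && grep -Ev '^[[:space:]]*(#|$)' "$target"
}

# Launch APP under firejail with extra flags, as the thread suggests for testing
# a profile. When firejail is not installed, print the command and return 2.
fj_try_launch() {
    app=$1; shift
    if command -v firejail >/dev/null 2>&1; then
        firejail "$@" "$app"
    else
        printf 'firejail not found; would run: firejail %s %s\n' "$*" "$app"
        return 2
    fi
}

# Usage (commented out so sourcing the file has no side effects):
#   fj_local_whitelist chromium-common '${DOWNLOADS}' '${HOME}/Documents'
#   fj_local_add offline-tool 'net none'
#   fj_try_launch librewolf --net=none
```

Because fj_local_add only ever appends a directive that is not already present, it is safe to re-run while iterating on a profile; fj_local_show gives a quick view of what has accumulated in the override before the next test launch.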
First of all sorry for this very late reply. I just got busy.
But generally I did not try the GUI, I was trying to install just firejail and get it to secure my machine. But it seemed so problematic as it requires apparmor which was problematic. I don’t know why.
According to what I read the issue was with apparmor, both together didn’t play well.
I discovered there is another version of firejail without apparmor, firejail-no-apparmor, but unfortunately I see it orphaned.
yay firejail-no-apparmor
1 aur/firejail-no-apparmor 0.9.70-1 (+3 0.00) (Orphaned) (Out-of-date: 2023-01-17)
Linux namespaces sandbox program, compiled without dependency to apparmor
==> Packages to install (eg: 1 2 3, 1-3 or ^4)
==>
I installed it anyway out of curiosity and it is working fine.
But I will still try to find a better alternative to firejail that does not require apparmor and works somehow like this orphaned version.
I noticed it says “compiled without dependency to apparmor”, but I am no expert and don’t know how to compile the source code without dependence on apparmor.
I hope the experts here guide us with this, how to compile without apparmor.
I am also very much interested in this topic, but when I read this statement I cannot but think that it is quite vague and doesn’t provide any information about what exactly was the problem.
Neither firejail nor apparmor are mandatory to use. As a matter of fact you need to install them both and in the case of apparmor, for it to be enabled, you need to add some kernel boot options to your kernel command line and enable apparmor.service.
Also, upon the installation of firejail, you will have a message in the terminal saying that you have to run the following command as root in order for firejail to be integrated with apparmor.
Without doing so, I suppose you could run firejail without apparmor integration.
I hope so too but I think they will need a bit more specific information on what you/me/we have already done or are trying to do to be able to guide us.
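The reply above makes the point that AppArmor is only active if the kernel was booted with it and the service enabled, so “firejail needs apparmor” is hard to judge without checking the actual state. The small script below is an added example, not from this thread or the Firejail project; the aa_* names are made up here. It reads the kernel’s AppArmor module parameter and the boot command line (both paths are parameters, defaulting to the real /sys and /proc files, so the functions can also be run against constructed files) and prints a summary that can be pasted into a post before troubleshooting Firejail’s AppArmor integration.

```shell
#!/bin/sh
# Added example (not from the thread): report the AppArmor state a Firejail user
# needs to know. Paths are parameters so the functions can be exercised against
# constructed files; the defaults are the real kernel interfaces.

# Classify AppArmor from the kernel module parameter file.
# Prints one of: enabled, disabled, absent (module not present or unreadable).
aa_state() {
    param_file=${1:-/sys/module/apparmor/parameters/enabled}
    if [ ! -r "$param_file" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$param_file")" in
        Y) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Report whether the boot command line asked for AppArmor as the LSM
# (either the older security=apparmor form or an lsm= list naming it).
# Prints "requested" or "not-requested".
aa_cmdline() {
    cmdline_file=${1:-/proc/cmdline}
    if [ -r "$cmdline_file" ] && grep -Eq '(security=apparmor|lsm=[^ ]*apparmor)' "$cmdline_file"; then
        echo requested
    else
        echo not-requested
    fi
}

# One-line summary combining both checks.
aa_summary() {
    printf 'apparmor: %s (boot cmdline: %s)\n' "$(aa_state "$1")" "$(aa_cmdline "$2")"
}

# Usage on a live system (commented out so sourcing the file has no side effects):
#   aa_summary
```

If the summary says absent or not-requested, Firejail’s AppArmor integration cannot be what is breaking an application, and the profile itself is the place to look; if it says enabled, the AppArmor side (the service and Firejail’s own AppArmor profile) is worth checking before changing the Firejail profile.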
I used Firejail about 2 years ago I think. What I found is that for some applications you have to create a desktop file to use, since it didn’t work for all applications the way it says it does. I also found that for a lot of applications you have to add your own custom tweaks, and at some point it just gets annoying that you finally think you have everything working and then you run into something else. One issue I was never able to figure out was with Steam, where all my games work except for one game that uses some form of anti-cheat supported by Steam/Proton, but with Firejail it refused to load no matter what you excluded or changed in your custom included profile. In short, I find it too much time and effort to get it working for everything. I doubt that has changed since then.
I hope this makes it clearer, plus I noticed that the firewall setup I had was not working all the time.
And as said, it was too restrictive, and the version that is working fine is orphaned unfortunately. So I decided I will uninstall it.
What I mostly meant, and I may have been a bit vague myself, was: how did you incorporate firejail and apparmor in your setup? In terms of enabling apparmor in the kernel, integrating firejail in apparmor etc.
There are many moving parts that make troubleshooting more complex.
Another question, what browser did you try with firejail? How did you launch it?
@cactux It wasn’t me. It was firejail itself that needs or uses apparmor. You might notice I said I found another version (orphaned) that is said to have been compiled without AppArmor. Check yay yourself.
I am on Brave browser; I have an icon on the toolbar and in the start menu as well. It launched, but firejail limited it to accessing the /Downloads folder only. I generally use the browser to read my PDF files as well, but I couldn’t because they were in another folder.
It was too restrictive, and as said, playing with it and testing with commands I noticed it didn’t even work all the time. The problems were with the default one, not with the other one (the orphaned).