
netfilter: Error: the sandbox doesn't use a new network namespace #6820

@osevan

Description


Dear community,

My php-fpm read-only / sandbox is not applying iptables via the netfilter option inside the profile anymore...

firejail --netfilter.print=2355
Switching to pid 2356, the first child process inside the sandbox
Error: the sandbox doesn't use a new network namespace

firejail --version
firejail version 0.9.75

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- IDS support is disabled
- Landlock support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-lib support is enabled
- private-cache and tmpfs as user enabled
- sandbox check is enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

My php-fpm process is listening on the server at 127.0.0.1:9001.

Should I listen inside the br0 subnetwork, like 10.10.20.55?

Can we have a new flag for firejail like macvlan, ipvlan for the netfilter flag addition?

Like:
################################
ipvlan L3 mode (routed mode) or L2 mode for
netfilter /etc/firejail/tcpserver.net,9001
ip somerandomip
#################################

Same with

################################
macvlan
netfilter /etc/firejail/tcpserver.net,9001
ip somerandomip
#################################

I can wget and curl everything inside the sandbox, even though the netfilter flag is inside the .profile.

Debian sid.

# Generic Firejail profile for servers started as root
#
# This profile is used as a default when starting the sandbox as root.
# Example:
#
#       $ sudo firejail
#       [sudo] password for netblue:
#       Reading profile /etc/firejail/server.profile
#       Reading profile /etc/firejail/disable-common.inc
#       Reading profile /etc/firejail/disable-programs.inc
#
#       ** Note: you can use --noprofile to disable server.profile **
#
#       Parent pid 5347, child pid 5348
#       The new log directory is /proc/5348/root/var/log
#       Child process initialized in 64.43 ms
#       root@debian:~#
#
# Customize the profile as usual. Examples: unbound.profile, fdns.profile.
# All the rules for regular user profiles apply with the exception of
# /usr/local/bin symlink redirection and firecfg tool. The redirection is disabled
# by default for root user.

# This file is overwritten after every install/update
# Persistent local customizations
include server.local
# Persistent global definitions
include globals.local

# generic server profile
# it allows /sbin and /usr/sbin directories - this is where servers are installed
# depending on your usage, you can enable some of the commands below:


blacklist /tmp/.X11-unix
blacklist /wayland-*
blacklist /tmp/nginx.sock
blacklist /tmp/nginx.pid
blacklist /tmp/client_temp
blacklist /tmp/fastcgi_temp
blacklist /tmp/proxy_temp
blacklist /tmp/scgi_temp
blacklist /tmp/uwsgi_temp


include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-write-mnt.inc
include disable-xdg.inc
include disable-proc.inc
include disable-X11.inc
include disable-shell.inc
include landlock-common.inc



noblacklist /opt/php-$PHPVERSIONSHORT/*
noblacklist /phpmod/
noblacklist /etc/resolv.conf
noblacklist /etc/nginx/
noblacklist /usr/local/mysql/bin/


read-only /
read-write /tmp


landlock.fs.execute /opt/php-$PHPVERSIONSHORT/sbin/php-fpm
landlock.fs.execute /opt/php-$PHPVERSIONSHORT/bin/php
landlock.fs.execute /opt/php-$PHPVERSIONSHORT/bin/php-cgi
landlock.fs.write /tmp
landlock.fs.write /opt/php-$PHPVERSIONSHORT/var/log/
#landlock.fs.write /var/spool/postfix/active
landlock.enforce

apparmor
caps.drop all
# ipc-namespace
#machine-id
netfilter /etc/firejail/tcpserver.net,9001
#net br0
dns 1.1.1.1
#ip 10.10.20.55
#ip 10.0.2.11

no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo

#protocol unix,inet,inet6,netlink
#protocol unix,inet,netlink
seccomp
seccomp.block-secondary
#shell none

disable-mnt

private-bin php-fpm,php*

private-cache
private-dev


dbus-user none
dbus-system none

# deterministic-shutdown
#memory-deny-write-execute
#read-only /
#read-write /tmp
##writable-run-user
# writable-var
# writable-var-log
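One way to catch this profile mistake before deploying, as an added example that is not part of the issue or of the Firejail project: a small Python linter that flags an active `netfilter` (or `netfilter6`) line in a profile that has no uncommented `net <interface>` line. That is the condition behind the quoted error, since Firejail only applies the filter inside a sandbox that gets its own network namespace, and without it the sandboxed process keeps the host's unrestricted view of the network. The two profile excerpts are constructed from the profile posted above, one as posted (`#net br0` commented out) and one with the namespace enabled.

```python
"""Lint a Firejail profile for a `netfilter` directive that can never take effect.

Added example, not part of the issue or of the Firejail project. Rule encoded:
`netfilter` only applies when the profile also creates a network namespace with
an uncommented `net <interface>` line (for example `net br0`). If `net` stays
commented out, the sandbox runs in the host's namespace and the filter is unused.
"""
import re

# Constructed sample: the relevant fragment of the profile posted in the issue.
PROFILE_FROM_ISSUE = """\
apparmor
caps.drop all
netfilter /etc/firejail/tcpserver.net,9001
#net br0
dns 1.1.1.1
#ip 10.10.20.55
seccomp
"""

# Constructed sample: the same fragment with the network namespace enabled.
PROFILE_FIXED = """\
apparmor
caps.drop all
netfilter /etc/firejail/tcpserver.net,9001
net br0
ip 10.10.20.55
dns 1.1.1.1
seccomp
"""

# `net br0`, `net eth0`, ... (requires whitespace after `net`, so `netfilter` does not match)
NET_RE = re.compile(r"^net\s+(\S+)")
# `netfilter`, `netfilter6`, `netfilter <file>[,args]`
NETFILTER_RE = re.compile(r"^netfilter6?(\s|$)")


def active_lines(profile: str):
    """Yield (line_number, text) for lines that are neither blank nor `#` comments."""
    for number, raw in enumerate(profile.splitlines(), start=1):
        text = raw.strip()
        if text and not text.startswith("#"):
            yield number, text


def lint_netfilter(profile: str) -> list[str]:
    """Return findings for netfilter lines that cannot take effect; empty list if consistent."""
    net_interfaces = []
    netfilter_lines = []
    for number, text in active_lines(profile):
        match = NET_RE.match(text)
        if match:
            net_interfaces.append(match.group(1))
        if NETFILTER_RE.match(text):
            netfilter_lines.append(number)

    if netfilter_lines and not net_interfaces:
        return [
            f"line {number}: netfilter has no effect because the profile never creates "
            "a network namespace (no uncommented `net <interface>` line)"
            for number in netfilter_lines
        ]
    return []


if __name__ == "__main__":
    for name, text in (("as posted", PROFILE_FROM_ISSUE), ("with net br0", PROFILE_FIXED)):
        findings = lint_netfilter(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Run it over the host's profile files (for example the contents of `/etc/firejail/*.profile` and the matching `*.local` files) before restarting a service under Firejail; a finding means the filter in that profile is dead configuration rather than a control.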

Metadata


    Labels

networking: Issues related to networking features (--net=, etc)
notabug: The behavior is as intended or the issue was caused by user error or by an old version
