Hi, many thanks for making this software available, it's an extremely useful tool!
I have been using firejail for a while now on my desktop machine with firefox, thunderbird etc. each running in its own xephyr X11 sandbox, with --net=eth0. Since this type of setup provides a good security boost to probably the most vulnerable components on most people's systems, I'd like to add instructions for using it to my EFI Install Guide on the Gentoo wiki.
However, I understand from the firejail manpage that the --net= option is incompatible with wlan interfaces. Since many users of my guide install to laptops with only WiFi, no Ethernet, my question is this: is there a recommended workaround for these cases? For example, can a tun interface be used in firejail, with packets being forwarded to the wlan via iptables rules, or something similar?
You would need to configure a bridge device and start the sandboxes on that bridge. You will also need to set iptables on the main system to do network address translation between the bridge and your wlan interface. I think if you change eth0 with wlan0 in that script it will work.
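The bridge-plus-NAT setup described in the reply above, as an added example that is not part of the original thread and is not the firejail project's own script. The names `br0` and `wlan0`, the 10.10.20.0/24 subnet and the function names are assumptions.

```shell
#!/bin/sh
# Added example: host-side bridge + NAT for firejail sandboxes behind a WiFi uplink.
# Assumed values (not from the thread): br0, 10.10.20.1/24, 10.10.20.0/24, wlan0.
set -u

# Interface names reach ip/iptables argv, so accept only a conservative
# character set and the kernel's 15-character limit.
valid_ifname() {
  case $1 in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# Shape check only (digits, dots, one slash); ip(8) does the real parsing.
valid_cidr() {
  case $1 in
    *[!0-9./]*|*/*/*) return 1 ;;
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
  esac
  return 1
}

# Print the setup commands, one per line.
# Arguments: bridge name, bridge address, sandbox subnet, uplink interface.
bridge_nat_plan() {
  br=$1 gw=$2 net=$3 wan=$4
  valid_ifname "$br" && valid_ifname "$wan" || return 2
  valid_cidr "$gw" && valid_cidr "$net" || return 2
  [ "$br" != "$wan" ] || return 2
  cat <<EOF
ip link add name $br type bridge
ip addr add $gw dev $br
ip link set $br up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $br -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the plan as root, stopping at the first command that fails.
apply_plan() {
  plan=$(bridge_nat_plan "$@") || return 2
  printf '%s\n' "$plan" | while IFS= read -r cmd; do
    echo "+ $cmd"; $cmd || exit 1
  done
}

# With four arguments the plan is only printed; --apply is needed to change anything.
if [ "${1:-}" = "--apply" ]; then shift; apply_plan "$@"
elif [ $# -eq 4 ]; then bridge_nat_plan "$@"; fi
```

Once the plan has been applied, each sandbox is started on the bridge instead of the wireless interface, for example `firejail --net=br0 firefox`.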