Cannot access localhost services with --net

[YorkZ]

Hello Firejail Team,

I'm encountering an issue with Firejail that I'm hoping to get some insights into. I have a service running on my local system, accessible at http://localhost:4001. When running a curl command within Firejail without network namespace isolation, it works as expected. However, when I use the --net option to specify a network interface, the curl command can no longer access the localhost service.

Here's the summary of the command behavior:

• Working Command (without network namespace isolation):

firejail curl http://localhost:4001

• Not Working Command (with network namespace isolation):

firejail --net=<ETHERNET INTERFACE> curl http://localhost:4001

The expected behavior was that the curl command would be able to access the localhost service in both scenarios, but it appears that the --net option is causing some isolation beyond what I anticipated.

Could you please provide some guidance or suggestions on why this might be happening and how to configure Firejail to allow access to localhost services while using the --net option? I'm looking to maintain network isolation for the sandboxed applications but still need them to interact with certain local services.

Thank you in advance for your assistance!

Best regards,

York

[rusty-snake]

Search and Find: #108

TL;DR: Every network namespace has its own loopback interface. So 127.0.0.1 in the sandbox (network namespace) is not 127.0.0.1 outside of the sandbox (host's network namespace). And 10.0.0.1 inside the sandbox can be routed complete elsewhere as it would on the host. You have a unshared network namespace. The same is true for docker/podman and other tools.

Theoretical solutions are (Layer 4) port-forwarding or (Layer 3) access it over a private network you span between the host and the sandbox or access it over the public/external IP or forward using your firewall in different way.