Red Hat: Benchmarking nftables

[…] To me, the most prominent information to draw from this little experiment is that similar iptables and nftables setups are comparable in performance. Yes, nftables is usually a bit behind, but given that development focus at this point is still on functionality rather than performance, I’m sure this is subject to change in the near future.

Regarding scalability, ipset is a blessing to any iptables setup. Nftables follows the path with its native implementation of sets and takes the concept to a higher level by extending the list of supported data types and allowing it to be used in further applications using (verdict) maps. more

Joris_VR: Running Steam in Firejail on Debian

Running Steam in Firejail


I figured out how to install Steam on Debian 8 (jessie). Not a big deal; lots of people have figured it out. In fact, Steam is available as a non-free Debian package.

However, I prefer to install Steam manually and run it inside Firejail. This article is a reminder to myself, in case I forget how I did it.

Hopefully this information will also be useful to someone else. But I guarantee nothing. This procedure works for me, on my computer, with the few games that I tested. It may or may not work for you. more

Linux Mint: Firejail as security sandbox for your programs

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike. more

OSTechNix: How To Improve The Linux System’s Security Using Firejail

Starting a networked sandbox


As you already know, the Linux kernel is secure by default. But that doesn’t mean that the software on the Linux system is completely secure. For example, there is a possibility that an add-on in your web browser may cause serious security issues. While doing financial transactions over the Internet, a key logger may be active in the browser without you being aware of it. Even though we can’t give bullet-proof security to our Linux box, we can still add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID upon execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

In this brief tutorial, we will discuss how to install Firejail and use it to improve the Linux system’s security. more…

Into The Void: Firejail with Tor HOWTO

A few years ago I created a set of scripts to start applications inside a Linux namespace and automatically “Tor-ify” their network traffic. The main reason behind this effort was to provide some isolation and Tor support for applications that don’t have SOCKS5 support, for example claws-mail. While this worked, it was hard to keep adding sandboxing features like the ones Firejail already provided. So I decided to take a look at how I could automatically send/receive traffic from a Firejail-ed application through Tor. more…

Route Reflector Labs: Running Wireshark in a jail/sandbox

Wireshark running in a Firejail sandbox


Firejail is a powerful tool which can be used to sandbox lots of applications. By default Firejail provides profiles for Chrome, Firefox, Telegram and other well-known applications. Wireshark is still missing.

We want to limit the interfaces a user can sniff. To be more specific, we want users to capture from bridge interfaces only. more…