Category Archives: How To

Ars Technica: How to build your own VPN if you’re (rightfully) wary of commercial options

In the wake of this spring’s Senate ruling nixing FCC privacy regulations imposed on ISPs, you may be (even more) worried about how your data is used, misused, and abused. There have been a lot of opinions on this topic since, ranging from “the sky is falling” to “move along, citizen, nothing to see here.” The fact is, ISPs tend to be pretty unscrupulous, sometimes even ruthless, about how they gather and use their customers’ data. You may not be sure how it’s a problem if your ISP gives advertisers more info to serve ads you’d like to see—but what about when your ISP literally edits your HTTP traffic, inserting more ads and possibly breaking webpages?

With a Congress that has demonstrated its lack of interest in protecting you from your ISP, and ISPs that have repeatedly demonstrated a “whatever-we-can-get-away-with” attitude toward customers’ data privacy and integrity, it may be time to look into how to get your data out from under your ISP’s prying eyes and grubby fingers intact. To do that, you’ll need a VPN.

Linux Mint Sandboxing Guide

 
 

Firejail is an easy to use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications using seccomp-bpf and Linux namespaces.

The first seccomp/namespaces sandbox was built by Google for Chromium browser. It was released in 2012, replacing their existing SELinux sandbox. Shiny new technology, the sandbox flew under the radar gaining market share. By 2014 when Firejail project was started, Chromium browser was already running on 50% of Linux desktops. Today there are a small number of projects sandboxing browsers and other desktop applications using seccomp/namespaces technology. We are proud to be one of them.

From the beginning we realized the contradiction between security and comfort, and we made ease of use one of our main goals. We managed to achieve this goal without sacrificing the security functionality. We provide:

  • a simple method to start the sandbox from command line – prefix your application name with “firejail”, e.g. “firejail firefox”
  • full desktop integration – applications are sandboxed automatically when started by clicking on icons in file manager or desktop manager menus
  • an intuitive syntax for building advanced security profiles
     

Our focus is GUI application sandboxing, with web browsers being the main target. The sandbox denies access to private files in user’s home directory. Inside the sandbox, Downloads directory and the browser configuration files are real, everything else is stored in a temporary filesystem and later discarded:

Only Downloads directory is visible inside a sandboxed Firefox browser.

This guide describes the steps necessary to install and configure Firejail sandbox on Linux Mint. Both Cinnamon and MATE desktop environments are supported. We provide similar support for all desktop managers.


Joris_VR: Running Steam in Firejail on Debian

Running Steam in Firejail


I figured out how to install Steam on Debian 8 (jessie). Not a big deal; lots of people have figured it out. In fact, Steam is available as a non-free Debian package.

However, I prefer to install Steam manually and run it inside Firejail. This article is a reminder to myself, in case I forget how I did it.

Hopefully this information will also be useful to someone else. But I guarantee nothing. This procedure works for me, on my computer, with the few games that I tested. It may or may not work for you.

Linux Mint: Firejail as security sandbox for your programs

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike.

OSTechNix: How To Improve The Linux System’s Security Using Firejail

Starting a networked sandbox


As you already know, the Linux kernel is secure by default. But that doesn’t mean that the software on a Linux system is completely secure. For example, there is a possibility that add-ons in your web browser may cause serious security issues. While you are doing financial transactions over the internet, a key logger may be active in the browser without your being aware of it. Even though we can’t give our Linux box completely bullet-proof security, we can still add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID upon execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

In this brief tutorial, we will discuss how to install Firejail and use it to improve the Linux system’s security.

Into The Void: Firejail with Tor HOWTO

A few years ago I created a set of scripts to start applications inside a Linux namespace and automatically “Tor-ify” their network traffic. The main reason behind this effort was to provide some isolation and Tor support for applications that don’t have socks5 support, for example claws-mail. While this worked, it was hard to keep adding sandboxing features like the ones firejail already provided. So I decided to take a look at how I could automatically send/receive traffic from a firejail-ed application through Tor.

Route Reflector Labs: Running Wireshark in a jail/sandbox

Wireshark running in a Firejail sandbox


Firejail is a powerful tool which can be used to sandbox a lot of applications. By default Firejail provides profiles for Chrome, Firefox, Telegram and other famous applications. Wireshark is still missing.

We want to limit the interfaces a user can sniff. To be more specific, we want users to capture from bridge interfaces only.