netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

[Question] Does 'netfilter=filename' affect the system firewall, eg UFW #1642

Closed Irvinehimself closed 6 years ago

Irvinehimself commented 6 years ago

As the title states: Does playing around with Firejail netfilters on a per application basis represent a safe way of learning about netfilter rules?

At the moment, I use the default UFW rules

 Default: deny (incoming), allow (outgoing), disabled (routed)

and am loath to experiment with these settings until I have a better understanding of what I am doing.

Thanks Irvine

PS, if you are interested, I have attached zipped profiles for: bsdtar, cower, makepkg, ping and archaudit-report Profiles.zip

SkewedZeppelin commented 6 years ago

I don't think Firejail ever directly interacts with UFW. And afaik UFW is just a fancy bash script to control iptables.

As for learning about iptables, here are some nice writeups:

netblue30 commented 6 years ago

Does 'netfilter=filename' affect the system firewall, eg UFW

No, Firejail doesn't touch your system firewall. It installs a new one in the sandbox if you use --net to start another network namespace. Each network namespace (system or sandbox) has its own firewall.

I'll start bringing in your profiles, thanks.
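To make the answer above concrete, here is an added example (mine, not code from this thread or from the Firejail project). Firejail's `--netfilter=filename` reads rules in iptables-restore syntax, so a per-sandbox firewall is an ordinary text file that only ever gets loaded inside the network namespace `--net` creates. The script below parses such a file and evaluates constructed packets against it in pure Python, which is one way to reason about a rule set before loading it anywhere. The sample file is constructed for this example: it writes the UFW defaults quoted in the question (deny incoming, allow outgoing) in that syntax and is not Firejail's own default filter. The evaluator models only `-p`, `-i`, `-o`, `--dport`, `--icmp-type` and `-m state --state`; anything else is an assumption you would need to add.

```python
"""Parse a Firejail netfilter file (iptables-restore syntax) and evaluate
constructed packets against it, without touching any real firewall."""
from dataclasses import dataclass, field

# Constructed sample file. It expresses the UFW defaults quoted in the
# question (deny incoming, allow outgoing) in the iptables-restore syntax
# that Firejail's --netfilter=filename option reads. It is an example
# written for this post, not Firejail's own default filter.
SAMPLE_NETFILTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the sandbox opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# let the sandbox answer pings
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# example of an outbound restriction: block STUN
-A OUTPUT -p udp --dport 3478 -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    # match criteria keyed by option name, e.g. {"-p": "udp", "--dport": 3478}
    matches: dict = field(default_factory=dict)


def parse_netfilter(text):
    """Return (policies, rules) for the *filter table of an iptables-restore file."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue  # comments, the table header and COMMIT carry no rules
        if line.startswith(":"):
            name, policy, _counters = line[1:].split()
            policies[name] = policy  # chain default policy
            continue
        tokens = line.split()
        if tokens[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule = Rule(chain=tokens[1], target=None)
        i = 2
        while i < len(tokens):
            opt, val = tokens[i], tokens[i + 1]
            if opt == "-j":
                rule.target = val
            elif opt == "-m":
                pass  # match extension loader (e.g. "-m state"); its options follow
            elif opt == "--state":
                rule.matches[opt] = set(val.split(","))
            elif opt == "--dport":
                rule.matches[opt] = int(val)
            else:
                rule.matches[opt] = val  # -p, -i, -o, --icmp-type
            i += 2
        if rule.target is None:
            raise ValueError(f"rule without -j target: {line}")
        rules.append(rule)
    return policies, rules


def _matches(opt, wanted, packet):
    have = packet.get(opt)
    if have is None:
        return False  # packet lacks this attribute, so the rule cannot match it
    if opt == "--state":
        return have in wanted
    return have == wanted


def evaluate(policies, rules, chain, packet):
    """First matching rule in `chain` wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.chain == chain and all(
            _matches(opt, wanted, packet) for opt, wanted in rule.matches.items()
        ):
            return rule.target
    return policies[chain]


def verdicts(text=SAMPLE_NETFILTER):
    """Evaluate a handful of constructed packets against the filter file."""
    policies, rules = parse_netfilter(text)
    cases = {
        "inbound ssh from eth0": ("INPUT", {"-i": "eth0", "-p": "tcp", "--dport": 22, "--state": "NEW"}),
        "inbound on loopback": ("INPUT", {"-i": "lo", "-p": "tcp", "--dport": 8080, "--state": "NEW"}),
        "reply to our own connection": ("INPUT", {"-i": "eth0", "-p": "tcp", "--dport": 51000, "--state": "ESTABLISHED"}),
        "ping request": ("INPUT", {"-i": "eth0", "-p": "icmp", "--icmp-type": "echo-request", "--state": "NEW"}),
        "outbound https": ("OUTPUT", {"-o": "eth0", "-p": "tcp", "--dport": 443, "--state": "NEW"}),
        "outbound stun": ("OUTPUT", {"-o": "eth0", "-p": "udp", "--dport": 3478, "--state": "NEW"}),
    }
    return {name: evaluate(policies, rules, chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:30} -> {verdict}")
```

Because the sandbox gets its own network namespace, the verdicts above describe only what the sandboxed process would see; the host's UFW chains are a separate rule set in the system namespace and are not read or modified by the file.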

netblue30 commented 6 years ago

All merged, thanks.