netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

DNS problem with "--net=eth0" #6373

Closed daedalus-rwx closed 5 months ago

daedalus-rwx commented 5 months ago

Description

The jail doesn't access the internet due to DNS problems. The problems appear to be related to the system's "resolvectl" service.

Steps to Reproduce

$ firejail --noprofile --net=eth0 /bin/bash

Inside the jail: tests --> results

$ IF=$(ip -o link show | awk -F': ' '/: eth/{print $2; exit}' | cut -d'@' -f1)    # network namespace interface name with pid suffix (e.g.: eth0-1234)

$ resolvectl query bbc.co.uk        # --> OK
$ resolvectl query bbc.co.uk -i $IF # --> OK
$ host bbc.co.uk            # --> error 
$ ping -I $IF -c 2 -q bbc.co.uk     # --> error
$ dig bbc.co.uk             # --> error (connection refused)
$ dig bbc.co.uk @1.1.1.1        # --> error (timeout - no servers could be reached)
$ dig bbc.co.uk @8.8.8.8        # --> error (timeout - no servers could be reached)
$ nslookup bbc.co.uk            # --> error (connection refused)
$ tracepath -b bbc.co.uk        # --> error

Out of the jail

on system shell: tests --> results

$ IF=$(ip -o link show | awk -F': ' '/: eth/{print $2; exit}' | cut -d'@' -f1)      # network interface name (e.g.: eth0)

$ resolvectl query bbc.co.uk            # --> OK
$ resolvectl query bbc.co.uk -i $IF     # --> OK
$ host bbc.co.uk                # --> OK
$ ping -I $IF -c 2 -q bbc.co.uk         # --> OK
$ dig bbc.co.uk                 # --> OK
$ dig bbc.co.uk @1.1.1.1            # --> OK
$ dig bbc.co.uk @8.8.8.8            # --> OK
$ nslookup bbc.co.uk                # --> OK
$ tracepath -b bbc.co.uk            # --> OK

Additional context 01

$ firejail --profile=firefox --net=eth0 /bin/bash

Inside the jail with firefox profile: tests --> results

$ IF=$(ip -o link show | awk -F': ' '/: eth/{print $2; exit}' | cut -d'@' -f1)     # network namespace interface name with pid suffix (e.g.: eth0-1234)

$ resolvectl query bbc.co.uk            # --> error (permission denied)
$ resolvectl query bbc.co.uk -i $IF     # --> error (permission denied)
$ host bbc.co.uk                # --> error (permission denied)
$ ping -I $IF -c 2 -q bbc.co.uk         # --> error (operation not permitted)
$ dig bbc.co.uk                 # --> error (permission denied)
$ dig bbc.co.uk @1.1.1.1            # --> error (permission denied)
$ dig bbc.co.uk @8.8.8.8            # --> error (permission denied)
$ nslookup bbc.co.uk                # --> error (permission denied)
$ tracepath -b bbc.co.uk            # --> error (Temporary failure in name resolution)

Additional context 02

$ firejail --noprofile /bin/bash

Inside the jail without --net=eth0: tests --> results

$ IF=$(ip -o link show | awk -F': ' '/: eth/{print $2; exit}' | cut -d'@' -f1)   # network namespace interface name with pid suffix (e.g.: eth0-1234)

$ resolvectl query bbc.co.uk            # --> OK
$ resolvectl query bbc.co.uk -i $IF     # --> OK
$ host bbc.co.uk                # --> OK
$ ping -I $IF -c 2 -q bbc.co.uk         # --> OK
$ dig bbc.co.uk                 # --> OK
$ dig bbc.co.uk @1.1.1.1            # --> OK
$ dig bbc.co.uk @8.8.8.8            # --> OK
$ nslookup bbc.co.uk                # --> OK
$ tracepath -b bbc.co.uk            # --> OK

Environment

Checklist
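The pattern in the report above (resolvectl OK, dig/host/nslookup "connection refused") is what a resolv.conf pointing at the systemd-resolved stub looks like from inside a network namespace: a `--net=` jail gets its own loopback, so the host's stub listener on 127.0.0.53 is not there, while resolvectl keeps working because it talks to resolved over D-Bus, which the network namespace does not isolate. The script below is an added diagnostic, not code from the issue or from firejail; its function names are its own, and the resolv.conf contents it is tested against are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or from firejail): classify the
# nameservers in a resolv.conf by whether a --net= jail can reach them.
# A --net= jail lives in a new network namespace with its own loopback, so
# a "nameserver 127.0.0.53" entry (the systemd-resolved stub) yields
# "connection refused" there, exactly as in the report.

# is_loopback_stub ADDR -> 0 if ADDR is a loopback address (127.0.0.0/8 or ::1)
is_loopback_stub() {
    case $1 in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_resolv_conf FILE
#   Prints one verdict line per "nameserver" entry.  Returns 0 when at least
#   one nameserver is reachable from inside a fresh network namespace, 1 when
#   every nameserver is a loopback stub, 2 when the file lists none.
check_resolv_conf() {
    file=$1
    total=0
    stubs=0
    while read -r key val rest; do
        [ "$key" = "nameserver" ] || continue
        total=$((total + 1))
        if is_loopback_stub "$val"; then
            stubs=$((stubs + 1))
            echo "stub      $val  (loopback: not reachable from a --net= jail)"
        else
            echo "upstream  $val  (routable: usable from the jail)"
        fi
    done < "$file"
    if [ "$total" -eq 0 ]; then
        echo "no nameserver entries in $file"
        return 2
    fi
    [ "$stubs" -lt "$total" ]
}

# dns_flags "ADDR ADDR ..." -> firejail --dns= options for the first four
#   addresses (the thread notes that --dns= takes up to four servers); these
#   replace the jail's /etc/resolv.conf so the stub is never consulted.
dns_flags() {
    out=""
    n=0
    for a in $1; do
        n=$((n + 1))
        [ "$n" -le 4 ] || break
        out="$out --dns=$a"
    done
    echo "${out# }"
}

# Usage (inside the jail):  sh resolv-check.sh /etc/resolv.conf
# Then, on the host:        firejail --noprofile --net=eth0 $(dns_flags "8.8.8.8 8.8.4.4") /bin/bash
if [ "$#" -gt 0 ]; then
    check_resolv_conf "$1"
    exit $?
fi
```

Run it inside the jail against /etc/resolv.conf: a non-zero exit with only "stub" lines means glibc resolution (host, dig, nslookup, ping) cannot work, and the jail needs either `--dns=` with routable servers or D-Bus access to resolved for programs that use nss-resolve, as the later replies in this thread describe.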

glitsj16 commented 5 months ago

Firejail version 0.9.66

0.9.66 is no longer supported nor safe to use. Follow the ubuntu install instructions and upgrade ASAP.

daedalus-rwx commented 5 months ago

0.9.66 is no longer supported nor safe to use. Follow the ubuntu install instructions and upgrade ASAP.

Thanks for the quick response.

Updated to version 0.9.72. The problem persists in the same way as described.

glitsj16 commented 5 months ago

I don't have ethernet on my laptop, and I don't use systemd-resolved. Firejail's --dns= feature is incompatible with it. Other than that the below works fine using the wi-fi interface:

$ firejail --noprofile --net=wlp2s0 --ip=192.168.0.80 --dns=1.1.1.1 /bin/bash

Note: the --dns= feature is not supported on systemd-resolved setups.

rusty-snake commented 5 months ago

firejail --noprofile --net=eth0 /bin/bash

If you use nss-resolve, DNS will work in most programs if you allow access to the resolved D-Bus API. Alternatively you could also give your system a more network namespace friendly DNS setup.

daedalus-rwx commented 5 months ago

Using Bridge in Firejail

Step-by-step to enable internet within the jail.

[!note] This network configuration requires setting restricted-network no (as opposed to the default yes). This is found in /etc/firejail/firejail.config.

This bridge configuration allows a jailed application to access the internet. For this, an exclusive and dedicated network is created for the jail, completely separated from the host network, through the network namespace functionality used by firejail.

The communication of the network namespace created by the jail with the host's standard network is done through a bridge interface. The system will need to be configured to enable IPv4 packet forwarding, so that a NAT (network address translation) can then forward the packets appropriately, making the packets originating from the bridge network exit through the host's main internet interface, in a masked way.

Tested on an Ubuntu 22.04 system with a Vanilla installation.

Preparations

  1. Identify the main interface on the host that has internet access. This can be done using ip a. In this example, the interface with internet access is: eth0

  2. Define a network address (or subnet) different from the host. In this example, the 10.10.20.0/24 network is different from the network used in eth0. Thus, the free and chosen IP for the bridge is: 10.10.20.1/24

  3. Define a name for the bridge. The name of the bridge will be: br-jail

On the host

  1. Create a bridge interface.

    $ sudo ip link add br-jail type bridge
    $ sudo ip link set br-jail up
  2. Assign a different network from the host.

    $ sudo ip addr add 10.10.20.1/24 dev br-jail
  3. Firewall: Before enabling IPv4 forwarding in the system

    $ sudo ufw enable
    $ sudo iptables -P FORWARD DROP
    $ sudo iptables -A FORWARD -i br-jail -s 10.10.20.0/24 -o eth0 -j ACCEPT

This step activates the firewall permanently. Then, it sets the default packet forwarding policy to DENY (DROP) and creates an exclusive exception for br-jail with origin in the 10.10.20.0/24 network. These configurations are lost when the system restarts.

[!note] The current step aims to reinforce security before enabling packet forwarding in the system. The next step enables packet forwarding by the system.

  4. Enable packet forwarding in the system

    $ sudo sysctl -w net.ipv4.ip_forward=1
  5. NAT for packets originating from the bridge network to exit through eth0

    $ sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/24 -j MASQUERADE

Start firejail

$ firejail --noprofile --net=br-jail --dns=8.8.8.8 --dns=8.8.4.4 /bin/bash

At this point, it is necessary to ensure the DNS configuration for the jail. The --dns= functionality of firejail overlays the /etc/resolv.conf file inside the jail with up to 4 DNS servers. This ensures that the jail does not use the standard DNS resolution of Ubuntu, via systemd-resolved (internal server), making resolvectl status settings ineffective within the jail.

Inside the jail - Connectivity test

$ IF=$(ip -o link show | awk -F': ' '/: eth/{print $2; exit}' | cut -d'@' -f1)      # network interface name (e.g.: eth0)

$ resolvectl query bbc.co.uk            # --> OK
$ resolvectl query bbc.co.uk -i $IF     # --> OK
$ host bbc.co.uk                # --> OK
$ ping -I $IF -c 2 -q bbc.co.uk         # --> OK
$ dig bbc.co.uk                 # --> OK
$ dig bbc.co.uk @1.1.1.1            # --> OK
$ dig bbc.co.uk @8.8.8.8            # --> OK
$ nslookup bbc.co.uk                # --> OK
$ tracepath -b bbc.co.uk            # --> OK

[!warning] Firewall: The settings in step 3 can be made permanent using:

sudo ufw enable
sudo ufw default deny forward
sudo ufw route allow in on br-jail from 10.10.20.0/24 out on eth0   # bridge name and subnet from step 2

[!warning] Permanence: Except for the sudo ufw enable command in step 3, all other configurations (ip, iptables, and sysctl) are temporary and will disappear when the system restarts.
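The bridge and NAT recipe above, as one script with an up/down pair, a dry-run mode and a subnet computation from the bridge address. This is an added example, not part of the issue or of firejail: the interface, bridge and address values are the comment's (eth0, br-jail, 10.10.20.1/24), while the function names, the DRY_RUN switch, the firejail.config check and the return-path conntrack rule are this script's own. That return-path rule matters when ufw is not in use: `iptables -P FORWARD DROP` also drops the replies coming back from eth0 towards the bridge, and the comment's setup only works because `ufw enable` installs a RELATED,ESTABLISHED accept in its own forward chain.

```shell
#!/bin/sh
# Added example (not from the issue or from firejail): bring the jail bridge
# up or down.  Values from the comment: eth0, br-jail, 10.10.20.1/24.
#
#   sudo sh jailnet.sh up   eth0 br-jail 10.10.20.1/24
#   sudo sh jailnet.sh down eth0 br-jail 10.10.20.1/24
#   DRY_RUN=1 sh jailnet.sh up eth0 br-jail 10.10.20.1/24   # print commands only

# run CMD...: execute, or just print the command when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# network_of ADDR/LEN -> the network prefix, e.g. 10.10.20.1/24 -> 10.10.20.0/24
network_of() {
    addr4=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;; esac
    [ "$len" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    IFS=. read -r a b c d <<EOF
$addr4
EOF
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    n=$(( ((a << 24) | (b << 16) | (c << 8) | d) & mask ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$len"
}

# restricted_network FILE -> effective value of "restricted-network" in
#   firejail.config ("yes", the upstream default, when the key is absent or commented)
restricted_network() {
    v=""
    [ -r "$1" ] && v=$(sed -n 's/^[[:space:]]*restricted-network[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${v:-yes}"
}

# up WAN BRIDGE ADDR/LEN: bridge, forwarding rules, ip_forward, masquerade
up() {
    wan=$1; br=$2; addr=$3
    net=$(network_of "$addr") || return 1
    if [ "$(restricted_network /etc/firejail/firejail.config)" = "yes" ]; then
        echo "warning: restricted-network is yes (or unset) in /etc/firejail/firejail.config;" \
             "regular users will be refused --net=$br until it is set to no" >&2
    fi
    run ip link add "$br" type bridge
    run ip link set "$br" up
    run ip addr add "$addr" dev "$br"
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$br" -s "$net" -o "$wan" -j ACCEPT
    # return path (added here; ufw's default chains provide this in the comment's setup)
    run iptables -A FORWARD -i "$wan" -o "$br" -d "$net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$net" -j MASQUERADE
}

# down WAN BRIDGE ADDR/LEN: remove the rules and the bridge (ip_forward is left as is)
down() {
    wan=$1; br=$2; addr=$3
    net=$(network_of "$addr") || return 1
    run iptables -t nat -D POSTROUTING -o "$wan" -s "$net" -j MASQUERADE
    run iptables -D FORWARD -i "$wan" -o "$br" -d "$net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$br" -s "$net" -o "$wan" -j ACCEPT
    run ip link del "$br"
}

case ${1:-} in
    up|down)
        cmd=$1; shift
        [ "$#" -eq 3 ] || { echo "usage: $0 up|down WAN BRIDGE ADDR/LEN" >&2; exit 2; }
        "$cmd" "$@" ;;
    "") ;;   # no arguments: only define the functions
    *)  echo "usage: $0 up|down WAN BRIDGE ADDR/LEN" >&2; exit 2 ;;
esac
```

After `up`, the comment's command `firejail --noprofile --net=br-jail --dns=8.8.8.8 --dns=8.8.4.4 /bin/bash` gives the jail its own address on 10.10.20.0/24 with routable resolvers. Like the comment's ip, iptables and sysctl lines, nothing this script does survives a reboot; the ufw route lines in the warning above are the persistent form of the FORWARD policy and exception.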

daedalus-rwx commented 5 months ago

(...) Alternatively you could also give your system a more network namespace friendly DNS setup.

Is this configuration in accordance with the alternative?

rusty-snake commented 5 months ago

This network configuration requires setting restricted-network no (as opposed to the default yes). This is found in /etc/firejail/firejail.config.

The upstream default is yes. However some distros (Debian) change the default in their packages.

This ensures that the jail does not use the standard DNS resolution of Ubuntu, via systemd-resolved (internal server), making resolvectl status settings ineffective within the jail.

Maybe this depends also on nsswitch.conf.

daedalus-rwx commented 5 months ago

Thank you very much, everyone. And thank you for your work on this project.