If some command needs network access, most likely it wants HTTP(S) access. We can provide a netfilter configuration to firejail that only allows traffic to ports 80/443, so that things like memcached are still protected.
firejail comes with /etc/firejail/webserver.net, which is a filter that only allows port 80 and 443 traffic. However we also need to set up a network device, and I don't think firejail can do that by itself.
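The filter file and invocation described above, as an added example that is not part of the task or of firejail's own shipped profiles. firejail's `--netfilter` option takes a ruleset in iptables-save format (the same format as the files under /etc/firejail/); this one differs from webserver.net in that it restricts outbound connections from the sandboxed command rather than inbound ones to a server. The interface name `eth0` and the file path are assumptions for the host running it.

```shell
#!/bin/sh
# Added example, not from the task: generate an iptables-save style
# netfilter file for firejail that permits only outbound TCP 80/443.

# write_http_only_filter FILE: write the ruleset to FILE.
write_http_only_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays usable inside the sandbox's network namespace
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the sandboxed process itself opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only new outbound connections allowed: HTTP and HTTPS
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# count_open_ports FILE: number of OUTPUT rules that open a destination
# port; a quick check that nothing beyond 80/443 crept into the file.
count_open_ports() {
    grep -c -- '^-A OUTPUT .*--dport' "$1"
}

# run_http_only IFACE FILE CMD...: run CMD under firejail with its own
# network stack (a macvlan interface on IFACE, which is what --net=IFACE
# creates) and the filter applied inside that namespace.
run_http_only() {
    iface=$1; filter=$2; shift 2
    firejail --net="$iface" --netfilter="$filter" -- "$@"
}

# Example usage (interface name is an assumption for this host):
#   write_http_only_filter /tmp/http-only.net
#   run_http_only eth0 /tmp/http-only.net curl -sI https://example.org
```

Because the OUTPUT policy is DROP, the sandboxed command cannot reach a resolver on port 53 either, so it must be given addresses rather than hostnames or the ruleset must be extended with a port 53 rule for the resolver you trust. The `--net=IFACE` part is what supplies the separate network device the comment above notes firejail needs for a netfilter ruleset to apply.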
This is stalled on finding a command that actually needs only HTTP(S) network traffic.