# Do you run Firefox inside a jail ?



## john_rambo (May 2, 2021)

When I was using Linux I used a sandbox tool called Firejail. I was using almost all network facing apps inside firejail sandbox.
When I tried to find an Firejail alternative for GhostBSD/FreeBSD I found this >> click here.

I am at the moment using Firefox without any sandbox. Is that bad for security ?
Should I run Firefox inside a jail ?


----------



## zirias@ (May 2, 2021)

Do you *expect* to be attacked exploiting your browser? Then, running it in a jail will make sure to contain the damage to that very jail. So, sure, this is somehow "more secure" just for adding yet another layer of defense. And setting up a jail isn't rocket science with FreeBSD, jails have been a functionality of the OS for ages. But it comes at a price as well: Running your browser jailed renders it impossible to access anything outside that jail (which, of course, is the whole point of it).

JFTR, I don't do anything like this. I decided for myself following updates closely is "secure enough" for me.


----------



## john_rambo (May 2, 2021)

Zirias said:


> Do you *expect* to be attacked exploiting your browser? Then, running it in a jail will make sure to contain the damage to that very jail. So, sure, this is somehow "more secure" just for adding yet another layer of defense. And setting up a jail isn't rocket science with FreeBSD, jails have been a functionality of the OS for ages. But it comes at a price as well: Running your browser jailed renders it impossible to access anything outside that jail (which, of course, is the whole point of it).
> 
> JFTR, I don't do anything like this. I decided for myself following updates closely is "secure enough" for me.


One nice feature of Firejail is that the in the default profile for Firefox the /home/username/Downloads folder is whitelisted so if the user wants to download or upload a file he can use the Downloads folder.

I check for updates everyday & install them as soon as they are offered. Thanks.


----------



## fraxamo (May 2, 2021)

john_rambo said:


> I check for updates everyday & install them as soon as they are offered


Microsoft has 'Update Tuesdays', I have 'Update Sundays' 
There's no harm checking for updates every day, but it might be overkill. Once a week, on a schedule is probably good enough.


----------



## john_rambo (May 2, 2021)

fraxamo said:


> Microsoft has 'Update Tuesdays', I have 'Update Sundays'
> There's no harm checking for updates every day, but it might be overkill. Once a week, on a schedule is probably good enough.


Agreed but the thing is since I am using 4G internet connection my daily limit is 3GB so I want to avoid the situation where I have to download a lot of updates in one day because if I do that I cant stream Youtube for very long for that particular day. The data gets "reset" every night at 12:00 am.


----------



## zirias@ (May 2, 2021)

john_rambo said:


> One nice feature of Firejail is that the in the default profile for Firefox the /home/username/Downloads folder is whitelisted so if the user wants to download or upload a file he can use the Downloads folder.


You can easily implement something like this in a FreeBSD jail using nullfs(5). The key question is always: is it worth the hassle? Security is never a state (you can't buy security off-stock). You have to make your own, ideally informed, decisions. Again, I'm fine with browsers running non-jailed and I take care of updating them as quickly as I can.


----------



## kpedersen (May 2, 2021)

I tend to run Firefox (and Chromium) in a Jail. Obviously the additional layer of security is useful for security but mostly it also means that I can continue using my offline mirror of slightly outdated (but deterministic) packages for the main system and only keep the browser in the jail on the permanant treadmill of updates.

Then when an update breaks (rare but it happens), I can just wipe the jail and start from scratch without disturbing the rest of the system.


----------



## shkhln (May 2, 2021)

There is https://bugzilla.mozilla.org/show_bug.cgi?id=1607980, although it doesn't look actively worked on.


----------



## chrbr (May 2, 2021)

Dear john_rambo,
you might like this howtodo:








						How To: Execute Firefox in a jail using iocage and ssh/jailme
					

Motivations  The main reason to put a browser in a jail is quite simple : browsers cannot be trusted. They are too much exposed. Executing a browser inside a jail is a way to be sure that the damages induced by a malicious software are contained (as much as possible). I decided to write this...




					forums.freebsd.org


----------



## john_rambo (May 2, 2021)

chrbr said:


> Dear john_rambo,
> you might like this howtodo:
> 
> 
> ...


There's a problem. In that tutorial the user is using PF. I am using GhostBSD which uses IPFW.


----------



## chrbr (May 2, 2021)

If it is about NAT, it is also possible to do NAT with IPFW. But I am not sure how to do so. Please have a look at the FreeBSD Handbook. I am sure that it is in. There are two additional options.

You can assign the jail an IP adress of your "normal" interface to your router, assumed your setup is this kind of standard setup. If your router has 192.1.68.0.1 your host could have 192.168.0.2 and the jail for example 192.168.0.3. This sounds strange but it works nicely.
You can run proxies on the hosts which listen on lo1 and forward the information. I use www/squid for the http stuff and dns/unbound for DNS. One advantage is that you can see what is going on in the proxies log files.
To do a first step I think the option 1. should be the easiest path.


----------



## Deleted member 30996 (May 3, 2021)

No. I disable JS globally with the NoScript extension. That's the most important thing you can do to avoid being exploited while browsing IMO.


----------



## john_rambo (May 3, 2021)

Trihexagonal said:


> No. I disable JS globally with the NoScript extension. That's the most important thing you can do to avoid being exploited while browsing IMO.


I too tried noscript some years back. Almost 8 out of 10 pages broke. Whitelisting page after page was really tiresome so I gave up.


----------



## Deleted member 30996 (May 4, 2021)

john_rambo said:


> I too tried noscript some years back. Almost 8 out of 10 pages broke. Whitelisting page after page was really tiresome so I gave up.


That's too bad.

I would not feel safe as I do, or be as safe, if I allowed JS to run globally and it's never too much work for me to look at the scripts that want to run and allow only the ones that need to run fo minimal site functionality. After looking at them for a while I can usually tell by the name of the script if it needs to run or not. 

They never picked up my contract for spokesman so they can do their own talking from here on out:



> The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
> 
> NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.
> 
> NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no loss of functionality...


----------



## john_rambo (May 4, 2021)

Trihexagonal 
After reading what you wrote I just installed Noscript again. If Nosript is so important I will keep using it from now on. Thanks.


----------



## justacurios (May 4, 2021)

I am a Debian user (planning to migrate to FreeBSD soon ) and also have been using firejail for sandboxing Firefox. However, after a bit hassle I made my Firefox working in a jail on FreeBSD. (Ezjail and ssh with X forwarding.) As said, not a rocket science. I don't know how to properly config IPFW NAT. I also used PF but I'm sure someone on here could help you do it easly if you start a topic about. 
However I think you would also be good using it normally with noscript extension. (or even without it if you are an advised user enough.)


----------



## kpedersen (May 4, 2021)

john_rambo said:


> Trihexagonal
> After reading what you wrote I just installed Noscript again. If Nosript is so important I will keep using it from now on. Thanks.


Whilst NoScript is probably the safest option (perhaps 2nd only to disabling Javascript within the browser itself), if you do actually need some Javascript for the services you use to work, then uBlock Origin is probably the second most effective. It basically disallows the loading of anything (including scripts) from known cesspits.


----------



## john_rambo (May 4, 2021)

kpedersen 
I was already using uBlock Origin. Without uBlock Origin browsing the web is a nightmare. I tried for like 10 mins without it & on just one page there was like 20 ads of vulgar nature & a lot of pop ups of the same kind. If a user doesn't install Noscript he wont realize anything. Whatever the damage its all done in background without the knowledge of the user but without uBlock Origin its hell.


----------



## kpedersen (May 4, 2021)

john_rambo said:


> kpedersen
> I was already using uBlock Origin. Without uBlock Origin browsing the web is a nightmare. I tried for like 10 mins without it & on just one page there was like 20 ads of vulgar nature & a lot of pop ups of the same kind.


Hah, I agree. It is easy to foget just how impossibly defective the web is without ublock (origin).
If Google ever finds out a way to make this kind of "poison" blocker less effective it will honestly be the day that the web forks.


----------



## George (May 4, 2021)

Firefox has sandboxing features of its own.
For a detailed overview, see this Wiki.
Unfortunately, they don't work in FreeBSD.
Quoting pkg-message:

```
## Missing features
Some features found on Windows, macOS and Linux are not implemented:
[…]
- Process sandboxing (requires Capsicum backend)
```

I am just a mere laptop user. I don't use jails.


----------

