# Jailing Firefox .....Getting error .... Can't proceed



## john_rambo (Feb 12, 2022)

This is the wiki that I am trying to follow >> https://wiki.freebsd.org/JailingGUIApplications

When I enter the command `bsdinstall jail /zroot/jails/basejail` this happens & I can't proceed





What do I do?
Note: I have tried almost all the mirrors, but the same thing happens.


----------



## grahamperrin@ (Feb 12, 2022)

Hmm. The file does exist, 


```
% curl --list-only ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/ | sort
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   151    0   151    0     0    577      0 --:--:-- --:--:-- --:--:--   578
base-dbg.txz
base.txz
BUILDDATE
GITBRANCH
kernel-dbg.txz
kernel.txz
lib32-dbg.txz
lib32.txz
MANIFEST
ports.txz
REVISION
src.txz
tests.txz
%
```

Does anything here help? 









> **Solved - bsdinstall FTP Permission Denied Error** (forums.freebsd.org)
>
> When I run bsdinstall jail  and select a mirror I get:  Could not download ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/MANIFEST   I click  and and get:  Error while fetching ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/13.0-RELEASE/base.txt Permission denied   I...


----------



## john_rambo (Feb 12, 2022)

grahamperrin 
I tried disabling PF by using `service pf stop` and then I tried `bsdinstall` again, but got the same error.


----------



## grahamperrin@ (Feb 12, 2022)

Thanks. My memory of things such as this (without jails) is fuzzy, but try starting afresh. 

(A fresh start, like rebooting from the installation medium when bsdinstall fails with a real computer.)


IIRC, years ago, neither _Exit_ nor _Restart_ had the required effect. Something like, a restart was not a fresh start (if a failure occurred, then _Restart_ was more like _Refail_) and it was simpler to stop the computer, than to attempt an understanding of the failure.


----------



## T-Daemon (Feb 12, 2022)

john_rambo said:


> When I enter the command `bsdinstall jail /zroot/jails/basejail` this happens & I can't proceed


As the wiki states, you don't necessarily need bsdinstall(8) to populate a jail.


> Here we used the bsdinstall method for convenience. *Otherwise downloading and unpacking base.txz* and configuring it should suffice.


Copy & paste command to terminal.

```
fetch https://download.freebsd.org/releases/amd64/13.0-RELEASE/base.txz ; tar xf base.txz -C /zroot/jails/basejail
```
See also handbook chapter 15.3.1.2. To install a Jail from an ISO.

For future use make base.txz identifiable, rename it to e.g. base-13.0-R.txz.

After the package is extracted update the jail:

```
# env PAGER=cat freebsd-update -b /zroot/jails/basejail fetch install
```

EDIT:

Apropos, there is an easier method to jail www/firefox. Use sysutils/bastille to bootstrap "Jailfox".

Edit Bastillefile to exclude packages like noto-basic noto-emoji noto-extra, those are huge and not absolutely necessary.
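
An added example (not from the thread or the wiki): the `fetch ... ; tar xf ...` one-liner unpacks whatever arrived, so this sketch checks the archive against the MANIFEST file that sits beside base.txz in the release directory before extracting. It assumes MANIFEST's tab-separated layout (file name first, SHA-256 second); the helper names are hypothetical, and the optional last argument covers an archive renamed to something like base-13.0-R.txz.

```shell
#!/bin/sh
# Added example: verify a FreeBSD distribution set against MANIFEST before
# unpacking it into a jail root. Helper names are hypothetical.

# Print the SHA-256 of a file with whichever tool is installed
# (sha256 on FreeBSD, sha256sum on Linux).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# manifest_sha256 MANIFEST NAME: print the digest recorded for NAME,
# fail if NAME is not listed.
manifest_sha256() {
    awk -F '\t' -v name="$2" '
        $1 == name { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# verify_dist MANIFEST FILE [NAME]: succeed only if FILE hashes to the value
# MANIFEST records for NAME (default: FILE's base name).
verify_dist() {
    manifest=$1
    file=$2
    name=${3:-$(basename "$file")}
    want=$(manifest_sha256 "$manifest" "$name") || {
        echo "$name: not listed in $manifest" >&2
        return 1
    }
    got=$(file_sha256 "$file") || return 2
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "$name: SHA-256 mismatch, refusing to use $file" >&2
        return 1
    fi
    echo "$name: OK"
}

# extract_verified MANIFEST FILE DESTDIR [NAME]: unpack only after the check.
extract_verified() {
    verify_dist "$1" "$2" "$4" >/dev/null || return 1
    tar -xf "$2" -C "$3"
}

# Constructed demonstration: a stand-in archive and a MANIFEST built for it.
demo_verify() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/src" "$tmp/jailroot"
    echo "constructed sample" > "$tmp/src/COPYRIGHT"
    tar -cf "$tmp/base.txz" -C "$tmp/src" COPYRIGHT
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        "$(file_sha256 "$tmp/base.txz")" > "$tmp/MANIFEST"

    # A matching archive is extracted.
    extract_verified "$tmp/MANIFEST" "$tmp/base.txz" "$tmp/jailroot" &&
        [ -f "$tmp/jailroot/COPYRIGHT" ] || { rm -rf "$tmp"; return 1; }

    # A modified archive (truncated, corrupted or replaced) is refused.
    echo "extra bytes" >> "$tmp/base.txz"
    if extract_verified "$tmp/MANIFEST" "$tmp/base.txz" "$tmp/jailroot" 2>/dev/null
    then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

demo_verify && echo "demo passed"
```

With real files the call would look like `extract_verified MANIFEST base-13.0-R.txz /zroot/jails/basejail base.txz`.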


----------



## john_rambo (Feb 12, 2022)

T-Daemon

This is what happened


```
root@home:/home/home # fetch https://download.freebsd.org/releases/amd64/13.0-RELEASE/base.txz ; tar xf base.txz -C /zroot/jails/basejail
base.txz                                               180 MB 4621 kBps    40s
root@home:/home/home # zfs snapshot zroot/jails/basejail@latest
root@home:/home/home #  zfs create zroot/jails/firefox
root@home:/home/home # zfs clone zroot/jails/basejail@latest zroot/jails/firefox/root
root@home:/home/home # zfs create zroot/jails/firefox/var
root@home:/home/home # zfs create zroot/jails/firefox/tmp
root@home:/home/home # zfs create zroot/jails/firefox/home
root@home:/home/home # rsync -a /zroot/jails/firefox/root/var/ /zroot/jails/firefox/var/
rsync: Command not found.
root@home:/home/home # pkg install rsync
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    rsync: 3.2.3_1
    xxhash: 0.8.0

Number of packages to be installed: 2

The process will require 1 MiB more space.
428 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching rsync-3.2.3_1.pkg: 100%  355 KiB 363.2kB/s    00:01 
[2/2] Fetching xxhash-0.8.0.pkg: 100%   73 KiB  75.1kB/s    00:01 
Checking integrity... done (0 conflicting)
[1/2] Installing xxhash-0.8.0...
[1/2] Extracting xxhash-0.8.0: 100%
[2/2] Installing rsync-3.2.3_1...
[2/2] Extracting rsync-3.2.3_1: 100%
root@home:/home/home # rsync -a /zroot/jails/firefox/root/var/ /zroot/jails/firefox/var/
root@home:/home/home # zfs set mountpoint=/zroot/jails/firefox/root/var zroot/jails/firefox/var
root@home:/home/home # zfs set mountpoint=/zroot/jails/firefox/root/tmp zroot/jails/firefox/tmp
root@home:/home/home # zfs set mountpoint=/zroot/jails/firefox/root/usr/home zroot/jails/firefox/home
root@home:/home/home # zfs set setuid=off exec=off zroot/jails/firefox/var
root@home:/home/home # zfs set setuid=off exec=off zroot/jails/firefox/tmp
root@home:/home/home # zfs set setuid=off exec=off zroot/jails/firefox/home
root@home:/home/home # zfs set setuid=off exec=off zroot/jails/firefox/home
root@home:/home/home # pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...

^C
root@home:/home/home # pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...
^C
root@home:/home/home # service pf disable
pf disabled in /etc/rc.conf
root@home:/home/home # service pf enable
pf enabled in /etc/rc.conf
root@home:/home/home # service pf stop
Disabling pf.
root@home:/home/home # pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...
pkg: http://pkg.freebsd.org/FreeBSD:13:amd64/quarterly/meta.txz: No address record
repository FreeBSD has no meta file, using default settings
pkg: http://pkg.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.pkg: No address record
pkg: http://pkg.freebsd.org/FreeBSD:13:amd64/quarterly/packagesite.txz: No address record
Unable to update repository FreeBSD
Error updating repositories!
```

How is PF affecting this jail?


```
$ cat /etc/pf.conf
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
```


----------



## T-Daemon (Feb 12, 2022)

john_rambo said:


> Updating FreeBSD repository catalogue...
> pkg: http://pkg.freebsd.org/FreeBSD:13:amd64/quarterly/meta.txz: No address record



Configure inside jail /etc/resolv.conf (copy from host to jail):

jail(8)

```
Configuring the Jail
           ...
           •   Configure /etc/resolv.conf so that name resolution within the
               jail will work correctly.
```


----------



## john_rambo (Feb 12, 2022)

```
# pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
Fetching packagesite.pkg: 100%    6 MiB   3.4MB/s    00:02   
Processing entries: 100%
FreeBSD repository update completed. 31366 packages processed.
All repositories are up to date.
The following 129 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    adwaita-icon-theme: 40.1.1
    aom: 3.2.0_1
    argp-standalone: 1.3_4
    argyllcms: 1.9.2_5
    at-spi2-atk: 2.34.2
    at-spi2-core: 2.36.0
    atk: 2.36.0
    avahi-app: 0.8
    ca_root_nss: 3.71
    cairo: 1.17.4,3
    colord: 1.3.5_1
    cups: 2.3.3op2
    dav1d: 0.9.2
    dbus: 1.12.20_5
    dbus-glib: 0.112
    dejavu: 2.37_1
    desktop-file-utils: 0.26_1
    encodings: 1.0.5,1
    expat: 2.4.3
    ffmpeg: 4.4.1_3,1
    firefox: 96.0.3,2
    font-bh-ttf: 1.0.3_4
    font-misc-ethiopic: 1.0.4
    font-misc-meltho: 1.0.3_4
    fontconfig: 2.13.94_1,1
    freetype2: 2.11.1
    fribidi: 1.0.11
    gdbm: 1.22
    gdk-pixbuf2: 2.40.0
    gettext-runtime: 0.21
    giflib: 5.2.1
    glib: 2.70.2,2
    gmp: 6.2.1
    gnome_subr: 1.0
    gnutls: 3.6.16
    graphite2: 1.3.14
    gsettings-desktop-schemas: 41.0
    gtk-update-icon-cache: 3.24.26_1
    gtk3: 3.24.31
    harfbuzz: 3.2.0
    hicolor-icon-theme: 0.17
    icu: 70.1_1,1
    indexinfo: 0.3.1
    jbigkit: 2.1_1
    jpeg-turbo: 2.1.1_1
    lame: 3.100_3
    lcms2: 2.12
    libICE: 1.0.10,1
    libSM: 1.2.3,1
    libX11: 1.7.2,1
    libXScrnSaver: 1.2.3_2
    libXau: 1.0.9
    libXcomposite: 0.4.5,1
    libXcursor: 1.2.0
    libXdamage: 1.1.5
    libXdmcp: 1.1.3
    libXext: 1.3.4,1
    libXfixes: 6.0.0
    libXft: 2.3.4
    libXi: 1.8,1
    libXinerama: 1.1.4_2,1
    libXmu: 1.1.3,1
    libXrandr: 1.5.2
    libXrender: 0.9.10_2
    libXt: 1.2.1,1
    libXtst: 1.2.3_2
    libXxf86vm: 1.1.4_3
    libass: 0.15.2
    libdaemon: 0.14_1
    libdrm: 2.4.109,1
    libedit: 3.1.20210216,1
    libepoll-shim: 0.0.20210418
    libepoxy: 1.5.9
    liberation-fonts-ttf: 2.1.5,2
    libevent: 2.1.12
    libffi: 3.3_1
    libfontenc: 1.1.4
    libglvnd: 1.4.0
    libiconv: 1.16
    libidn2: 2.3.2
    libogg: 1.3.5,4
    libpaper: 1.1.28
    libpci: 3.7.0_1
    libpciaccess: 0.16
    libpthread-stubs: 0.4
    librsvg2-rust: 2.52.5
    libtasn1: 4.18.0
    libtheora: 1.1.1_7
    libudev-devd: 0.5.0
    libunistring: 0.9.10_1
    libv4l: 1.20.0_2
    libva: 2.13.0_1
    libvdpau: 1.4
    libvorbis: 1.3.7_2,3
    libvpx: 1.11.0
    libx264: 0.163.3060
    libxcb: 1.14_1
    libxkbcommon: 1.3.1
    libxml2: 2.9.12
    mkfontscale: 1.2.1
    mpdecimal: 2.5.1
    nettle: 3.7.3
    nspr: 4.33
    nss: 3.74
    opus: 1.3.1
    p11-kit: 0.24.0
    pango: 1.48.11
    pciids: 20211124
    pcre: 8.45
    pixman: 0.40.0_1
    png: 1.6.37_1
    polkit: 0.120_1
    python38: 3.8.12_1
    readline: 8.1.1
    shared-mime-info: 2.0_2
    spidermonkey78: 78.9.0_4
    sqlite3: 3.35.5_4,1
    tiff: 4.3.0
    tpm-emulator: 0.7.4_2
    trousers: 0.3.14_3
    vmaf: 2.3.0_2
    wayland: 1.20.0
    webp: 1.2.1
    x265: 3.4_2
    xauth: 1.1
    xkeyboard-config: 2.34
    xorg-fonts-truetype: 7.7_1
    xorgproto: 2021.5
    xvid: 1.3.7,1

Number of packages to be installed: 129

The process will require 981 MiB more space.
182 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/129] Fetching firefox-96.0.3,2.pkg: 100%   55 MiB   4.1MB/s    00:14   
[2/129] Fetching xauth-1.1.pkg: 100%   22 KiB  22.7kB/s    00:01   
[3/129] Fetching liberation-fonts-ttf-2.1.5,2.pkg:   6%   96 KiB  98.3kB/s    00[3/129] Fetching liberation-fonts-ttf-2.1.5,2.pkg:  96%    1 MiB   1.3MB/s    00[3/129] Fetching liberation-fonts-ttf-2.1.5,2.pkg: 100%    1 MiB 735.7kB/s    00:02   
[4/129] Fetching pixman-0.40.0_1.pkg: 100%  321 KiB 328.3kB/s    00:01   
[5/129] Fetching libxcb-1.14_1.pkg: 100%    1 MiB 528.0kB/s    00:02   
[6/129] Fetching libXdmcp-1.1.3.pkg: 100%   15 KiB  15.0kB/s    00:01   
[7/129] Fetching xorgproto-2021.5.pkg: 100%  222 KiB 226.9kB/s    00:01   
[8/129] Fetching libXau-1.0.9.pkg: 100%   11 KiB  11.3kB/s    00:01   
[9/129] Fetching libpthread-stubs-0.4.pkg: 100%    2 KiB   2.0kB/s    00:01   
[10/129] Fetching libXrender-0.9.10_2.pkg: 100%   30 KiB  30.8kB/s    00:01   
[11/129] Fetching libX11-1.7.2,1.pkg: 100%    2 MiB 837.6kB/s    00:02   
[12/129] Fetching libXrandr-1.5.2.pkg: 100%   30 KiB  30.9kB/s    00:01   
[13/129] Fetching libXext-1.3.4,1.pkg: 100%   95 KiB  96.8kB/s    00:01   
[14/129] Fetching libXfixes-6.0.0.pkg: 100%   14 KiB  14.5kB/s    00:01   
[15/129] Fetching libXdamage-1.1.5.pkg: 100%    6 KiB   6.6kB/s    00:01   
[16/129] Fetching libXcomposite-0.4.5,1.pkg: 100%   11 KiB  10.8kB/s    00:01   
[17/129] Fetching pango-1.48.11.pkg: 100%    1 MiB 747.8kB/s    00:02   
[18/129] Fetching xorg-fonts-truetype-7.7_1.pkg: 100%    508 B   0.5kB/s    00:01   
[19/129] Fetching font-misc-meltho-1.0.3_4.pkg:  27%  200 KiB 204.8kB/s    00:02[19/129] Fetching font-misc-meltho-1.0.3_4.pkg: 100%  718 KiB 735.4kB/s    00:01   
[20/129] Fetching mkfontscale-1.2.1.pkg: 100%   21 KiB  21.1kB/s    00:01   
[21/129] Fetching libfontenc-1.1.4.pkg: 100%   20 KiB  20.5kB/s    00:01   
[22/129] Fetching freetype2-2.11.1.pkg: 100%    1 MiB   1.1MB/s    00:01   
[23/129] Fetching png-1.6.37_1.pkg: 100%  292 KiB 298.6kB/s    00:01   
[24/129] Fetching fontconfig-2.13.94_1,1.pkg:   8%   40 KiB  41.0kB/s    00:10 E[24/129] Fetching fontconfig-2.13.94_1,1.pkg: 100%  453 KiB 464.2kB/s    00:01   
[25/129] Fetching expat-2.4.3.pkg: 100%  104 KiB 106.2kB/s    00:01   
[26/129] Fetching font-misc-ethiopic-1.0.4.pkg:  75%   96 KiB  98.3kB/s    00:00[26/129] Fetching font-misc-ethiopic-1.0.4.pkg: 100%  127 KiB 130.3kB/s    00:01   
[27/129] Fetching font-bh-ttf-1.0.3_4.pkg: 100%  268 KiB 274.9kB/s    00:01   
[28/129] Fetching encodings-1.0.5,1.pkg: 100%  558 KiB 285.6kB/s    00:02   
[29/129] Fetching dejavu-2.37_1.pkg: 100%    2 MiB   1.3MB/s    00:02   
[30/129] Fetching libXft-2.3.4.pkg: 100%   65 KiB  66.9kB/s    00:01   
[31/129] Fetching harfbuzz-3.2.0.pkg: 100%  836 KiB 428.2kB/s    00:02   
[32/129] Fetching graphite2-1.3.14.pkg: 100%  100 KiB 102.3kB/s    00:01   
[33/129] Fetching glib-2.70.2,2.pkg: 100%    3 MiB   1.7MB/s    00:02   
[34/129] Fetching libxml2-2.9.12.pkg: 100%  831 KiB 851.3kB/s    00:01   
[35/129] Fetching python38-3.8.12_1.pkg: 100%   17 MiB   3.6MB/s    00:05   
[36/129] Fetching mpdecimal-2.5.1.pkg: 100%  322 KiB 329.7kB/s    00:01   
[37/129] Fetching readline-8.1.1.pkg: 100%  360 KiB 369.0kB/s    00:01   
[38/129] Fetching indexinfo-0.3.1.pkg: 100%    6 KiB   5.7kB/s    00:01   
[39/129] Fetching libffi-3.3_1.pkg: 100%   39 KiB  40.1kB/s    00:01   
[40/129] Fetching gettext-runtime-0.21.pkg: 100%  166 KiB 169.9kB/s    00:01   
[41/129] Fetching pcre-8.45.pkg: 100%    1 MiB   1.3MB/s    00:01   
[42/129] Fetching libiconv-1.16.pkg: 100%  608 KiB 622.9kB/s    00:01   
[43/129] Fetching cairo-1.17.4,3.pkg: 100%    1 MiB   1.1MB/s    00:01   
[44/129] Fetching libglvnd-1.4.0.pkg: 100%  339 KiB 347.6kB/s    00:01   
[45/129] Fetching xkeyboard-config-2.34.pkg:  12%   80 KiB  81.9kB/s    00:07 ET[45/129] Fetching xkeyboard-config-2.34.pkg: 100%  648 KiB 663.5kB/s    00:01   
[46/129] Fetching libXxf86vm-1.1.4_3.pkg: 100%   18 KiB  18.4kB/s    00:01   
[47/129] Fetching wayland-1.20.0.pkg: 100%  124 KiB 126.8kB/s    00:01   
[48/129] Fetching libepoll-shim-0.0.20210418.pkg:  71%   16 KiB  16.4kB/s    00:[48/129] Fetching libepoll-shim-0.0.20210418.pkg: 100%   22 KiB  22.8kB/s    00:01   
[49/129] Fetching libdrm-2.4.109,1.pkg: 100%  234 KiB 240.1kB/s    00:01   
[50/129] Fetching libpciaccess-0.16.pkg: 100%   22 KiB  22.3kB/s    00:01   
[51/129] Fetching pciids-20211124.pkg: 100%  223 KiB 228.4kB/s    00:01   
[52/129] Fetching libedit-3.1.20210216,1.pkg:  11%   16 KiB  16.4kB/s    00:07 E[52/129] Fetching libedit-3.1.20210216,1.pkg: 100%  136 KiB 138.9kB/s    00:01   
[53/129] Fetching libepoxy-1.5.9.pkg: 100%  279 KiB 285.4kB/s    00:01   
[54/129] Fetching libudev-devd-0.5.0.pkg: 100%   17 KiB  17.1kB/s    00:01   
[55/129] Fetching fribidi-1.0.11.pkg: 100%   80 KiB  81.6kB/s    00:01   
[56/129] Fetching libXt-1.2.1,1.pkg: 100%  450 KiB 461.1kB/s    00:01   
[57/129] Fetching libSM-1.2.3,1.pkg: 100%   24 KiB  24.5kB/s    00:01   
[58/129] Fetching libICE-1.0.10,1.pkg: 100%   92 KiB  94.3kB/s    00:01   
[59/129] Fetching gtk3-3.24.31.pkg: 100%   11 MiB   2.9MB/s    00:04   
[60/129] Fetching libxkbcommon-1.3.1.pkg: 100%  192 KiB 196.6kB/s    00:01   
[61/129] Fetching libXinerama-1.1.4_2,1.pkg: 100%   11 KiB  10.8kB/s    00:01   
[62/129] Fetching libXi-1.8,1.pkg: 100%  125 KiB 127.5kB/s    00:01   
[63/129] Fetching libXcursor-1.2.0.pkg: 100%   34 KiB  35.2kB/s    00:01   
[64/129] Fetching adwaita-icon-theme-40.1.1.pkg:   0%   40 KiB  41.0kB/s    03:4[64/129] Fetching adwaita-icon-theme-40.1.1.pkg:   4%  408 KiB 376.8kB/s    00:3[64/129] Fetching adwaita-icon-theme-40.1.1.pkg:  34%    3 MiB   2.7MB/s    00:0[64/129] Fetching adwaita-icon-theme-40.1.1.pkg:  84%    7 MiB   4.7MB/s    00:0[64/129] Fetching adwaita-icon-theme-40.1.1.pkg: 100%    9 MiB   2.3MB/s    00:04   
[65/129] Fetching gtk-update-icon-cache-3.24.26_1.pkg:  21%   16 KiB  16.4kB/s  [65/129] Fetching gtk-update-icon-cache-3.24.26_1.pkg: 100%   75 KiB  77.0kB/s    00:01   
[66/129] Fetching gdk-pixbuf2-2.40.0.pkg: 100%  510 KiB 521.9kB/s    00:01   
[67/129] Fetching shared-mime-info-2.0_2.pkg:  26%   96 KiB  98.3kB/s    00:02 E[67/129] Fetching shared-mime-info-2.0_2.pkg: 100%  357 KiB 365.7kB/s    00:01   
[68/129] Fetching tiff-4.3.0.pkg: 100%  847 KiB 433.4kB/s    00:02   
[69/129] Fetching jpeg-turbo-2.1.1_1.pkg: 100%  364 KiB 372.4kB/s    00:01   
[70/129] Fetching jbigkit-2.1_1.pkg: 100%   73 KiB  74.4kB/s    00:01   
[71/129] Fetching atk-2.36.0.pkg: 100%  294 KiB 300.8kB/s    00:01   
[72/129] Fetching cups-2.3.3op2.pkg: 100%    1 MiB   1.5MB/s    00:01   
[73/129] Fetching gnutls-3.6.16.pkg: 100%    2 MiB   1.3MB/s    00:02   
[74/129] Fetching trousers-0.3.14_3.pkg: 100%  476 KiB 486.9kB/s    00:01   
[75/129] Fetching tpm-emulator-0.7.4_2.pkg: 100%  114 KiB 116.4kB/s    00:01   
[76/129] Fetching gmp-6.2.1.pkg: 100%  479 KiB 490.4kB/s    00:01   
[77/129] Fetching p11-kit-0.24.0.pkg: 100%  447 KiB 458.1kB/s    00:01   
[78/129] Fetching libtasn1-4.18.0.pkg: 100%  147 KiB 150.4kB/s    00:01   
[79/129] Fetching ca_root_nss-3.71.pkg: 100%  256 KiB 262.5kB/s    00:01   
[80/129] Fetching nettle-3.7.3.pkg: 100%    1 MiB   1.5MB/s    00:01   
[81/129] Fetching libidn2-2.3.2.pkg: 100%  112 KiB 114.9kB/s    00:01   
[82/129] Fetching libunistring-0.9.10_1.pkg:  29%  152 KiB 155.7kB/s    00:02 ET[82/129] Fetching libunistring-0.9.10_1.pkg: 100%  509 KiB 520.7kB/s    00:01   
[83/129] Fetching libpaper-1.1.28.pkg: 100%   24 KiB  24.4kB/s    00:01   
[84/129] Fetching avahi-app-0.8.pkg: 100%  341 KiB 348.8kB/s    00:01   
[85/129] Fetching gnome_subr-1.0.pkg: 100%    2 KiB   1.8kB/s    00:01   
[86/129] Fetching libevent-2.1.12.pkg: 100%  321 KiB 329.0kB/s    00:01   
[87/129] Fetching libdaemon-0.14_1.pkg: 100%   32 KiB  33.1kB/s    00:01   
[88/129] Fetching dbus-glib-0.112.pkg: 100%  165 KiB 169.2kB/s    00:01   
[89/129] Fetching dbus-1.12.20_5.pkg: 100%  368 KiB 376.8kB/s    00:01   
[90/129] Fetching gdbm-1.22.pkg: 100%  203 KiB 208.2kB/s    00:01   
[91/129] Fetching hicolor-icon-theme-0.17.pkg: 100%   13 KiB  13.7kB/s    00:01   
[92/129] Fetching librsvg2-rust-2.52.5.pkg: 100%    4 MiB   2.2MB/s    00:02   
[93/129] Fetching colord-1.3.5_1.pkg: 100%  589 KiB 603.4kB/s    00:01   
[94/129] Fetching polkit-0.120_1.pkg: 100%  155 KiB 158.3kB/s    00:01   
[95/129] Fetching spidermonkey78-78.9.0_4.pkg:   1%   96 KiB  98.3kB/s    01:14 [95/129] Fetching spidermonkey78-78.9.0_4.pkg:  12%  888 KiB 811.0kB/s    00:12 [95/129] Fetching spidermonkey78-78.9.0_4.pkg:  67%    5 MiB   4.1MB/s    00:00 [95/129] Fetching spidermonkey78-78.9.0_4.pkg: 100%    7 MiB   2.5MB/s    00:03   
[96/129] Fetching nspr-4.33.pkg: 100%  244 KiB 250.4kB/s    00:01   
[97/129] Fetching icu-70.1_1,1.pkg: 100%   11 MiB   2.8MB/s    00:04   
[98/129] Fetching lcms2-2.12.pkg: 100%    2 MiB   1.0MB/s    00:02   
[99/129] Fetching argyllcms-1.9.2_5.pkg: 100%    5 MiB   2.8MB/s    00:02   
[100/129] Fetching libXScrnSaver-1.2.3_2.pkg: 100%   15 KiB  15.5kB/s    00:01   
[101/129] Fetching sqlite3-3.35.5_4,1.pkg: 100%    1 MiB   1.3MB/s    00:01   
[102/129] Fetching gsettings-desktop-schemas-41.0.pkg:  26%  160 KiB 163.8kB/s  [102/129] Fetching gsettings-desktop-schemas-41.0.pkg: 100%  599 KiB 613.5kB/s    00:01   
[103/129] Fetching at-spi2-atk-2.34.2.pkg: 100%   62 KiB  63.3kB/s    00:01   
[104/129] Fetching at-spi2-core-2.36.0.pkg: 100%  188 KiB 192.6kB/s    00:01   
[105/129] Fetching libXtst-1.2.3_2.pkg: 100%   20 KiB  20.8kB/s    00:01   
[106/129] Fetching nss-3.74.pkg: 100%    2 MiB   1.0MB/s    00:02   
[107/129] Fetching libvpx-1.11.0.pkg: 100%    1 MiB 669.0kB/s    00:02   
[108/129] Fetching ffmpeg-4.4.1_3,1.pkg: 100%    9 MiB   2.5MB/s    00:04   
[109/129] Fetching xvid-1.3.7,1.pkg: 100%  285 KiB 291.7kB/s    00:01   
[110/129] Fetching x265-3.4_2.pkg: 100%    2 MiB 967.0kB/s    00:02   
[111/129] Fetching vmaf-2.3.0_2.pkg: 100%  278 KiB 284.2kB/s    00:01   
[112/129] Fetching libx264-0.163.3060.pkg: 100%  679 KiB 694.9kB/s    00:01   
[113/129] Fetching libvdpau-1.4.pkg: 100%   56 KiB  57.8kB/s    00:01   
[114/129] Fetching libva-2.13.0_1.pkg: 100%  162 KiB 165.4kB/s    00:01   
[115/129] Fetching libv4l-1.20.0_2.pkg: 100%  363 KiB 372.1kB/s    00:01   
[116/129] Fetching argp-standalone-1.3_4.pkg:  47%   16 KiB  16.4kB/s    00:01 E[116/129] Fetching argp-standalone-1.3_4.pkg: 100%   34 KiB  34.5kB/s    00:01   
[117/129] Fetching libtheora-1.1.1_7.pkg: 100%  174 KiB 178.4kB/s    00:01   
[118/129] Fetching libvorbis-1.3.7_2,3.pkg: 100%  346 KiB 353.8kB/s    00:01   
[119/129] Fetching libogg-1.3.5,4.pkg: 100%  193 KiB 197.3kB/s    00:01   
[120/129] Fetching libass-0.15.2.pkg: 100%  139 KiB 142.7kB/s    00:01   
[121/129] Fetching dav1d-0.9.2.pkg: 100%  463 KiB 474.3kB/s    00:01   
[122/129] Fetching aom-3.2.0_1.pkg: 100%    3 MiB   1.8MB/s    00:02   
[123/129] Fetching opus-1.3.1.pkg: 100%  331 KiB 339.0kB/s    00:01   
[124/129] Fetching lame-3.100_3.pkg: 100%  360 KiB 369.0kB/s    00:01   
[125/129] Fetching webp-1.2.1.pkg: 100%  398 KiB 408.0kB/s    00:01   
[126/129] Fetching giflib-5.2.1.pkg: 100%  232 KiB 237.4kB/s    00:01   
[127/129] Fetching libpci-3.7.0_1.pkg: 100%   53 KiB  54.2kB/s    00:01   
[128/129] Fetching desktop-file-utils-0.26_1.pkg:  35%   16 KiB  16.4kB/s    00:[128/129] Fetching desktop-file-utils-0.26_1.pkg: 100%   45 KiB  45.7kB/s    00:01   
[129/129] Fetching libXmu-1.1.3,1.pkg: 100%   95 KiB  97.5kB/s    00:01   
Checking integrity... done (0 conflicting)
[1/129] Installing xorgproto-2021.5...
[1/129] Extracting xorgproto-2021.5: 100%
[2/129] Installing libXdmcp-1.1.3...
[2/129] Extracting libXdmcp-1.1.3: 100%
pkg: Cannot open /dev/null:No such file or directory
[3/129] Installing libXau-1.0.9...
[3/129] Extracting libXau-1.0.9: 100%
pkg: Cannot open /dev/null:No such file or directory
[4/129] Installing libpthread-stubs-0.4...
[4/129] Extracting libpthread-stubs-0.4: 100%
[5/129] Installing indexinfo-0.3.1...
[5/129] Extracting indexinfo-0.3.1: 100%
[6/129] Installing libxcb-1.14_1...
[6/129] Extracting libxcb-1.14_1: 100%
pkg: Cannot open /dev/null:No such file or directory
[7/129] Installing png-1.6.37_1...
[7/129] Extracting png-1.6.37_1: 100%
pkg: Cannot open /dev/null:No such file or directory
[8/129] Installing mpdecimal-2.5.1...
[8/129] Extracting mpdecimal-2.5.1: 100%
pkg: Cannot open /dev/null:No such file or directory
[9/129] Installing readline-8.1.1...
[9/129] Extracting readline-8.1.1: 100%
pkg: Cannot open /dev/null:No such file or directory
[10/129] Installing libffi-3.3_1...
[10/129] Extracting libffi-3.3_1: 100%
pkg: Cannot open /dev/null:No such file or directory
[11/129] Installing gettext-runtime-0.21...
[11/129] Extracting gettext-runtime-0.21: 100%
pkg: Cannot open /dev/null:No such file or directory
[12/129] Installing libX11-1.7.2,1...
[12/129] Extracting libX11-1.7.2,1: 100%
pkg: Cannot open /dev/null:No such file or directory
[13/129] Installing libfontenc-1.1.4...
[13/129] Extracting libfontenc-1.1.4: 100%
pkg: Cannot open /dev/null:No such file or directory
[14/129] Installing freetype2-2.11.1...
[14/129] Extracting freetype2-2.11.1: 100%
pkg: Cannot open /dev/null:No such file or directory
[15/129] Installing expat-2.4.3...
[15/129] Extracting expat-2.4.3: 100%
pkg: Cannot open /dev/null:No such file or directory
[16/129] Installing libxml2-2.9.12...
[16/129] Extracting libxml2-2.9.12: 100%
pkg: Cannot open /dev/null:No such file or directory
[17/129] Installing python38-3.8.12_1...
[17/129] Extracting python38-3.8.12_1: 100%
pkg: Cannot open /dev/null:No such file or directory
[18/129] Installing pcre-8.45...
[18/129] Extracting pcre-8.45: 100%
pkg: Cannot open /dev/null:No such file or directory
[19/129] Installing libiconv-1.16...
[19/129] Extracting libiconv-1.16: 100%
pkg: Cannot open /dev/null:No such file or directory
[20/129] Installing libICE-1.0.10,1...
[20/129] Extracting libICE-1.0.10,1: 100%
pkg: Cannot open /dev/null:No such file or directory
[21/129] Installing libXext-1.3.4,1...
[21/129] Extracting libXext-1.3.4,1: 100%
pkg: Cannot open /dev/null:No such file or directory
[22/129] Installing libXfixes-6.0.0...
[22/129] Extracting libXfixes-6.0.0: 100%
pkg: Cannot open /dev/null:No such file or directory
[23/129] Installing mkfontscale-1.2.1...
[23/129] Extracting mkfontscale-1.2.1: 100%
[24/129] Installing fontconfig-2.13.94_1,1...
pkg: Cannot open /dev/null:No such file or directory
```


----------



## john_rambo (Feb 12, 2022)

Also the file /etc/jail.conf. This is on the host right ?


```
# cat /etc/jail.conf                   
/etc/jail.conf

allow.nomount;
exec.clean;
mount.devfs;
host.hostname = "$name.your-host-name.lan";
path = "/zroot/jails/${name}/root";
#securelevel = 3;

firefox {
    ip4.addr = "10.0.0.2";
    #exec.start = "/bin/sh /home/firefox/run-firefox";
    #exec.jail_user = "firefox";
    persist;
    devfs_ruleset = 5;
}
```


----------



## T-Daemon (Feb 12, 2022)

john_rambo said:


> Also the file /etc/jail.conf. This is on the host right ?


Yes, that is correct.


----------



## john_rambo (Feb 12, 2022)

T-Daemon 
Sorry I should have asked this in my previous post. I am again getting a little confused 


```
# /etc/rc.conf

#
# Among other things you set up in rc.conf, the following is minimum required for jail networking.
#
# We use the 10.0.0.0/29 range just as an example for up to 6 jails
#
cloned_interfaces=lo1
ifconfig_lo1_aliases="10.0.0.1-6/29"

# And this to enable pf rules for NAT
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

Is this the /etc/rc.conf of the host or the Jail ?


```
# /etc/pf.conf

# This is for re0 interface, so replace with whatever you have, like em0, igb0, ...
extif = "re0"
intif = "lo1"

set skip on lo
set state-policy if-bound

nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
```

Again, is this the /etc/pf.conf of the host or the jail?

```
# /etc/devfs.rules

[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'mixer*' unhide
add path 'dsp*' unhide
```

/etc/devfs.rules on the host or jail ?

This is not a newbie thing. After I understand this far I will ask about the next steps later.


----------



## T-Daemon (Feb 12, 2022)

john_rambo said:


> Is this the /etc/rc.conf of the host or the Jail ?
> 
> Again, is this the /etc/pf.conf of the host or the jail?
> 
> /etc/devfs.rules on the host or jail ?


All on the host.


----------



## john_rambo (Feb 12, 2022)

T-Daemon

This is my /etc/pf.conf



```
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
```

I am getting this error


```
# pfctl -f /etc/pf.conf
/etc/pf.conf:11: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded
```


----------



## T-Daemon (Feb 12, 2022)

Replicated the pf(4) rules from the wiki, those work just fine.

What's in line 11?


john_rambo said:


> /etc/pf.conf:*11*: Rules must be in order: options, normalization, queueing, translation, filtering


----------



## john_rambo (Feb 13, 2022)

T-Daemon said:


> Replicated the pf(4) rules from the wiki, those work just fine.
> 
> What's in line 11?


This is my /etc/pf.conf


```
$ cat /etc/pf.conf
### block in all
### pass out all keep state

block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
```


----------



## john_rambo (Feb 13, 2022)

T-Daemon
I don't want to give up. I was using Firefox and almost all network facing apps inside a firejail sandbox under Linux.
Kindly reply when you have free time.

This was how my /etc/pf.conf looked before


```
$ cat /etc/pf.conf
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
```

This is how my /etc/pf.conf looks after adding rules from the wiki


```
$ cat /etc/pf.conf
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
```

I added the following (from the wiki)


```
extif = "re0"

intif = "lo1"

set skip on lo

set state-policy if-bound

nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
```


----------



## T-Daemon (Feb 13, 2022)

john_rambo said:


> Kindly reply when you have free time.


Sure, no problem. Yesterday, after my last post, I had no time to get back to the forums.

To the subject, I'm not familiar with pf(4), but after reading the pf chapter in the handbook, and taking the error message into account, the filtering must be placed last in /etc/pf.conf:

```
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
```
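
An added example (not part of the post or the wiki): a small checker for the statement order named in the pfctl error message, run over the two rule sets from this thread. The function name and keyword table are assumptions of this sketch, which applies the documented order strictly and may flag lines pfctl itself tolerates; `pfctl -nf /etc/pf.conf` remains the authoritative parse.

```shell
#!/bin/sh
# Added example: report pf.conf statements that break the order
# options, normalization, queueing, translation, filtering.
# Simplified classifier: macros, tables and anything it does not recognise
# are ignored, and a '#' inside a quoted string is treated as a comment.

# pf_order_check [FILE]: print "LINE: X statement after Y" for each
# out-of-order statement; exit status 1 if any was found. Reads stdin
# when no FILE is given.
pf_order_check() {
    awk '
    BEGIN { split("options normalization queueing translation filtering", label, " ") }

    # Map the leading keyword(s) of a statement to its place in the order.
    function rank(first, second) {
        if (first == "no") first = second            # "no nat", "no rdr", ...
        if (first == "set") return 1
        if (first == "scrub") return 2
        if (first == "altq" || first == "queue") return 3
        if (first ~ /^(nat|rdr|binat)(-anchor)?$/) return 4
        if (first ~ /^(pass|block|antispoof|anchor)$/) return 5
        return 0
    }

    {
        sub(/#.*/, "")                    # strip comments (re-splits fields)
        was_continuation = continues
        continues = ($0 ~ /\\[ \t]*$/)    # trailing backslash joins next line
        if (was_continuation || NF == 0) next

        r = rank($1, $2)
        if (r == 0) next
        if (r < highest) {
            printf "%d: %s statement after %s\n", NR, label[r], label[highest]
            bad = 1
        } else {
            highest = r
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# The rule set that pfctl rejected, as posted in the thread.
broken_ruleset() {
    cat <<'EOF'
### block in all
### pass out all keep state

block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
EOF
}

# The reordered rule set from the reply above.
fixed_ruleset() {
    cat <<'EOF'
extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }
EOF
}

broken_ruleset | pf_order_check || echo "broken rule set: out of order"
fixed_ruleset | pf_order_check && echo "fixed rule set: order OK"
```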


----------



## john_rambo (Feb 13, 2022)

Okay now the PF issue is solved. The "init script" is supposed to be created on the host right ?

Have I done it properly ?


```
$ cat /home/home/Desktop/firefoxjail
#!/bin/sh
 export DISPLAY=:0.0
 /usr/local/bin/firefox > /dev/null &
```

Now I am getting stuck at this step


```
root@firefox:~ # chown firefox:firefox /home/firefox/run-firefox
chown: /home/firefox/run-firefox: No such file or directory
```

Note : ^^ I am inside the jail.


----------



## john_rambo (Feb 13, 2022)

Okay forget about that. All that is supposed to be done inside the jail.
I have completed all the steps including



> And that's it. We stop the jail with  jail -r firefox , uncomment the exec. bits from jail.conf, comment the persist bit, and the jail is almost ready to run. Finally:
> 
> 
> 
> ...


I don't know, but this is the last remaining issue


```
jail -c firefox
firefox: created
root@home:/home/home # /home/firefox/run-firefox: /usr/local/bin/firefox: not found
```


----------



## T-Daemon (Feb 13, 2022)

john_rambo said:


> `root@home:/home/home # /home/firefox/run-firefox: /usr/local/bin/firefox: not found`


Check if www/firefox is installed.

From host:

```
# pkg -c /zroot/jails/firefox/root info -E firefox
```


----------



## john_rambo (Feb 14, 2022)

T-Daemon said:


> Check if www/firefox is installed.
> 
> From host:
> 
> ...




```
# pkg -c /zroot/jails/firefox/root info -E firefox
pkg: No package(s) matching firefox
```
So I tried to install Firefox again, but got an error this time


```
# pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 106 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    adwaita-icon-theme: 40.1.1
    aom: 3.2.0_1
    argp-standalone: 1.3_4
    argyllcms: 1.9.2_5
    at-spi2-atk: 2.34.2
    at-spi2-core: 2.36.0
    atk: 2.36.0
    avahi-app: 0.8
    ca_root_nss: 3.71
    cairo: 1.17.4,3
    colord: 1.3.5_1
    cups: 2.3.3op2
    dav1d: 0.9.2
    dbus: 1.12.20_5
    dbus-glib: 0.112
    dejavu: 2.37_1
    desktop-file-utils: 0.26_1
    encodings: 1.0.5,1
    ffmpeg: 4.4.1_3,1
    firefox: 97.0_3,2
    font-bh-ttf: 1.0.3_4
    font-misc-ethiopic: 1.0.4
    font-misc-meltho: 1.0.3_4
    fontconfig: 2.13.94_1,1
    fribidi: 1.0.11
    gdbm: 1.22
    gdk-pixbuf2: 2.40.0
    giflib: 5.2.1
    glib: 2.70.3,2
    gmp: 6.2.1
    gnome_subr: 1.0
    gnutls: 3.6.16
    graphite2: 1.3.14
    gsettings-desktop-schemas: 41.0
    gtk-update-icon-cache: 3.24.26_1
    gtk3: 3.24.31
    harfbuzz: 3.2.0
    hicolor-icon-theme: 0.17
    icu: 70.1_1,1
    jbigkit: 2.1_1
    jpeg-turbo: 2.1.1_1
    lame: 3.100_3
    lcms2: 2.12
    libSM: 1.2.3,1
    libXScrnSaver: 1.2.3_2
    libXcomposite: 0.4.5,1
    libXcursor: 1.2.0
    libXdamage: 1.1.5
    libXft: 2.3.4
    libXi: 1.8,1
    libXinerama: 1.1.4_2,1
    libXmu: 1.1.3,1
    libXrandr: 1.5.2
    libXrender: 0.9.10_2
    libXt: 1.2.1,1
    libXtst: 1.2.3_2
    libXxf86vm: 1.1.4_3
    libass: 0.15.2
    libdaemon: 0.14_1
    libdrm: 2.4.109,1
    libedit: 3.1.20210216,1
    libepoll-shim: 0.0.20210418
    libepoxy: 1.5.9
    liberation-fonts-ttf: 2.1.5,2
    libevent: 2.1.12
    libglvnd: 1.4.0
    libidn2: 2.3.2
    libogg: 1.3.5,4
    libpaper: 1.1.28
    libpci: 3.7.0_1
    libpciaccess: 0.16
    librsvg2-rust: 2.52.5_1
    libtasn1: 4.18.0
    libtheora: 1.1.1_7
    libudev-devd: 0.5.0
    libunistring: 0.9.10_1
    libv4l: 1.20.0_2
    libva: 2.13.0_1
    libvdpau: 1.4
    libvorbis: 1.3.7_2,3
    libvpx: 1.11.0
    libx264: 0.163.3060
    libxkbcommon: 1.3.1
    nettle: 3.7.3
    nspr: 4.33
    nss: 3.75
    opus: 1.3.1
    p11-kit: 0.24.0
    pango: 1.48.11
    pciids: 20211124
    pixman: 0.40.0_1
    polkit: 0.120_1
    shared-mime-info: 2.0_2
    spidermonkey78: 78.9.0_5
    sqlite3: 3.35.5_4,1
    tiff: 4.3.0
    tpm-emulator: 0.7.4_2
    trousers: 0.3.14_3
    vmaf: 2.3.0_2
    wayland: 1.20.0
    webp: 1.2.1
    x265: 3.4_2
    xauth: 1.1
    xkeyboard-config: 2.34
    xorg-fonts-truetype: 7.7_1
    xvid: 1.3.7,1

Number of packages to be installed: 106

The process will require 827 MiB more space.

Proceed with this action? [y/N]: y
[1/106] Installing fontconfig-2.13.94_1,1...
pkg: Cannot open /dev/null:No such file or directory
```


----------



## T-Daemon (Feb 14, 2022)

Execute from host:

```
# mount_nullfs /dev   /zroot/jails/firefox/root/dev
```


----------



## john_rambo (Feb 14, 2022)

T-Daemon said:


> Execute from host:
> 
> ```
> # mount_nullfs /dev   /zroot/jails/firefox/root/dev
> ```




```
# mount_nullfs /dev   /zroot/jails/firefox/root/dev
root@home:/home/home # pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 106 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    adwaita-icon-theme: 40.1.1
    aom: 3.2.0_1
    argp-standalone: 1.3_4
    argyllcms: 1.9.2_5
    at-spi2-atk: 2.34.2
    at-spi2-core: 2.36.0
    atk: 2.36.0
    avahi-app: 0.8
    ca_root_nss: 3.71
    cairo: 1.17.4,3
    colord: 1.3.5_1
    cups: 2.3.3op2
    dav1d: 0.9.2
    dbus: 1.12.20_5
    dbus-glib: 0.112
    dejavu: 2.37_1
    desktop-file-utils: 0.26_1
    encodings: 1.0.5,1
    ffmpeg: 4.4.1_3,1
    firefox: 97.0_3,2
    font-bh-ttf: 1.0.3_4
    font-misc-ethiopic: 1.0.4
    font-misc-meltho: 1.0.3_4
    fontconfig: 2.13.94_1,1
    fribidi: 1.0.11
    gdbm: 1.22
    gdk-pixbuf2: 2.40.0
    giflib: 5.2.1
    glib: 2.70.3,2
    gmp: 6.2.1
    gnome_subr: 1.0
    gnutls: 3.6.16
    graphite2: 1.3.14
    gsettings-desktop-schemas: 41.0
    gtk-update-icon-cache: 3.24.26_1
    gtk3: 3.24.31
    harfbuzz: 3.2.0
    hicolor-icon-theme: 0.17
    icu: 70.1_1,1
    jbigkit: 2.1_1
    jpeg-turbo: 2.1.1_1
    lame: 3.100_3
    lcms2: 2.12
    libSM: 1.2.3,1
    libXScrnSaver: 1.2.3_2
    libXcomposite: 0.4.5,1
    libXcursor: 1.2.0
    libXdamage: 1.1.5
    libXft: 2.3.4
    libXi: 1.8,1
    libXinerama: 1.1.4_2,1
    libXmu: 1.1.3,1
    libXrandr: 1.5.2
    libXrender: 0.9.10_2
    libXt: 1.2.1,1
    libXtst: 1.2.3_2
    libXxf86vm: 1.1.4_3
    libass: 0.15.2
    libdaemon: 0.14_1
    libdrm: 2.4.109,1
    libedit: 3.1.20210216,1
    libepoll-shim: 0.0.20210418
    libepoxy: 1.5.9
    liberation-fonts-ttf: 2.1.5,2
    libevent: 2.1.12
    libglvnd: 1.4.0
    libidn2: 2.3.2
    libogg: 1.3.5,4
    libpaper: 1.1.28
    libpci: 3.7.0_1
    libpciaccess: 0.16
    librsvg2-rust: 2.52.5_1
    libtasn1: 4.18.0
    libtheora: 1.1.1_7
    libudev-devd: 0.5.0
    libunistring: 0.9.10_1
    libv4l: 1.20.0_2
    libva: 2.13.0_1
    libvdpau: 1.4
    libvorbis: 1.3.7_2,3
    libvpx: 1.11.0
    libx264: 0.163.3060
    libxkbcommon: 1.3.1
    nettle: 3.7.3
    nspr: 4.33
    nss: 3.75
    opus: 1.3.1
    p11-kit: 0.24.0
    pango: 1.48.11
    pciids: 20211124
    pixman: 0.40.0_1
    polkit: 0.120_1
    shared-mime-info: 2.0_2
    spidermonkey78: 78.9.0_5
    sqlite3: 3.35.5_4,1
    tiff: 4.3.0
    tpm-emulator: 0.7.4_2
    trousers: 0.3.14_3
    vmaf: 2.3.0_2
    wayland: 1.20.0
    webp: 1.2.1
    x265: 3.4_2
    xauth: 1.1
    xkeyboard-config: 2.34
    xorg-fonts-truetype: 7.7_1
    xvid: 1.3.7,1

Number of packages to be installed: 106

The process will require 827 MiB more space.

Proceed with this action? [y/N]: y
[1/106] Installing fontconfig-2.13.94_1,1...
[1/106] Extracting fontconfig-2.13.94_1,1:   0%
pkg: Fail to create /usr/local/share/licenses/fontconfig-2.13.94_1,1:Read-only file system
[1/106] Extracting fontconfig-2.13.94_1,1: 100%
```


----------



## T-Daemon (Feb 14, 2022)

From host:

```
# zfs set readonly=off zroot/jails/firefox/root
```


----------



## john_rambo (Feb 14, 2022)

```
# jail -c firefox
firefox: created
root@home:/home/home # Error: cannot open display: :0.0
```

So I repeated

```
# xhost +

access control disabled, clients can connect from any host
```

But same error.


----------



## T-Daemon (Feb 14, 2022)

Have you mounted the host's X unix socket to the jail?

```
# mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix
```


----------



## john_rambo (Feb 14, 2022)

T-Daemon said:


> Have you mounted the hosts X unix socket to the jail?
> 
> 
> 
> ...



Now Firefox is launching but web pages are not loading.


----------



## T-Daemon (Feb 14, 2022)

In /etc/rc.conf:

```
cloned_interfaces="lo1"

#delete ifconfig_lo1_aliases="10.0.0.1-6/29", set

ipv4_addrs_lo1="10.0.0.1-6/29"
```


----------



## john_rambo (Feb 14, 2022)

T-Daemon said:


> In /etc/rc.conf:
> 
> ```
> cloned_interfaces="lo1"
> ...




```
hostname="home"
ifconfig_re0="DHCP"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
kld_list="i915kms"
pf_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"
cloned_interfaces=lo1
##ifconfig_lo1_aliases="10.0.0.1-6/29"

ipv4_addrs_lo1="10.0.0.1-6/29"
```

Still webpages are not loading


----------



## T-Daemon (Feb 14, 2022)

Have you restarted the host's netif service?

```
# service netif restart
```


----------



## john_rambo (Feb 14, 2022)

Finally it's working! Which commands will I have to enter after each boot?
Also, is there a way to copy my existing .mozilla folder to the Jail ?


----------



## T-Daemon (Feb 14, 2022)

john_rambo said:


> Which commands will have to enter after each boot ?


Following will suffice:

```
# mount_nullfs /tmp/.X11-unix  /zroot/jails/firefox/root/tmp/.X11-unix

# xhost +
```



john_rambo said:


> Also, is there a way to copy my existing .mozilla folder to the Jail ?


Sure, just `cp -r .mozilla` host to jail/firefox user and `chown -R firefox:firefox jail/firefox/.mozilla`.

Also have a look at the chapter "A few gotchas for maintenance" in the wiki, especially about updating the system.

Previously the file system was set to read/write, revert to read-only, after system update:

```
# zfs set readonly=on zroot/jails/firefox/root
```


----------



## john_rambo (Feb 15, 2022)

T-Daemon said:


> Following will suffice:
> 
> ```
> # mount_nullfs /tmp/.X11-unix  /zroot/jails/firefox/root/tmp/.X11-unix
> ...


Old profile successfully copied to jail.
About maintenance I did `jexec -l firefox` then `freebsd-update fetch` and `pkg update`/`pkg upgrade`. After the process completed I set the filesystem of the Jail to read only again.

I will start using the jailed Firefox from today & see if I face any issues. In case of any complications I will write back here.

Thanks a lot.


----------



## john_rambo (Feb 15, 2022)

T-Daemon
I use multiple profiles of Firefox. I had edited the Firefox launcher and made the exec line look like this


```
Exec=firefox -P
```

Suppose I am working on the profile named Work and I want to use the profile Social all I do is click on the (edited) Firefox icon and a Profile Selector window appears and I select Social.

How do I do this for the Firefox which is running inside this Jail ?

At the moment I am closing FF, which is terminating the jail automatically, and then I am starting the jail again, which is launching the Profile Selector.

Problem is while using a specific profile I can't launch another profile.


----------



## grahamperrin@ (Feb 15, 2022)

john_rambo said:


> … for the Firefox which is running inside this Jail ? …



I guess that for this, you need not think about jailing. Simply: 

about:profiles
aim
click *Launch profile in new browser*


----------



## T-Daemon (Feb 15, 2022)

john_rambo said:


> Problem is while using a specific profile I cant launch another profile.


You can launch another Firefox session in the same jail using jexec(8):


```
NAME
     jexec – execute a command inside an existing jail

SYNOPSIS
     jexec [-l] [-u username | -U username] jail [command ...]
```

Execute from jailed environment as user 'firefox', inside jail 'firefox', command 'firefox -P <profile>':

```
# jexec -U firefox firefox firefox -P Social
```

This can be wrapped on the host in a script, combined with sudo/doas/super to be executable as normal user, saved in a user's ~/bin directory, executed from command line or clickable Firefox icon, menu item, etc.


----------



## grahamperrin@ (Feb 15, 2022)

Also, you might like Open With. 

I have it set to work with a number of profiles and configurations:


----------



## T-Daemon (Feb 15, 2022)

john_rambo said:


> Which commands will have to enter after each boot ?





T-Daemon said:


> Following will suffice:
> 
> ```
> # mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix
> ```



I see in the wiki that can be automated as well:

```
A few gotchas for maintenance
   ...
   3. The X unit socket will have to be re-mounted after reboot, ZFS datasets are mounted automatically.
      An exec.prestart could be added to the jail's config (jail.conf):
      
exec.prestart = "mount | grep ' on /zroot/jails/${name}/root/tmp/.X11-unix' || mount_nullfs /tmp/.X11-unix /zroot/jails/${name}/root/tmp/.X11-unix"
```

Remains `xhost +` executed only.


----------



## john_rambo (Feb 19, 2022)

T-Daemon
Every time I want to launch the Firefox inside Jail I need to use `su` and then run
`jail -c firefox` which starts the jail with the default profile and then in order to launch the Firefox Profile Chooser window I do
`jexec -U firefox firefox firefox -P`.

*I want to create an icon on the desktop clicking on which will launch the Profile Chooser window of Firefox running inside this jail without using  su. How do I do that ?*

Note(1): The command jexec -U firefox firefox firefox -P only works after using the jail -c firefox command. Otherwise it complains that the jail is not running.

Note(2): I have not installed or configured `sudo`. When I need root privileges I use `su`.


----------



## john_rambo (Feb 19, 2022)

T-Daemon 
While using this jailed Firefox whenever I want to download a file or even save a jpg image the Firefox window just vanishes instantly with the following error 


```
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Segmentation fault
```

Q1) The official guide says to make the jail read only. This is for security, right ? So do you have any tricks about what I can do when I want to download a file ? Any temporary measure I can take ? After the download is finished I will revert it back to read only.

Q2) I do understand that Jails have their own separate base and its isolated from the host so my plan is to copy downloaded files from the jail's filesystem to host's /home/username/. Is this possible ?


----------



## grahamperrin@ (Feb 19, 2022)

john_rambo said:


> … jail read only … any tricks about what I can do when I want to download a file ? …



tmpfs(5), maybe?


Jails aside, I do often download to my 

`tmpfs on /tmp (tmpfs, local)`


----------



## john_rambo (Feb 19, 2022)

grahamperrin
I read that man page but how to implement that in a Jail frankly I have no idea.


----------



## grahamperrin@ (Feb 19, 2022)

One of these, maybe? In no particular order:

<https://serverfault.com/a/678708/91969>
<https://github.com/sebcat/small-freebsd-jails#nullfs-tmpfs>
<https://forums.freebsd.org/threads/47691/> post 5 in particular
<https://forums.freebsd.org/threads/62192/>
All via <https://www.google.com/search?q=tmpfs+jail+FreeBSD&tbs=li:1#unfucked>


----------



## john_rambo (Feb 19, 2022)

grahamperrin 
The thing is I am not really sure if tmpfs is needed for this. My reasoning is if you read this post I was able to copy my Firefox profile (.mozilla) from the host to the jail. So if that's possible the opposite should be possible too. I mean once the download is complete I open a terminal `cd` into the jail's Downloads folder and copy the file to the host.


----------



## grahamperrin@ (Feb 19, 2022)

john_rambo said:


> … I was able to copy my Firefox profile (.mozilla) from the host to the jail. …



Understood, thanks, however (please correct me if I'm wrong) that was with a jail *not* read-only.

In the jail: is your preference to always save to a preset path, or always ask?



If preset: what's the path?

(To help understand the segmentation fault.)


----------



## john_rambo (Feb 19, 2022)

grahamperrin said:


> Understood, thanks, however (please correct me if I'm wrong) that was with a jail *not* read-only.
> 
> In the jail: is your preference to always save to a preset path, or always ask?
> 
> ...


No path is set. It's "Always ask you where to save files". I tried changing it to ~/Downloads and just as an experiment as soon as I tried saving the image you attached Firefox vanished like before.

Note : When I press CTRL+O same thing happens. Firefox just disappears.


----------



## T-Daemon (Feb 19, 2022)

john_rambo said:


> Every time I want to launch the Firefox inside Jail I need to use `su` and then run
> `jail -c firefox` which starts the jail with the default profile and then in order to launch the Firefox Profile Chooser window I do
> `jexec -U firefox firefox firefox -P`.
> 
> *I want to create an icon on the desktop clicking on which will launch the Profile Chooser window of Firefox running inside this jail without using  su. How do I do that ?*



Install security/doas, edit /usr/local/etc/doas.conf

```
permit nopass <user name> as root cmd jail
```

In the host user's home directory, create ~/bin dir, create file, e.g. startjailfirefox:

```
#!/bin/sh

xhost +
doas jail -c firefox
```

Make script executable:

```
# chmod 700 startjailfirefox
```

Edit /zroot/jails/firefox/root/home/firefox/run-firefox, add '-P' option

```
/usr/local/bin/firefox -P > /dev/null &
```

For launcher (icon) on desktop search in your DE's/WM's documentation, point the execution of the program (shell script in this case) to ~/bin/startjailfirefox.





john_rambo said:


> While using this jailed Firefox whenever I want to download a file or even save a jpg image the Firefox window just vanishes instantly with the following error


Apparently pixel buffers from icon themes are not rendered/cached, I don't know exactly. Because of this error Firefox core dumps. In user firefox's home you might find a more or less big core file.

Reinstalling following package should correct. Execute from host:

```
# pkg -c /zroot/jails/firefox/root install -f gdk-pixbuf2
```



john_rambo said:


> Q1) The official guide says to make the jail read only. This is for security, right ? So do you have any tricks about what I can do when I want to download a file ? Any temporary measure I can take ? After the download is finished I will revert it back to read only.


Only the jail's root dataset is read only. The jail's home dataset and following automatically created directory and sub-directory firefox/Downloads are writable:

```
# zfs get -r readonly zroot/jails/firefox
NAME                      PROPERTY  VALUE   SOURCE
zroot/jails/firefox       readonly  off     default
zroot/jails/firefox/home  readonly  off     default
zroot/jails/firefox/root  readonly  on      local
zroot/jails/firefox/tmp   readonly  off     default
zroot/jails/firefox/var   readonly  off     default
```



john_rambo said:


> Q2) I do understand that Jails have their own separate base and its isolated from the host so my plan is to copy downloaded files from the jail's filesystem to host's /home/username/. Is this possible ?


Yes. One possible solution:

Example setup (host):

```
# zfs create zroot/jails/Shared
# zfs set setuid=off exec=off zroot/jails/Shared

# mkdir /zroot/jails/firefox/root/home/Shared
# chmod 777 /zroot/jails/firefox/root/home/Shared
```

Host /etc/jail.conf

```
firefox {
         ...
         exec.prestart = "mount | grep home/Shared || mount_nullfs /zroot/jails/Shared /zroot/jails/${name}/root/home/Shared";
         ...
```

Start jail, set in Firefox setting "Save files to /home/Shared".

Make of the /zroot/jails/Shared directory a symbolic link in the host users directory where the jail has been started, a bookmark/shortcut in a file browser, etc.


----------
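
Added example, not part of any post in this thread or of the wiki: a POSIX sh check that every ZFS dataset mounted inside the jail's root is either read-only or writable with `exec=off` and `setuid=off`, which is the layout the posts above set up. The function names, the pass/fail policy and the sample data are assumptions made for this example; the sample lines are constructed, not captured output.

```shell
#!/bin/sh
# Audit the ZFS properties of the datasets that make up a jail.
#
# Policy (an assumption of this example, derived from the thread's layout):
# a dataset mounted at or below the jail's root must be either
#   readonly=on, or
#   writable with exec=off and setuid=off.
#
# Input on stdin: tab-separated "name<TAB>property<TAB>value" lines, as printed by
#   zfs get -H -r -o name,property,value mountpoint,readonly,exec,setuid zroot/jails/firefox
# Argument: the jail's root path as seen from the host.
# Exit status: 0 if every dataset passes, 1 otherwise.
audit_jail_datasets() {
    jail_root=$1
    awk -F '\t' -v root="$jail_root" '
        {
            prop[$1, $2] = $3
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                ds = order[i]
                mp = prop[ds, "mountpoint"]
                # Datasets mounted outside the jail root are not visible in the jail.
                if (mp != root && index(mp, root "/") != 1) continue
                if (prop[ds, "readonly"] == "on") {
                    printf "OK    %s (read-only)\n", ds
                    continue
                }
                if (prop[ds, "exec"] == "off" && prop[ds, "setuid"] == "off") {
                    printf "OK    %s (writable, exec=off, setuid=off)\n", ds
                    continue
                }
                # A missing property prints as empty and fails closed.
                printf "FAIL  %s (writable, exec=%s, setuid=%s)\n", ds, prop[ds, "exec"], prop[ds, "setuid"]
                bad++
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample data: the four property lines for one dataset.
# Arguments: name mountpoint readonly exec setuid
dataset_lines() {
    printf '%s\tmountpoint\t%s\n' "$1" "$2"
    printf '%s\treadonly\t%s\n'   "$1" "$3"
    printf '%s\texec\t%s\n'       "$1" "$4"
    printf '%s\tsetuid\t%s\n'     "$1" "$5"
}

# Constructed sample of the thread's dataset layout.
# Argument: readonly value of the root dataset ("on" or "off").
sample_layout() {
    dataset_lines zroot/jails/firefox      /zroot/jails/firefox               off      on  on
    dataset_lines zroot/jails/firefox/root /zroot/jails/firefox/root          "$1"     on  on
    dataset_lines zroot/jails/firefox/var  /zroot/jails/firefox/root/var      off      off off
    dataset_lines zroot/jails/firefox/tmp  /zroot/jails/firefox/root/tmp      off      off off
    dataset_lines zroot/jails/firefox/home /zroot/jails/firefox/root/usr/home off      off off
}

# Demo on the constructed data: the hardened layout, then the same layout
# with the root dataset left writable after a package install.
sample_layout on  | audit_jail_datasets /zroot/jails/firefox/root
sample_layout off | audit_jail_datasets /zroot/jails/firefox/root \
    || echo "policy violated: set readonly=on on the root dataset"
```

On a real host, pipe the `zfs get` command from the header comment into `audit_jail_datasets` instead of `sample_layout`.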



## john_rambo (Feb 20, 2022)

T-Daemon
All issues solved leaving the shared folder, but I want to solve that after some time.

This is the list of commands needed for jailing Firefox. Can you please have look and tell me if I have missed anything ?


```
zfs create -o compress=lz4 -o atime=off zroot/jails
zfs create zroot/jails/basejail
fetch https://download.freebsd.org/releases/amd64/13.0-RELEASE/base.txz ; tar xf base.txz -C /zroot/jails/basejail
env PAGER=cat freebsd-update -b /zroot/jails/basejail fetch install
Configure inside jail /etc/resolv.conf
zfs snapshot zroot/jails/basejail@latest
zfs create zroot/jails/firefox
zfs clone zroot/jails/basejail@latest zroot/jails/firefox/root
zfs create zroot/jails/firefox/var
zfs create zroot/jails/firefox/tmp
zfs create zroot/jails/firefox/home
rsync -a /zroot/jails/firefox/root/var/ /zroot/jails/firefox/var/
zfs set mountpoint=/zroot/jails/firefox/root/var zroot/jails/firefox/var
zfs set mountpoint=/zroot/jails/firefox/root/tmp zroot/jails/firefox/tmp
zfs set mountpoint=/zroot/jails/firefox/root/usr/home zroot/jails/firefox/home
zfs set setuid=off exec=off zroot/jails/firefox/var
zfs set setuid=off exec=off zroot/jails/firefox/tmp
zfs set setuid=off exec=off zroot/jails/firefox/home
pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
pkg -c /zroot/jails/firefox/root install -f gdk-pixbuf2


### ON HOST

/etc/jail.conf

allow.nomount;
exec.clean;
mount.devfs;
host.hostname = "$name.your-host-name.lan";
path = "/zroot/jails/${name}/root";
#securelevel = 3;

firefox {
    ip4.addr = "10.0.0.2";
    #exec.start = "/bin/sh /home/firefox/run-firefox";
    #exec.jail_user = "firefox";
    persist;
    devfs_ruleset = 5;
}




At this point, we comment out the exec. directives, and uncomment the persist directive because we want to get inside the jail with no processes running, to bootstrap it. But before we do that, there are two more undefined items here, the devfs ruleset and jail's ip address. So, let's handle those first.

Configure inside jail /etc/resolv.conf













ON HOST
# cat /etc/jail.conf                   
/etc/jail.conf
allow.nomount;
exec.clean;
mount.devfs;
host.hostname = "$name.your-host-name.lan";
path = "/zroot/jails/${name}/root";
#securelevel = 3;

firefox {
    ip4.addr = "10.0.0.2";
    #exec.start = "/bin/sh /home/firefox/run-firefox";
    #exec.jail_user = "firefox";
    persist;
    devfs_ruleset = 5;
}

ON HOST

 # /etc/rc.conf

#
# Among other things you set up in rc.conf, the following is minimum required for jail networking.
#
# We use the 10.0.0.0/29 range just as an example for up to 6 jails
#
cloned_interfaces=lo1
ifconfig_lo1_aliases="10.0.0.1-6/29"

# And this to enable pf rules for NAT
pf_enable="YES"
pf_rules="/etc/pf.conf"
ON HOST

# /etc/pf.conf

extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }








ON HOST

# /etc/devfs.rules

[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'mixer*' unhide
add path 'dsp*' unhide


# Start the jail
jail -c firefox

# jexec into it (the commands listed here after this are done inside the jail)
jexec -l firefox

# First, create a user for firefox (note the exec.jail_user = "firefox" in the jail.conf, so that's the user)
pw useradd firefox -w random -m

# Write out the "init" script (note the exec.start path in jail.conf, so that's the init script)
cat << EOF > /home/firefox/run-firefox
#!/bin/sh

export DISPLAY=:0.0
/usr/local/bin/firefox > /dev/null &
EOF

# We did all this as root, so:
chown firefox:firefox /home/firefox/run-firefox
chmod u+x /home/firefox/run-firefox

# Prepare the mountpoint for host's X unix socket
mkdir /tmp/.X11-unix
chmod 777 /tmp/.X11-unix

# Done!
Exit
We stop the jail with jail -r firefox, uncomment the exec. bits from jail.conf, comment the persist bit, and the jail is almost ready to run.





ON HOST
Allow jails to talk to xorg
xhost +

# Mount the host's X unix socket into the jail
mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix

# And finally make the jail's root readonly:
zfs set readonly=on zroot/jails/firefox/root

We start firefox by starting the jail itself:
jail -c firefox

ON HOST

Install security/doas, edit /usr/local/etc/doas.conf

permit nopass <user name> as root cmd jail

ON HOST

In host users home directory, create ~/bin dir, create file, e.g. startjailfirefox

#!/bin/sh

xhost +
doas jail -c firefox

Make script executable

# chmod 700 startjailfirefox

ON HOST

Edit /zroot/jails/firefox/root/home/firefox/run-firefox, add '-P' option

For launcher (icon) on desktop search in your DE's/WM's documentation, point the execution of the program (shell script in this case) to ~/bin/startjailfirefox
## Update Jail
freebsd-update -b /zroot/jails/basejail fetch install
```


----------



## T-Daemon (Feb 20, 2022)

Looks good, only


john_rambo said:


> cloned_interfaces=lo1
> ifconfig_lo1_aliases="10.0.0.1-6/29"


should be

```
ipv4_addrs_lo1="10.0.0.1-6/29"
```

and


john_rambo said:


> export DISPLAY=:0.0
> /usr/local/bin/firefox > /dev/null &


should be

```
/usr/local/bin/firefox -P > /dev/null &
```


----------



## john_rambo (Feb 23, 2022)

T-Daemon
I have applied the arkenfox custom user.js in one of my Firefox profiles. The arkenfox user.js uses a script called updater.sh for updating the script. When I cd into the Firefox's profile folder which is inside the Jail I am getting

```
$ pwd
/zroot/jails/firefox/root/home/firefox/.mozilla/firefox/hpd0xx49.default-release
```


```
$ ./updater.sh
sh: ./updater.sh: Permission denied
```

How do I run this script ?


----------



## T-Daemon (Feb 23, 2022)

john_rambo said:


> `sh: ./updater.sh: Permission denied`


Allow execution of the script (chmod(1)), and `chmod 777 /zroot/jails/firefox/root/tmp` .


----------



## john_rambo (Feb 24, 2022)

T-Daemon said:


> Allow execution of the script (chmod(1)), and `chmod 777 /zroot/jails/firefox/root/tmp` .


Okay, but before I do that, what's the command which will undo what chmod 777 does? After running that script I want to put the Jail back to its original state.


----------



## T-Daemon (Feb 24, 2022)

john_rambo said:


> what's the command which will undo what chmod 777 does ?


`chmod 755 ...`


----------



## john_rambo (Feb 25, 2022)

T-Daemon 
Did `chmod 777 /zroot/jails/firefox/root/tmp` but still getting *Permission denied*.


----------



## T-Daemon (Feb 25, 2022)

Four requirements must match to make the script run cleanly:

1. Execution permission for updater.sh (`chmod 700 updater.sh`)
2. The jail's /tmp directory must have write permission for 'others' (updater.sh is creating some temporary files there).
   `# chmod 757 /zroot/jails/firefox/root/tmp`   (or `chmod 777`)
3. The jail must be running, start jail 'firefox'.
4. The script must be executed inside the jail's chroot environment.
   On host, as root, chroot as user 'firefox', into user 'firefox's home directory, into jail 'firefox':
   `# jexec -l -U firefox firefox`
   Execute script, exit chroot, revoke the jail's /tmp directory's write permissions (`chmod 755`).

Alternatively to point #4, place updater.sh in /zroot/jails/firefox/root/home/firefox/bin, run on host as root
`# jexec -U firefox firefox updater.sh`. Make sure the permission is set to execute and owner:group is firefox:firefox.


----------



## john_rambo (Feb 27, 2022)

T-Daemon
I don't know what went wrong. Now I can't even install addons.

Making it read only off has no effect. 
	
	



```
zfs set readonly=on zroot/jails/firefox/root
```

At first I thought the mozilla addon server is down but then I launched the Firefox which is installed on the host. I was able to install addons normally.


----------



## T-Daemon (Feb 27, 2022)

john_rambo said:


> Making it read only off has no effect.
> 
> ```
> zfs set readonly=on zroot/jails/firefox/root
> ```


Here `readonly=on|off` has only effect on `zroot/jails/firefox/root`, not on `zroot/jails/firefox/home` where the 'firefox' users home resides.



T-Daemon said:


> Only the jails root dataset is read only. The jails home dataset and following automatically created directory and sub-directory firefox/Downloads are writable:
> 
> ```
> # zfs get -r readonly zroot/jails/firefox
> ...



You may have connection, not write permission problems. Check the connection from the jail. Do normal internet pages load?


----------



## john_rambo (Feb 27, 2022)

T-Daemon said:


> Here `readonly=on|off` has only effect on `zroot/jails/firefox/root`, not on `zroot/jails/firefox/home` where the 'firefox' users home resides.
> You may have connection, not write permission problems. Check the connection from the jail. Do normal internet pages load?


Yes all the pages like Youtube, Facebook, etc are loading fine. 
When I try to download any file this happens. So there's definitely some permission issues.


----------



## john_rambo (Feb 28, 2022)

T-Daemon
I have 3 Firefox profiles. I just found that this permission issue is happening in 2 profiles out of 3. I can install addons on 1 profile as usual.

I tried


```
# jexec -l firefox
```


```
# chown -R firefox:firefox /usr/home/firefox/
```

but still can't install addons or download any file on the above mentioned one profile.

I am sure this is a simple permission issue.


----------



## T-Daemon (Feb 28, 2022)

Check the search bit ('x', see chmod(1)) of the directories from the profile in question. chroot(8) to 'firefox' user of jail 'firefox':

```
host # jexec -l -U firefox firefox

jail $ ls -lR .mozilla/firefox/<profile> | grep ^d
```

All directories of the owner should be `drwx...`. Sample:

```
drwxr-xr-x  2  firefox  firefox  ...
```


----------



## john_rambo (Feb 28, 2022)

T-Daemon 
This is current permission of the problematic profile >> Click here
The output is too large for this forum.


----------



## T-Daemon (Feb 28, 2022)

Permissions look good. Was the addon installation and file download issue present from the beginning with those profiles or did it happen after some time?

Not sure what to suggest further, maybe update www/firefox to latest version available from repository and try the following recommendations:




What to do if you can't download or save files | Firefox Help (support.mozilla.org)
If you can't download or save files with Firefox, this article explains the steps to take to fix this problem.

Unable to install add-ons (extensions or themes) | Firefox Help (support.mozilla.org)
This article describes various reasons that would cause an add-on not to be able to be installed and what you can do to fix the issue.
				




In case of addons you could try saving the addon to file (*.xpi, right click on "Add to Firefox" button, save to file), then install from file in `about:addons`


----------



## john_rambo (Mar 1, 2022)

T-Daemon said:


> Was the addon installation and file download issue present from the beginning with those profiles or did it happened after some time?


It happened after some time. Frankly speaking this is disappointing. Creating this Jail wasn't easy. All credit goes to you.
Q) Running Firefox inside a Jail Vs Running Firefox inside a Virtualbox VM ..... Which provides more isolation ?
Host : FreeBSD
VM : FreeBSD / Linux


----------



## T-Daemon (Mar 1, 2022)

john_rambo said:


> Frankly speaking this is disappointing. Creating this Jail wasn't easy.


It's hard to tell where the problem exactly lies, but the indication that 1 of 3 profiles has no problems, I would say, puts the blame on the Firefox profile, not the jail.

I've tested the jail (in a VirtualBox VM) and have no problems whatsoever regarding saving files and installing addons.



john_rambo said:


> Q) Running Firefox inside a Jail Vs Running Firefox inside a Virtualbox VM ..... Which provides more isolation ?


Looking at the vulnerability lists of both systems, in all good conscience, I can't speak for one system or the other.

VirtualBox:

Oracle Vm Virtualbox : List of security vulnerabilities (www.cvedetails.com)
Security vulnerabilities of Oracle Vm Virtualbox : List of all related CVE security vulnerabilities. CVSS Scores, vulnerability details and links to full CVE details and references.

Search for 'jail':

Freebsd Freebsd : List of security vulnerabilities (www.cvedetails.com)
Security vulnerabilities of Freebsd Freebsd : List of all related CVE security vulnerabilities. CVSS Scores, vulnerability details and links to full CVE details and references.

and recently:

262179 – Prevent jail escaping via shared nullfs; option to disable UNIX domain socket binding (bugs.freebsd.org)

262180 – jail escaping via jail-friendly nullfs (bugs.freebsd.org)

----------



## john_rambo (Mar 1, 2022)

T-Daemon said:


> Looking at the vulnerability lists of both systems, in all good conscience, I can't speak for one system or the other.


That's extremely depressing. What's the best way to keep personal data isolated ? So that be it an OS level vulnerability or a browser exploit my personal data is safe ?


----------



## T-Daemon (Mar 1, 2022)

john_rambo said:


> What's the best way to keep personal data isolated ?


What kind of personal data?


----------



## john_rambo (Mar 2, 2022)

T-Daemon said:


> What kind of personal data?


By personal data I mean everything that I have stored locally like family photos, songs, videos, my KeePassXC database, etc.

Edit: I just moved the .mozilla folder from the jail to the host's home, ran the update.sh script and then moved it back to the jail. This is not ideal but doable.


----------



## T-Daemon (Mar 3, 2022)

There is no 100% safety from exploits on computers. You can secure a system as much as you want, there will always be a way to circumvent the security.

I'm no expert on this topic, but if I were concerned about the security of personal data, to minimize the surface for exploits, I would full disk encrypt the system to make it inaccessible when the machine is powered down.

When the machine is powered up, I would isolate the personal data in an encrypted container, mount it as necessary.

On FreeBSD geli(8) from system base is available, with OpenZFS encrypted datasets can be created, third party utilities are sysutils/pefs-kmod and security/veracrypt.


----------

