Network only jail

[iddinev]

Hello guys,

I am trying to set up a simple network-only jail to isolate a vpn connection so I manually add/start apps in the jail.
The thing is, I only need a network jail, everything else should remain as is. I am currently using an empty profile + '--net=<my_original_ethernet_interface>' and this seems to work somewhat but I am still picking up a lot of default firejail rules that restrict a multitude of stuff.

I am trying to wrap my head around the documentation and the LLMs are also having a hard time helping me out with the configs.

Could somebody point me to a specific config/config file/doc section that I should focus on?
Any general remarks/suggestions on the topic are also welcome.

Thanks in advance!

[kmk3]

I am trying to set up a simple network-only jail to isolate a vpn connection
so I manually add/start apps in the jail.

Any general remarks/suggestions on the topic are also welcome.

I think vopono can be used for this in general:

• https://github.com/jamesmcm/vopono

At least for creating a network namespace for the vpn.

Maybe that can then be used with firejail --netns=<namespace>.

Not sure about dns in the sandbox/network namespace though.