Sometimes we need to restrict internet access for a single application, whether for security reasons or for testing purposes.
On Linux there are several ways to restrict internet access for a single program. Unfortunately, most of them are not straightforward at all.
Firejail Sandbox Tool
A couple of days ago, I was searching for a simple way to do this job, ideally as easy as it is on Windows with the built-in firewall.
Luckily, I found an interesting and easy-to-use sandbox tool. It’s called Firejail, and it let me do the job without touching the firewall:
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
[…]
The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
After reading this, you can easily imagine how powerful this program can be. Despite its complexity, though, it can restrict internet access for any kind of Linux process with a single command.
How to install Firejail on Arch Linux
Let’s see how to install Firejail on Arch Linux. Since Firejail is in the official repositories, we can install it with pacman:
$ sudo pacman -S firejail
(On Arch, avoid a bare -Sy: refreshing the package database without a full -Syu can leave the system partially upgraded.)
Using Firejail to restrict the internet access to a single program
To deny internet access to the target program, we just run the firejail command with the --net=none option, followed by the program we want to sandbox:
$ firejail --net=none <program name>
That’s all!
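With --net=none, Firejail gives the process its own empty network namespace containing only a loopback interface; the script below, an added example that is not part of the original post, verifies that from inside the sandbox before launching anything. It assumes firejail is installed, and run_offline is a hypothetical wrapper name, not a firejail option.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a program started
# with "firejail --net=none" really sees no network interface but loopback.
# Assumes firejail is installed; run_offline is a hypothetical wrapper name
# chosen here, not a firejail option.

# Read /proc/net/dev-formatted text on stdin and return 0 only when the
# interface list is exactly "lo". Works on constructed input without firejail.
only_loopback() {
    # Skip the two header lines; the field before ':' is the interface name.
    names=$(awk -F: 'NR > 2 { gsub(/ /, "", $1); print $1 }')
    [ "$names" = "lo" ]
}

# Run inside the sandbox and read its own /proc/net/dev, which reflects the
# new network namespace that --net=none gives the process.
# Returns 0 = isolated, 1 = interfaces still visible, 2 = firejail unusable.
check_net_none() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not installed" >&2
        return 2
    fi
    # --quiet hides the sandbox banner so only the file content is captured.
    if ! devs=$(firejail --quiet --net=none cat /proc/net/dev 2>/dev/null); then
        echo "firejail failed to start the sandbox" >&2
        return 2
    fi
    if printf '%s\n' "$devs" | only_loopback; then
        echo "OK: sandbox sees only loopback"
        return 0
    fi
    echo "FAIL: sandbox still sees interfaces:" >&2
    printf '%s\n' "$devs" | awk -F: 'NR > 2 { gsub(/ /, "", $1); print "  " $1 }' >&2
    return 1
}

# Start a program without network, refusing to run it if the check fails.
# Usage: run_offline firefox
run_offline() {
    check_net_none >/dev/null || return $?
    exec firejail --net=none "$@"
}
```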
Firejail is a great sandbox tool capable of doing a lot of interesting things, so I invite you to take a look at the Arch Linux wiki and the project’s page to learn more about this interesting and useful security program.