Simple bandwidth shaping in Linux with firejail

Network bandwidth shaping, or traffic shaping, is widely used to make efficient use of available network bandwidth and to share it more fairly.

The most common use of bandwidth shaping on a Linux desktop is fair bandwidth sharing among different applications. Assume your torrent client is eating all the download speed while you are browsing something important. For servers, it’s a far more complex and important subject.

Firejail is surely not the best tool for this purpose; there are other utilities like iptables and the tc token bucket filter. But why not use the handy firejail tool?

For newcomers, firejail is an extremely lightweight tool for isolating one or many applications from the rest of the system; put more plainly, it is a sandboxing application. Read more about sandboxing apps with firejail here. So using firejail for traffic shaping adds an extra layer of security. Let’s start!


1. Start the applications with firejail

The first step is to launch one or more desired applications in a firejail sandbox environment with network handling capability. Use the --net= switch while launching the app, as in the examples below.

 firejail --net=enp2s0 firefox
 firejail --net=enp2s0 transmission-qt

Don’t forget to use the correct interface name: replace enp2s0 with the one that matches your system, such as eth0. Currently this works only on ethernet and wi-fi network interfaces; it does not work on virtual interfaces like ppp0 and wwan0 used for 3G/4G mobile broadband networks.


2. Get the PID of sandboxed applications

The next step is to get the PID, i.e. the process ID of the sandbox, not the PID of the application. It’s fairly easy to get: run a few commands, or use a GUI application like ksysguard or lxtask.

firejail --list | grep 'firefox' | awk -F: '{print$1}'

firejail --list | grep 'transmission-qt' | awk -F: '{print$1}' 


3. Set the bandwidth limit per application

Finally, set the bandwidth limit for the desired application using the commands below. First, the general form:

 firejail --bandwidth=PID set interface-name down-speed up-speed

PID is the process ID of the sandbox, interface-name is the name of the interface on which you are going to shape the traffic, down-speed is the maximum download speed and up-speed is the maximum upload speed. An example:

 firejail --bandwidth=11372 set enp2s0 250 100

Just make sure you are using the correct PID of the sandbox.
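
Steps 2 and 3 combined into one helper, as an added example that is not part of the original article: it parses `firejail --list` output, insists that exactly one sandbox matches the application as a whole word (so `firefox` does not also pick up another sandbox by substring), and only then calls `firejail --bandwidth`. The function names, the script name shape.sh, the user alice and the sample listing are constructed for illustration; the PID:user:name:command listing layout is assumed from current firejail releases.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample of `firejail --list` output (PID:user:name:command).
SAMPLE_LIST='11372:alice::firejail --net=enp2s0 firefox
11410:alice::firejail --net=enp2s0 transmission-qt
11502:alice:media:firejail --net=enp2s0 smtube
11533:alice::firejail --net=enp2s0 smtube'

# sandbox_pid APP: read `firejail --list` lines on stdin and print the PID of
# the one sandbox running APP. Fails if no sandbox, or more than one, matches.
sandbox_pid() {
    awk -v app="$1" '
    {
        pid = $0;  sub(/:.*/, "", pid)              # field 1: sandbox PID
        rest = $0; sub(/^[^:]*:[^:]*:/, "", rest)   # drop PID and user name
        n = split(rest, tok, "[ \t:/]+")            # whole-token match only
        for (i = 1; i <= n; i++)
            if (tok[i] == app) { found[++count] = pid; break }
    }
    END {
        if (count != 1 || found[1] !~ /^[0-9]+$/) exit 1
        print found[1]
    }'
}

# limit_app APP IFACE DOWN UP: shape one sandboxed application.
# firejail documents the two speeds as KB/s.
limit_app() {
    for speed in "$3" "$4"; do
        case $speed in
            ''|*[!0-9]*) echo "speeds must be integers" >&2; return 2 ;;
        esac
    done
    pid=$(firejail --list | sandbox_pid "$1") || {
        echo "no unique sandbox found for '$1'" >&2; return 1; }
    firejail --bandwidth="$pid" set "$2" "$3" "$4"
}

# Run as: ./shape.sh firefox enp2s0 250 100
if [ "$#" -eq 4 ]; then limit_app "$@"; fi
```

With two smtube sandboxes running, as in the sample listing, the helper refuses to guess; pass the sandbox name (media here) instead of the program name to pick one.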


4. Some extra functionality with firejail

Firejail not only shapes traffic; it can also be used to set different DNS servers for different applications, a different default gateway, and so on.

To start an application with a different DNS server, look at the command below.

 firejail --dns= --dns= firefox 

The command above will start firefox with DNS servers and without changing the system-wide DNS server.

You can also use a different default gateway for different applications. Assume you want to run an application which can see only a specific network interface and a specific default gateway. For that, use the --net= and --defaultgw= command line switches.

 firejail --net=wlp3s0 --defaultgw= smtube 

The command above will launch the flash-free YouTube browser app SMTube, bound only to the wi-fi network interface, with default gateway .


So firejail is a pretty versatile tool for traffic shaping and other network-related hacks, and it’s pretty straightforward too. If you have any suggestions or questions, feel free to leave a comment; we’ll be happy to hear from you. Also, don’t forget to share this with your friends.
