Just a few questions #73

Open
svc88 opened this issue Nov 22, 2020 · 1 comment
Comments

svc88 commented Nov 22, 2020

I started off using many of my hours analyzing the way this guy did it from https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/

But there are 3 questions I have about this.

  1. I couldn't understand the last cmd he posted:
    iptables -t nat -A PREROUTING -i tornet -p tcp -m tcp --dport 9050 -j DNAT --to-destination 127.0.0.1:9050
    This is for applications supporting SOCKS5. I'm not sure why this traffic needs to be redirected if we have already created a separate SOCKS5 proxy 127.0.0.1:9040?
    How could apps that support SOCKS5 still connect through the bridge?

  2. I did a lot of tests, and it seems that if you run, for example, xterm in firejail using that bridge, and you decide to stop the tor service, and the app (in this case xterm) is malicious and isn't able to connect to their servers (you can still ping from the jail, by the way), it can try to ping their own servers, and they could analyze with tcpdump on their end where the ping is coming from. The ping reveals the user's REAL IP address. I have tried to block icmp to/from the bridge tornet using iptables, but the jail is STILL able to ping outside, even though there is no resolving of any kind.
    Does anyone know why this happens here?
    How is orjail different from this? Does it block icmp and any connectivity in the namespace when the Tor service is stopped?

  3. How is creating a network namespace different from a bridge when being used with Tor and firejail?

Thank you in advance

@phantomcraft
Collaborator

3 - Firejail creates a network namespace when a bridge is used with it; the difference is that the firejail netns is an unnamed network namespace.
