Firejail: Firefox doesn't start on Ubuntu 20.04

Created on 17 May 2020 · 18 Comments · Source: netblue30/firejail

Bug and expected behavior
When starting firefox in firejail nothing happens (not even a crash, the program runs, but nothing is displayed).

No profile or disabling firejail

  • What changed calling firejail --noprofile PROGRAM in a shell?
  • What changed calling the program by path=without firejail (check whereis PROGRAM, firejail --list, stat $programpath)?

Both work fine.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail firefox
  2. See following messages:
$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 53252, child pid 53253
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 108.30 ms

Environment

  • Linux distribution and version (ie output of lsb_release -a)
    Ubuntu 20.04
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
    firejail version 0.9.62

Additional context
I'm using home encryption with gocryptfs.

Checklist

  • [x] The upstream profile (and redirect profile if exists) have no changes fixing it.
    There are changes to the profile here at github, for which I'm not sure what they do. The profile does not work anyways when I tried using it as local override.
  • [x] The upstream profile exists (find / -name 'firejail' 2>/dev/null/fd firejail to locate profiles ie in /usr/local/etc/firejail/PROGRAM.profile)
  • [x] Programs needed for interaction are listed.
  • [x] Error was checked in search engine and on issue list without success.

debug output

on request

All 18 comments

Warning: networking feature is disabled in Firejail configuration file

Without networking a web browser isn't of much use obviously. Did you disable networking in /etc/firejail/firejail.config?

No, it's a fresh install. It failed on the first try.

Thanks for clearing that up. I did notice that Ubuntu packages that /etc/firejail/firejail.config file with two options changed to non-default settings: 'cgroup no' and restricted-network yes. The latter restricts using the netfilter option to root, so your regular user will not be allowed to use it, even though it is enabled in /etc/firejail/firefox-common.profile. Personally I don't know exactly why it is like that on your OS, I'll have to contact our Debian expert for his input. For now you can comment that option and check if it improves things.

@reinerh Can you make anything out of this?

Yes, the two features are disabled by default in Debian (and therefore also Ubuntu), as it's more secure to keep them disabled (they can be used to circumvent other system-wide restrictions, e.g. packetfilters).
See also https://bugs.debian.org/916920

Having restricted-network on only means that the user can't for example set a custom packet filter.
It does not prevent any network connectivity, so this is probably not the reason for firefox not starting.

@reinerh Thanks for explaining, the referenced bug report is very informative. Not that it helps the OP, but I'll try installing Ubuntu 20.04 LTS and see if I can get a clearer view on the issue at hand.

@karoshi42 anything in the journal/syslog?

The only line in the log is starting with audit: SECCOMP....

But I tested with different users and noticed: The error only happens when using a wayland session. If I choose 'GNOME on Xorg' during login, firejail works just as expected. Normally I'm using the plain GNOME session (not the Ubuntu one)

The error only happens when using a wayland session. If I choose 'GNOME on Xorg' during login, firejail works just as expected. Normally I'm using the plain GNOME session (not the Ubuntu one)

Aha, that's important information indeed. What happens when you use the plain GNOME session and start Firefox via MOZ_ENABLE_WAYLAND=1 firejail firefox?

Unfortunately that doesn't help. I also tried to comment out nodbus, because it was mentioned in #3290, but that also didn't work. I'm not quite sure though what @rusty-snake's last comment was about over there.

What @rusty-snake asked for IMO is whether or not you notice any relevant warnings/errors in your systemd journal/syslog at the time you start Firefox. Assuming you're using systemd, open a second terminal window/tab and run journalctl -f, that will keep showing log output. Return to the previous terminal window/tab and just run firejail firefox again and check the log output in the other window/tab.

Ah, sorry for my unclear wording, I meant the last comment in #3290. I already checked the log, which is mostly silent, apart from the aforementioned audit: SECCOMP line.

@karoshi42 which syscall is blocked?

The full line is

SECCOMP auid=1000 uid=1000 gid=1000 ses=3 pid=8592 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0a07d6970d code=0x0

3219

For now you can add seccomp !kcmp.

Yes, that was the reason, thank you!

Only one question: If I add the seccomp line to a firefox.local file in .config, it does not seem to work. Do I have to add more there, or just copy the whole profile from /etc?

You can also add it to /etc/firejail/firefox-common.profile because the next firejail release fixes this.
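Added example, not part of the original thread or of firejail's own code: a small triage helper that parses the audit SECCOMP record quoted above, resolves the blocked syscall from its arch and number, and prints the matching `seccomp !NAME` profile line. The function names and the embedded syscall table (a constructed subset of the x86_64 table) are assumptions made for illustration.

```python
import re

# Constructed subset of the x86_64 syscall table; extend it for other numbers.
X86_64_SYSCALLS = {101: "ptrace", 161: "chroot", 165: "mount",
                   310: "process_vm_readv", 311: "process_vm_writev",
                   312: "kcmp"}
# Syscall numbers are per-architecture, so the table is keyed by the audit
# arch value. Only AUDIT_ARCH_X86_64 (0xc000003e) is covered here.
AUDIT_ARCH = {0xC000003E: ("x86_64", X86_64_SYSCALLS)}
SIGSYS = 31  # signal raised when a seccomp filter rejects a syscall

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Return the key=value fields of an audit SECCOMP record, or None."""
    if "SECCOMP" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage(line):
    """Resolve the blocked syscall and propose the profile exception."""
    rec = parse_seccomp_record(line)
    if rec is None or "syscall" not in rec or "arch" not in rec:
        return None
    arch = int(rec["arch"], 16)
    nr = int(rec["syscall"])
    arch_name, table = AUDIT_ARCH.get(arch, (None, {}))
    name = table.get(nr)
    return {
        "comm": rec.get("comm"),
        "arch": arch_name or hex(arch),
        "syscall_nr": nr,
        "syscall": name,
        "killed_by_sigsys": rec.get("sig") == str(SIGSYS),
        # Emit a directive only when the number was resolved; never guess.
        "profile_line": f"seccomp !{name}" if name else None,
    }


# The record quoted in the thread above.
SAMPLE = ('SECCOMP auid=1000 uid=1000 gid=1000 ses=3 pid=8592 comm="firefox" '
          'exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 '
          'compat=0 ip=0x7f0a07d6970d code=0x0')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the record from the thread this resolves syscall 312 on x86_64 to kcmp and yields `seccomp !kcmp`; a record with an arch value missing from the table yields no profile line instead of a guess.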
