Securing untrusted applications on server with firejail, accessing them through ssh

It is realtively easy to secure an untrusted application using firejail not to use internet and see specified directories.
The application can be run securely executed on the server no problem.
However when I try to access the application through ssh it will obviously not launch as the tcp/ip connection from the client through ssh will be rejected.

Anybody know how I can configure firejail to accept/use connections only from my local network behind a firewall rejecting all other.ip addresses including obviously connections to wan.
In short, I want to supply firejail with only the network say as the only 254 addresses that can be received from and sent to, no other addresses allowed.

I cannot seem to figure out how this can be done.


Try using lxd or docker to isolate untrusted data and app.

Lxd and Docker are entire virtual machines. Sure it will work, but that is too much overhead to just redirect/restrict tcp/ip and directory access of an application.
If there is no other way, then I will use that.
Firejail is nice and lightweight and scriptable. It would be great just to have it redirect all tcpip to the local network only for a specific application, so I can access the application with ssh and have an extra layer of protection for access from other machines/networks.
Whether it can do it, is the question.

LXD and Docker are container and not full VM. VM offers full hardware emulation. So VM have more overheads.