No jail support in 2.4
-
Can you develop ?
What jail support ?2.4 is very old. It's 2.4.4-p2 these days.
-
Hi
I'm running the newest, 2.4.4-RELEASE-p2 and by jail support I mean, to support jails you need to enable it when you build FreeBSD. For instance, the jail and jls commands aren't there and the kernel probably isn't compiled with support either.
-
https://old.reddit.com/r/PFSENSE/comments/a9mws2/psa_24x_removes_jail_support/ecl2uku/
-
Thanks for the details.
You are probably right : See what Google can tell you : pfsense jail support jls
Btw : pfSense is a firewall. Jail support adds a massive load (size for one matter) on the kernel.
edit : @Grimson also uses Google ...
-
@Grimson Thanks for the link, confirms that it's probably never coming.
@Gertjan Massive load, here I assume you mean disk and memory. My SG-3100 has 5.6G free disk space and 1259M free memory.
A simple jail without any packages installed would take ~275mb of disk, and in my case, would only run 3 services, syslogd, sshd and cron.I'm not saying you should run alot of services on your firewall, but simple ones would be quite ideal. In my case, I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA. Here a jail would be perfect because it can be seperated from the base OS, so your 2FA pam additions wouldn't go in an upgrade. Further, you could also control its network access.
Without jail support I have to setup another machine for this purpose. It will probably be a RPI, but stability on those microsd cards is bad, and, well, it's just another device to maintain. Running it in a jail on the netgate device would have been a much more elegant solution
-
@tlt3cms said in No jail support in 2.4:
I'm not saying you should run alot of services on your firewall, but simple ones would be quite ideal.
No, even simple ones are a really stupid idea. Keep your firewall a firewall.
It will probably be a RPI, but stability on those microsd cards is bad, and, well, it's just another device to maintain.
Then boot from USB: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md
-
I disagree. You even see alot of suggestions on running pfsense on a hypervisor. This is not that different from that.
Boot from USB is a good suggestion. But still, another device.
-
@tlt3cms said in No jail support in 2.4:
I disagree. You even see alot of suggestions on running pfsense on a hypervisor. This is not that different from that.
There is a major difference between running pfSense as an isolated VM client and it being the host for something. If you don't understand that you seriously need to brush up your knowledge.
-
I was thinking about security in an isolation sense.
As in, what would i trust more. The isolation between a hypervisor and it's VM's, and the FreeBSD kernel and it's jails. In this regard I would trust jail security enough to run a service.
-
You can look at Bhyve, however as pointed out you want your Firewall to have a minimal threat surface area.
I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA
Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.
-
@chrismacmahon said in No jail support in 2.4:
Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.
I would rather trust the security of OpenSSH than OpenVPN.
-
With a hypervisor, if someone breaks a VM, then just the VM is broken. Others are properly isolated.
With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.
Do not use your firewall to host jails/VMs. Using the firewall under a separate hypervisor is fine, but the firewall itself should not be the VM/jail host.
If you must run a service on the firewall, against all recommendations, then look into bhyve.
-
@jimp said in No jail support in 2.4:
With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.
The same can be said about the hypervisor and vm
-
@tlt3cms said in No jail support in 2.4:
The same can be said about the hypervisor and vm
True, but hypervisor break-outs are rare, jail break-outs are not.
-
Really? By my understanding jail security is pretty good and escapes are pretty rare.
-
@tlt3cms said in No jail support in 2.4:
Really? By my understanding jail security is pretty good and escapes are pretty rare.
There are several historical examples around from years past. Better these days, but the docs still carry a significant warning: https://www.freebsd.org/doc/handbook/jails.html (bottom of the page, giant red warning box)
I am not willing to take that chance with the firewall being the host.
-
The warning pertains mostly to to access from the host to the jail. Not really relevant here.
-
@tlt3cms said in No jail support in 2.4:
The warning pertains mostly to to access from the host to the jail. Not really relevant here.
Then you didn't understand the warning.
-
Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.
-
@jimp said in No jail support in 2.4:
@tlt3cms said in No jail support in 2.4:
The warning pertains mostly to to access from the host to the jail. Not really relevant here.
Then you didn't understand the warning.
I'm not following you here? It says:
"Jails are a powerful tool, but they are not a security panacea." Very few things would be a security panacea, so this warning is a general one.
The rest of the warning pertains to host-to-jail security.
@kom said in No jail support in 2.4:
Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.
Whats up with the hostility? I'm not asking for jail support here, the conversation went on to why it's not supported, while running pfsense on a hypervisor is and even suggested. If you aren't interested in that subject then feel free to ignore this thread.
