Netgate Discussion Forum
    No jail support in 2.4

    General pfSense Questions
    26 Posts 6 Posters 3.5k Views
    • Gertjan

      Can you elaborate?
      What jail support?

      2.4 is very old. It's 2.4.4-p2 these days.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • tlt3cms

        Hi

        I'm running the newest, 2.4.4-RELEASE-p2, and by jail support I mean: to support jails you need to enable it when you build FreeBSD. For instance, the jail and jls commands aren't there, and the kernel probably isn't compiled with support either.

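A quick way to check what the post above describes, from the pfSense shell (console option 8, or over SSH), as an added example that is not part of the thread: the script looks for the jail(8) and jls(8) binaries and for the security.jail.jailed sysctl, which is present on any FreeBSD kernel that includes jail(2). The function names are this example's own. It only reports what is present on the box; the rest of the thread is about why it should stay that way.

```shell
#!/bin/sh
# Added example (not from the thread): probe a FreeBSD-derived system such as
# pfSense for jail support, separating the userland tools from the kernel side.

# classify_jail_support HAVE_JLS HAVE_JAIL HAVE_KERNEL
# Each argument is 1 or 0. Prints one of: full, kernel-only, userland-only, none.
# Kept separate from the probing so the decision logic can be checked on its own.
classify_jail_support() {
    have_jls=$1
    have_jail=$2
    have_kernel=$3
    # Both management binaries are needed to actually create and inspect jails.
    if [ "$have_jls" = 1 ] && [ "$have_jail" = 1 ]; then
        have_userland=1
    else
        have_userland=0
    fi
    if [ "$have_userland" = 1 ] && [ "$have_kernel" = 1 ]; then
        echo full
    elif [ "$have_kernel" = 1 ]; then
        echo kernel-only
    elif [ "$have_userland" = 1 ]; then
        echo userland-only
    else
        echo none
    fi
}

# probe_jail_support: gather the three facts from the running system and classify.
probe_jail_support() {
    have_jls=0
    have_jail=0
    have_kernel=0
    command -v jls  >/dev/null 2>&1 && have_jls=1
    command -v jail >/dev/null 2>&1 && have_jail=1
    # security.jail.jailed is 0 on a host and 1 inside a jail; the sysctl
    # existing at all means the kernel carries jail(2). Missing sysctl(8)
    # or a missing key both leave have_kernel at 0.
    sysctl -n security.jail.jailed >/dev/null 2>&1 && have_kernel=1
    classify_jail_support "$have_jls" "$have_jail" "$have_kernel"
}

probe_jail_support
```

On a stock pfSense 2.4.4 install the expected answer is "kernel-only": the FreeBSD kernel underneath still carries jail(2), but the jail/jls userland was dropped from the build, so nothing on the box can create one without bringing in a matching FreeBSD userland, which the thread's Netgate participants advise against.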
        • Grimson

          https://old.reddit.com/r/PFSENSE/comments/a9mws2/psa_24x_removes_jail_support/ecl2uku/

          • Gertjan

            Thanks for the details.

            You are probably right: see what Google can tell you: pfsense jail support jls

            Btw: pfSense is a firewall. Jail support adds a massive load (size, for one matter) on the kernel.

            edit: @Grimson also uses Google ... ☺

            • tlt3cms

              @Grimson Thanks for the link, confirms that it's probably never coming.

              @Gertjan Massive load, here I assume you mean disk and memory. My SG-3100 has 5.6G free disk space and 1259M free memory.
              A simple jail without any packages installed would take ~275 MB of disk, and in my case would only run 3 services: syslogd, sshd and cron.

              I'm not saying you should run a lot of services on your firewall, but simple ones would be quite ideal. In my case, I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA. Here a jail would be perfect because it can be separated from the base OS, so your 2FA PAM additions wouldn't be lost in an upgrade. Further, you could also control its network access.

              Without jail support I have to set up another machine for this purpose. It will probably be an RPi, but stability on those microSD cards is bad, and, well, it's just another device to maintain. Running it in a jail on the Netgate device would have been a much more elegant solution.

              • Grimson @tlt3cms

                @tlt3cms said in No jail support in 2.4:

                I'm not saying you should run a lot of services on your firewall, but simple ones would be quite ideal.

                No, even simple ones are a really stupid idea. Keep your firewall a firewall.

                It will probably be a RPI, but stability on those microsd cards is bad, and, well, it's just another device to maintain.

                Then boot from USB: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md

                • tlt3cms

                  I disagree. You even see a lot of suggestions on running pfSense on a hypervisor. This is not that different from that.

                  Boot from USB is a good suggestion. But still, another device.

                  • Grimson @tlt3cms

                    @tlt3cms said in No jail support in 2.4:

                    I disagree. You even see a lot of suggestions on running pfSense on a hypervisor. This is not that different from that.

                    There is a major difference between running pfSense as an isolated VM client and it being the host for something. If you don't understand that you seriously need to brush up your knowledge.

                    • tlt3cms

                      I was thinking about security in an isolation sense.

                      As in, what would I trust more: the isolation between a hypervisor and its VMs, or between the FreeBSD kernel and its jails. In this regard I would trust jail security enough to run a service.

                      • chrismacmahon

                        You can look at bhyve; however, as pointed out, you want your firewall to have a minimal threat surface area.

                        I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA

                        Sure, you can use a VPN for this; OpenVPN is two-factor out of the box. You have your client certificate, plus your username and password.

                        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                        Do Not PM For Help!

                        • tlt3cms @chrismacmahon

                          @chrismacmahon said in No jail support in 2.4:

                          Sure, you can use a VPN for this; OpenVPN is two-factor out of the box. You have your client certificate, plus your username and password.

                          I would rather trust the security of OpenSSH than OpenVPN.

                          • jimp (Rebel Alliance Developer, Netgate)

                            With a hypervisor, if someone breaks a VM, then just the VM is broken. Others are properly isolated.

                            With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

                            Do not use your firewall to host jails/VMs. Using the firewall under a separate hypervisor is fine, but the firewall itself should not be the VM/jail host.

                            If you must run a service on the firewall, against all recommendations, then look into bhyve.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            • tlt3cms @jimp

                              @jimp said in No jail support in 2.4:

                              With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

                              The same can be said about the hypervisor and vm

                              • jimp (Rebel Alliance Developer, Netgate) @tlt3cms

                                @tlt3cms said in No jail support in 2.4:

                                The same can be said about the hypervisor and vm

                                True, but hypervisor break-outs are rare, jail break-outs are not.

                                • tlt3cms

                                  Really? By my understanding jail security is pretty good and escapes are pretty rare.

                                  • jimp (Rebel Alliance Developer, Netgate) @tlt3cms

                                    @tlt3cms said in No jail support in 2.4:

                                    Really? By my understanding jail security is pretty good and escapes are pretty rare.

                                    There are several historical examples around from years past. Better these days, but the docs still carry a significant warning: https://www.freebsd.org/doc/handbook/jails.html (bottom of the page, giant red warning box)

                                    I am not willing to take that chance with the firewall being the host.

                                    • tlt3cms

                                      The warning pertains mostly to access from the host to the jail. Not really relevant here.

                                      • jimp (Rebel Alliance Developer, Netgate) @tlt3cms

                                        @tlt3cms said in No jail support in 2.4:

                                        The warning pertains mostly to access from the host to the jail. Not really relevant here.

                                        Then you didn't understand the warning.

                                        • KOM

                                          Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.

                                          • tlt3cms @KOM

                                            @jimp said in No jail support in 2.4:

                                            @tlt3cms said in No jail support in 2.4:

                                            The warning pertains mostly to access from the host to the jail. Not really relevant here.

                                            Then you didn't understand the warning.

                                            I'm not following you here? It says:

                                            "Jails are a powerful tool, but they are not a security panacea." Very few things would be a security panacea, so this warning is a general one.

                                            The rest of the warning pertains to host-to-jail security.

                                            @kom said in No jail support in 2.4:

                                            Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.

                                            What's up with the hostility? I'm not asking for jail support here; the conversation went on to why it's not supported, while running pfSense on a hypervisor is supported and even suggested. If you aren't interested in that subject then feel free to ignore this thread.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.