Netgate Discussion Forum
    No jail support in 2.4

    General pfSense Questions
    26 Posts 6 Posters 3.5k Views
    • chrismacmahon

      You can look at Bhyve, however as pointed out you want your Firewall to have a minimal threat surface area.

      I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA

      Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.

      Need help fast? Our support is available 24/7 https://www.netgate.com/support/

      Do Not PM For Help!

      • tlt3cms @chrismacmahon

        @chrismacmahon said in No jail support in 2.4:

        Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.

        I would rather trust the security of OpenSSH than OpenVPN.

        • jimp Rebel Alliance Developer Netgate

          With a hypervisor, if someone breaks a VM, then just the VM is broken. Others are properly isolated.

          With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

          Do not use your firewall to host jails/VMs. Using the firewall under a separate hypervisor is fine, but the firewall itself should not be the VM/jail host.

          If you must run a service on the firewall, against all recommendations, then look into bhyve.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • tlt3cms @jimp

            @jimp said in No jail support in 2.4:

            With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

            The same can be said about the hypervisor and vm

            • jimp Rebel Alliance Developer Netgate @tlt3cms

              @tlt3cms said in No jail support in 2.4:

              The same can be said about the hypervisor and vm

              True, but hypervisor break-outs are rare, jail break-outs are not.

              • tlt3cms

                Really? By my understanding jail security is pretty good and escapes are pretty rare.

                • jimp Rebel Alliance Developer Netgate @tlt3cms

                  @tlt3cms said in No jail support in 2.4:

                  Really? By my understanding jail security is pretty good and escapes are pretty rare.

                  There are several historical examples around from years past. Better these days, but the docs still carry a significant warning: https://www.freebsd.org/doc/handbook/jails.html (bottom of the page, giant red warning box)

                  I am not willing to take that chance with the firewall being the host.

                  • tlt3cms

                    The warning pertains mostly to access from the host to the jail. Not really relevant here.

                    • jimp Rebel Alliance Developer Netgate @tlt3cms

                      @tlt3cms said in No jail support in 2.4:

                      The warning pertains mostly to access from the host to the jail. Not really relevant here.

                      Then you didn't understand the warning.

                      • KOM

                        Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.

                        • tlt3cms @KOM

                          @jimp said in No jail support in 2.4:

                          @tlt3cms said in No jail support in 2.4:

                          The warning pertains mostly to access from the host to the jail. Not really relevant here.

                          Then you didn't understand the warning.

                          I'm not following you here? It says:

                          "Jails are a powerful tool, but they are not a security panacea." Very few things would be a security panacea, so this warning is a general one.

                          The rest of the warning pertains to host-to-jail security.

                          @kom said in No jail support in 2.4:

                          Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.

                          What's up with the hostility? I'm not asking for jail support here; the conversation went on to why it's not supported, while running pfSense on a hypervisor is, and is even suggested. If you aren't interested in that subject then feel free to ignore this thread.

                          • jimp Rebel Alliance Developer Netgate @tlt3cms

                            @tlt3cms said in No jail support in 2.4:

                            The rest of the warning pertains to host-to-jail security.

                            No, it is not. It's warning about one potential and known method of breaking out of jails by coordination between an unprivileged host user and a user in the jail. Basically, there is already at least some notion of weakness already known. And that's just one possibility.

                            @tlt3cms said in No jail support in 2.4:

                            the conversation went on to why it's not supported, while running pfsense on a hypervisor is and even suggested

                            Jails do not offer anywhere close to the same level of isolation as a type 1 hypervisor. In some cases jails can be "good enough" but in those cases you'd have FreeBSD itself as a base OS, not a firewall. pfSense can't run in a jail or we'd probably also be OK with using a FreeBSD host with pfSense in a jail plus other services in other jails since they'd all have the same level of isolation from one another.

                            It still boils down to: Let the firewall be a firewall. Stop trying to make it into something else. With virtualization, the firewall is still only being a firewall, not a host to other unrelated services.

                            • tlt3cms @jimp

                              @jimp said in No jail support in 2.4:

                              No, it is not. It's warning about one potential and known method of breaking out of jails by coordination between an unprivileged host user and a user in the jail. Basically, there is already at least some notion of weakness already known. And that's just one possibility.

                              My guess is that they are referring to SHM, which is disabled by default, or networking, which could be fixed with VIMAGE.
                              Do you know of other ones?

                              @jimp said in No jail support in 2.4:

                              It still boils down to: Let the firewall be a firewall. Stop trying to make it into something else. With virtualization, the firewall is still only being a firewall, not a host to other unrelated services.

                              In my case the router is not an important one. It's a simple office router that I want to be able to SSH into, and if OpenSSH was hacked, and after that the jail was escaped, it still wouldn't be a big issue. Yeah, the router is owned then, but it could be reset and the network it protects isn't critical.

                              • jimp Rebel Alliance Developer Netgate

                                @tlt3cms said in No jail support in 2.4:

                                My guess is that they are referring to SHM, which is disabled by default, or networking, which could be fixed with VIMAGE.
                                Do you know of other ones?

                                I don't know the specifics, but if you google around there are several examples of how it's been done in the past. With filesystem shenanigans or other fun methods. Some are admin/setup deficiencies, but others can be done with user coordination. The details are out there.

                                @tlt3cms said in No jail support in 2.4:

                                In my case the router is not an important one. It's a simple office router that I want to be able to SSH into, and if OpenSSH was hacked, and after that the jail was escaped, it still wouldn't be a big issue. Yeah, the router is owned then, but it could be reset and the network it protects isn't critical.

                                While that may be true for you specifically, it would be a horrible attitude for a firewall distribution to have.

                                • tlt3cms @jimp

                                  @jimp said in No jail support in 2.4:

                                  While that may be true for you specifically, it would be a horrible attitude for a firewall distribution to have.

                                  I do see your point

                                  • tlt3cms

                                    I dug around some old mailing lists. The warning pertains to cases where a person has a normal account on the host and root access in a jail. He can then suid a binary, e.g. vi, and use that suid executable on the host.
                                    If you were to have this edge case, the problem is easy to fix: just chmod 0700 your jail dir on the host.
                                    SHM was also mentioned, but as I stated, it's disabled by default.

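A host-side check for the mitigation described in the post above, written as an added example (it is not code from the thread, from pfSense or from FreeBSD): a POSIX sh audit that flags jail roots reachable by non-owner host users and lists any setuid/setgid files inside them. The jail root paths are assumptions passed as arguments; the temp directory in the comments is a constructed stand-in for a real jail.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/FreeBSD.
# Host-side audit of a FreeBSD jail root, following the mitigation in the
# post above: the jail directory should be mode 0700 on the host so an
# ordinary host user cannot reach binaries that a jail root made setuid.
# Jail root paths are assumptions supplied as arguments.

# Group+other permission characters of a path, e.g. "------" for 0700
# (parses ls -ld, which is portable across FreeBSD and Linux).
jail_root_mode() {
    ls -ld "$1" | cut -c5-10
}

# Succeed only if nobody but the owner has any access to the jail root.
jail_root_is_private() {
    case "$(jail_root_mode "$1")" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Number of setuid/setgid regular files below the jail root.
count_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Audit one jail root; exit status 0 means clean, 1 means findings.
audit_jail_root() {
    root="$1"
    rc=0
    if ! jail_root_is_private "$root"; then
        echo "WARN: $root is reachable by non-owner host users (bits: $(jail_root_mode "$root"))"
        echo "      fix: chmod 0700 $root"
        rc=1
    fi
    n=$(count_suid_files "$root")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n setuid/setgid file(s) under $root:"
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $root"
    return "$rc"
}

# Usage: sh jail-audit.sh /usr/jails/www /usr/jails/db   (placeholder paths)
for root in "$@"; do
    audit_jail_root "$root"
done
```

Run it from the host as the jail directories' owner; a non-zero exit status from any argument means at least one jail root still needs `chmod 0700` or has setuid files worth reviewing.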