No jail support in 2.4



  • Hi

    Is there any reason why jail support haven't been compiled in the standard version of pfSense 2.4?

    I'm running pfSense on a Netgate SG-3100, so it's armv6, I haven't looked at the x86 builds.



  • Can you develop ?
    What jail support ?

    2.4 is very old. It's 2.4.4-p2 these days.



  • Hi

    I'm running the newest, 2.4.4-RELEASE-p2 and by jail support I mean, to support jails you need to enable it when you build FreeBSD. For instance, the jail and jls commands aren't there and the kernel probably isn't compiled with support either.





  • Thanks for the details.

    You are probably right : See what Google can tell you : pfsense jail support jls

    Btw : pfSense is a firewall. Jail support adds a massive load (size for one matter) on the kernel.

    edit : @Grimson also uses Google ... ☺



  • @Grimson Thanks for the link, confirms that it's probably never coming.

    @Gertjan Massive load, here I assume you mean disk and memory. My SG-3100 has 5.6G free disk space and 1259M free memory.
    A simple jail without any packages installed would take ~275mb of disk, and in my case, would only run 3 services, syslogd, sshd and cron.

    I'm not saying you should run alot of services on your firewall, but simple ones would be quite ideal. In my case, I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA. Here a jail would be perfect because it can be seperated from the base OS, so your 2FA pam additions wouldn't go in an upgrade. Further, you could also control its network access.

    Without jail support I have to setup another machine for this purpose. It will probably be a RPI, but stability on those microsd cards is bad, and, well, it's just another device to maintain. Running it in a jail on the netgate device would have been a much more elegant solution



  • @tlt3cms said in No jail support in 2.4:

    I'm not saying you should run alot of services on your firewall, but simple ones would be quite ideal.

    No, even simple ones are a really stupid idea. Keep your firewall a firewall.

    It will probably be a RPI, but stability on those microsd cards is bad, and, well, it's just another device to maintain.

    Then boot from USB: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md



  • I disagree. You even see alot of suggestions on running pfsense on a hypervisor. This is not that different from that.

    Boot from USB is a good suggestion. But still, another device.



  • @tlt3cms said in No jail support in 2.4:

    I disagree. You even see alot of suggestions on running pfsense on a hypervisor. This is not that different from that.

    There is a major difference between running pfSense as an isolated VM client and it being the host for something. If you don't understand that you seriously need to brush up your knowledge.



  • I was thinking about security in an isolation sense.

    As in, what would i trust more. The isolation between a hypervisor and it's VM's, and the FreeBSD kernel and it's jails. In this regard I would trust jail security enough to run a service.


  • Rebel Alliance Netgate Administrator

    You can look at Bhyve, however as pointed out you want your Firewall to have a minimal threat surface area.

    I would like to SSH into the router from the internet, which is a bad idea, so of course with some 2FA

    Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.



  • @chrismacmahon said in No jail support in 2.4:

    Sure, you can use a VPN for this; OpenVPN is 2 factor out of the box. You have your client certificate, with your username and password.

    I would rather trust the security of OpenSSH than OpenVPN.


  • Rebel Alliance Developer Netgate

    With a hypervisor, if someone breaks a VM, then just the VM is broken. Others are properly isolated.

    With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

    Do not use your firewall to host jails/VMs. Using the firewall under a separate hypervisor is fine, but the firewall itself should not be the VM/jail host.

    If you must run a service on the firewall, against all recommendations, then look into bhyve.



  • @jimp said in No jail support in 2.4:

    With a jail on the firewall, if someone breaks out of the jail, then your entire firewall and everything on it and behind it are compromised.

    The same can be said about the hypervisor and vm


  • Rebel Alliance Developer Netgate

    @tlt3cms said in No jail support in 2.4:

    The same can be said about the hypervisor and vm

    True, but hypervisor break-outs are rare, jail break-outs are not.



  • Really? By my understanding jail security is pretty good and escapes are pretty rare.


  • Rebel Alliance Developer Netgate

    @tlt3cms said in No jail support in 2.4:

    Really? By my understanding jail security is pretty good and escapes are pretty rare.

    There are several historical examples around from years past. Better these days, but the docs still carry a significant warning: https://www.freebsd.org/doc/handbook/jails.html (bottom of the page, giant red warning box)

    I am not willing to take that chance with the firewall being the host.



  • The warning pertains mostly to to access from the host to the jail. Not really relevant here.


  • Rebel Alliance Developer Netgate

    @tlt3cms said in No jail support in 2.4:

    The warning pertains mostly to to access from the host to the jail. Not really relevant here.

    Then you didn't understand the warning.



  • Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.



  • @jimp said in No jail support in 2.4:

    @tlt3cms said in No jail support in 2.4:

    The warning pertains mostly to to access from the host to the jail. Not really relevant here.

    Then you didn't understand the warning.

    I'm not following you here? It says:

    "Jails are a powerful tool, but they are not a security panacea." Very few things would be a security panacea, so this warning is a general one.

    The rest of the warning pertains to host-to-jail security.

    @kom said in No jail support in 2.4:

    Dude, just give it up already. You have been given the answer. You're not getting jails on pfSense.

    Whats up with the hostility? I'm not asking for jail support here, the conversation went on to why it's not supported, while running pfsense on a hypervisor is and even suggested. If you aren't interested in that subject then feel free to ignore this thread.


  • Rebel Alliance Developer Netgate

    @tlt3cms said in No jail support in 2.4:

    The rest of the warning pertains to host-to-jail security.

    No, it is not. It's warning about one potential and known method of breaking out of jails by coordination between an unprivileged host user and a user in the jail. Basically, there is already at least some notion of weakness already known. And that's just one possibility.

    @tlt3cms said in No jail support in 2.4:

    the conversation went on to why it's not supported, while running pfsense on a hypervisor is and even suggested

    Jails do not offer anywhere close to the same level of isolation as a type 1 hypervisor. In some cases jails can be "good enough" but in those cases you'd have FreeBSD itself as a base OS, not a firewall. pfSense can't run in a jail or we'd probably also be OK with using a FreeBSD host with pfSense in a jail plus other services in other jails since they'd all have the same level of isolation from one another.

    It still boils down to: Let the firewall be a firewall. Stop trying to make it into something else. With virtualization, the firewall it still only being a firewall, not a host to other unrelated services.



  • @jimp said in No jail support in 2.4:

    No, it is not. It's warning about one potential and known method of breaking out of jails by coordination between an unprivileged host user and a user in the jail. Basically, there is already at least some notion of weakness already known. And that's just one possibility.

    My guess is that they are referring to SHM, which is disabled by default, or networking, which could be fixed with VIMAGE.
    Do you know of other ones?

    @jimp said in No jail support in 2.4:

    It still boils down to: Let the firewall be a firewall. Stop trying to make it into something else. With virtualization, the firewall it still only being a firewall, not a host to other unrelated services.

    In my case the router is not an important one. It's a simple office router that I want to be able to SSH into and if openssh was hacked, and after that the jail was escaped, it still wouldn't be a big issue. Yeah the router owned then, but it could be reset and the network it protects isn't critical.


  • Rebel Alliance Developer Netgate

    @tlt3cms said in No jail support in 2.4:

    My guess is that they are referring to SHM, which is disabled by default, or networking, which could be fixed with VIMAGE.
    Do you know of other ones?

    I don't know the specifics, but if you google around there are several examples of how it's been done in the past. With filesystem shenanigans or other fun methods. Some are admin/setup deficiencies, but others can be done with user coordination. The details are out there.

    @tlt3cms said in No jail support in 2.4:

    In my case the router is not an important one. It's a simple office router that I want to be able to SSH into and if openssh was hacked, and after that the jail was escaped, it still wouldn't be a big issue. Yeah the router owned then, but it could be reset and the network it protects isn't critical.

    While that may be true for you specifically, it would be a horrible attitude for a firewall distribution to have.



  • @jimp said in No jail support in 2.4:

    While that may be true for you specifically, it would be a horrible attitude for a firewall distribution to have.

    I do see your point



  • I dug around some old mailing lists. The warning pertains to cases where a person has a normal account on the host, and root access in a jail. He can then suid a binary, eg. vi, and use that suid executable on the host.
    If you where to have this edge case, the problem is easy to fix, just chmod 0700 your jail dir on the host.
    SHM was also mentionen but as I stated, it's disabled by default.