Jail on pfsense 2.0

  • Does anybody use or plan to use jail on pfsense?

    It't very usefull to run/compile freebsd packages without reducing pfsense security.

    I've tried jailctl package but it seem to be broken on 2.0 (i386 and amd64).

    Ezjail works fine to me in 2.0, I could replace jailctrl package to ezjail, but first i need to know if it is used by anybody.

  • Rebel Alliance Developer Netgate

    I prefer to keep things in separate VMs on the firewall if things must be combined, but jails are good. (There are ways to break out of jails though, search even this forum for some lengthy debates on security)

    When I use jails myself on other FreeBSD hosts I prefer to use ezjail.

  • I have just upgraded two 1.2.3 boxes to 2.0, with jails. and those are working correctly.

    But you are correct. the Jail package has not been updated for 2.0 yet. It's still trying to fetch
    7.0-Release, which has been moved to ftp-archive on the FreeBSD servers… So it's unfetchable.

    I have some patches to use a newer sysinstall, use FreeBSD 8.1-Release, however I am still stuck
    with a new documentation prompt in sysinstall, which causes the automatic load to fail.  Unfortunately
    the sysinstall people don't like documentation much (which I believe they themselves made claim to)
    and I haven't had a chance to try and dig through the source code to see how to disable this prompt.

    Put that all aside, I have a few friends happily running on 2.0-Beta + which I helped them hack up the
    jail package on, and other then needing to manually run the script/accept the documentation prompt,
    it's working well for them. One noticed that using the nullfs/unionfs image on a high load system caused
    hard locks though.

    Hopefully now that I have a few pfsense boxes that I manage running 2.0-Release, I'll be more likely to
    figure out the remaining issues and submit patches.

  • thanks for you reply.

    ezjail is working much better then pfjctrl.

    If you are doing patches, means that you know what you are doing.

    backup your vm's, uninstall pfjctrl and install ezjail.

    ezjail-admin will help you creating new virtual machines with freebsd 8.1.

    follow ezjail build steps on a freebsd 8.1-p4 and you will have same version on pfsense and jails.

    As pfsense2 has been release there is no problem on migrating pfjctrl to ezail.

    I'll try to start it soon.

Log in to reply