# Migrated JAILs from TrueNAS 11.3 to JAILs on FreeBSD 13 with VNET, and now IPFW inside the JAIL does not work: kldload ipfw - not permitted



## lexxai (Jul 22, 2022)

In a jail under TrueNAS 11, there was a mail server that could block IPs by IPFW rules. Now I have moved the JAIL to FreeBSD 13.1, and I find that the same JAIL with the same settings is not allowed to load IPFW inside the jail.

```
kldload ipfw
kldload: can't load ipfw: Operation not permitted
```
For JAIL management I use iocage:

```
"allow_raw_sockets": 1,
"vnet": 1,
"dhcp": 1,
"bpf": 1
```
How do I now block bad users found by analyzing the mail log with Fail2BAN?
Do it outside of the JAIL?
Or can I allow running IPFW inside the jail?


----------



## lexxai (Jul 25, 2022)

lexxai said:

> In a jail under TrueNAS 11, there was a mail server that could block IPs by IPFW rules. Now I have moved the JAIL to FreeBSD 13.1, and I find that the same JAIL with the same settings is not allowed to load IPFW inside the jail.
> 
> ```
> kldload ipfw
> ...


/etc/devfs.rules:

```
[vnet_pf=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
add path pf unhide
add path pflog unhide
add path pfsync unhide
```

```
service devfs restart

iocage set devfs_ruleset=11 mail
```


----------



## zirias@ (Jul 26, 2022)

A jail doesn't have its own kernel (which is kind of the point of it, otherwise it would be a virtual machine).

So, loading a kernel module would load it into the host's kernel. It kind of makes sense that this is not allowed from inside the jail; it would be a huge security hole, since code running in the kernel can do everything on the machine.

With a VNET jail, the jail has its own network stack, so it probably would work fine to _use_ ipfw inside the jail.


----------
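Putting the thread's two points together (ipfw.ko gets loaded on the host; the VNET jail then only uses ipfw), here is an added example, not code from any poster: a POSIX sh script that counts SASL authentication failures per source IP in a Postfix mail log, as a Fail2ban filter would, and emits the `ipfw table` commands to feed into the jail. The table name `badhosts`, the jail name `mail` and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): count SASL auth failures per IP
# in a Postfix mail log, as a Fail2ban filter would, and emit ipfw table
# entries to run inside the VNET jail. Assumed: table "badhosts", jail
# "mail"; ipfw.ko is loaded on the host (a jail cannot kldload it itself).

# Constructed sample log for the example (TEST-NET addresses, not real).
SAMPLE_LOG=$(cat <<'EOF'
Jul 22 10:00:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 22 10:00:02 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 22 10:00:05 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 22 10:00:06 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 22 10:00:07 mail postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jul 22 10:00:09 mail postfix/smtpd[1236]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 22 10:00:10 mail postfix/smtpd[1237]: connect from mx.example.net[192.0.2.50]
EOF
)

# Print source IPs with at least $2 SASL failures in log file $1, sorted.
ban_candidates() {
  awk -v min="$2" '
    /SASL (LOGIN|PLAIN) authentication failed/ &&
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
      n[substr($0, RSTART + 1, RLENGTH - 2)]++
    }
    END { for (ip in n) if (n[ip] >= min) print ip }
  ' "$1" | sort
}

# One-time setup inside the jail: an address table and a deny rule using it.
ipfw_bootstrap_cmds() {
  printf '%s\n' 'ipfw table badhosts create type addr' \
                'ipfw add 100 deny ip from table(badhosts) to me'
}

# Emit one "table add" per candidate; the deny rule above then drops them.
ipfw_ban_cmds() {
  ban_candidates "$1" "$2" | while read -r ip; do
    printf 'ipfw table badhosts add %s\n' "$ip"
  done
}

# Apply on a FreeBSD host:  ipfw_ban_cmds /var/log/maillog 3 | jexec mail /bin/sh
# Dry run anywhere (writes the sample log to a temp file first):
demo() {
  tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  ipfw_ban_cmds "$tmp" "${1:-2}"
  rm -f "$tmp"
}
```

Run `demo 2` to see the commands for the constructed log; on the real host, pipe `ipfw_ban_cmds` into `jexec mail /bin/sh` after `ipfw_bootstrap_cmds` has been applied once in the jail.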

