# Jails and Firewalls?



## klabacita (Aug 3, 2009)

Hi people.

  I want to try Jails, but I have some doubts about the firewall side.
  Suppose you have your machine running the firewall, and you set up a Jail to run bind.

  Once you build your jail and set up bind or your mailserver, do you have to set up the firewall inside each jail, or would you just use the main firewall to protect all your Jails?

  Or is it not necessary to be too paranoid?
  Or is it not an issue not to have a firewall inside each Jail?

  Thanks for your time


----------



## SirDice (Aug 3, 2009)

Jails cannot have a firewall (yet at least). So you would need to run the firewall on the host.


----------



## ctaranotte (Aug 3, 2009)

What would be the use of a jailed firewall?

In other words, what benefits do you anticipate over the firewall on the host?


----------



## anomie (Aug 3, 2009)

@ctaranotte: I'd imagine if you have different administrators working on jailed systems (but not the host), then per-jail firewalls would be a great boon.


----------



## klabacita (Aug 4, 2009)

The reason I ask is because, reading about jails, I didn't read anything about this small thing.

  This is why I ask you guys, to get a little more understanding about how this thing works.

  Now you have already answered my question. I appreciate it a lot, thanks again to all.


----------



## SirDice (Aug 4, 2009)

It's still pretty much a work in progress, but if you're interested in running a jail with its own firewall, have a look at the network stack virtualization project.

http://imunes.tel.fer.hr/virtnet/


----------



## ctaranotte (Aug 7, 2009)

anomie said:

> @ctaranotte: I'd imagine if you have different administrators working on jailed systems (but not the host), then per-jail firewalls would be a great boon.



That's fine as long as there is a specific virtual interface (other than lo) for the jails.


----------



## ctaranotte (Aug 7, 2009)

SirDice said:

> It's still pretty much a work in progress, but if you're interested in running a jail with its own firewall, have a look at the network stack virtualization project.
> 
> http://imunes.tel.fer.hr/virtnet/



Thanks for the link.


----------



## brd@ (Aug 9, 2009)

FreeBSD 8.0 will have the virtualized network stack and you should be able to have jails that even have different default gateways and firewalls!


----------



## reddy (Mar 19, 2019)

brd@ said:


> FreeBSD 8.0 will have the virtualized network stack and you should be able to have jails that even have different default gateways and firewalls!



As of today, is it possible to run a firewall within a jail?


----------



## abishai (Mar 19, 2019)

Yes. 11.2 needs some minor kernel patching though, but 12.0 is OK.


----------



## reddy (Mar 19, 2019)

No luck, I am running 11.2, but good to know, thanks!


----------



## abishai (Mar 19, 2019)

Well, I can try to find a patch. I believe I have it somewhere. I took it from 12.0.
And you need to recompile the kernel with the VIMAGE option. It will work without the patch, but not for very long.


----------

