The problem
As I start to move VPNs (eg. Tinc, WireGuard) into jails, I try to contain all necessary configuration within the jail. I've been stumped getting firewalls like PF and IPFW working in jails. To work about this I would configure the firewall on the host instead.
Opportunity
If I read right, that has been tricky until FreeBSD v12 where VIMAGE comes bundled in the default kernel build. Exact documentation on how to enable firewalls in a jail has been vague. Fortunately I was able to find help in the freenode irc #freebsd channel from a friendly chap who goes by the alias arthur.
Solution: devfs rules
Quoting @ale on freebsd.org: ...on Unix systems a device (hd, soundcard, etc.) is seen as a special file and you can find them in /dev. This is for example to have a uniform way to do I/O operations. devfs manages that filesystem for you, dynamically creating the files and assigning permissions.
Assumptions
- Details only known to work with iocage for jail management, and PF for firewall.
Steps
- Add a new devfs rule in /etc/defaults/devfs.rules:
[devfsrules_jail_vnet=5]
add include $devfsrules_jail
add path pf unhide
- Restart devfs service. This registers the new rule.
service devfs restart
- Set jail to use the new rule.
iocage set devfs_ruleset=5 [jail name]
- Start/ restart jail.
iocage start [jail name]
# or
iocage restart [jail name]
- Configure PF as necessary in jail (details not covered here).