Migrated JAILs from TrueNAS 11.3 to JAILs over FreeBSD 13 with VNET and now IPFW inside the JAIL does not work: kldload ipfw - not permitted

In a jail under TrueNAS 11 there was a mail server that could block IPs with IPFW rules. Now I have moved the JAIL to FreeBSD 13.1 and find that the same JAIL with the same settings does not allow loading IPFW inside the jail.
Code:
kldload ipfw
kldload: can't load ipfw: Operation not permitted
For JAIL management I use iocage
Code:
"allow_raw_sockets": 1,
"vnet": 1,
"dhcp": 1,
"bpf": 1
How do I now block bad users found by analyzing the mail log with Fail2BAN?
Do it outside of the JAIL?
Or can I allow running IPFW inside the jail?
 
/etc/devfs.rules

[vnet_pf=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
add path pf unhide
add path pflog unhide
add path pfsync unhide

service devfs restart

iocage set devfs_ruleset=11 mail
 
A jail doesn't have its own kernel (which is kind of the point of it, otherwise it would be a virtual machine).

So, loading a kernel module would load it into the host's kernel. It kind of makes sense this is not allowed from inside the jail; it would be a huge security hole, since code running in the kernel can do everything on the machine.

With a VNET jail, the jail has its own network stack, so it probably would work fine to use ipfw inside the jail.
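As an added example (not code from this thread), here is a jail-side ipfw rule script that follows from the answer above: the module is loaded once on the host, and the VNET jail then runs its own ipfw instance with a table that fail2ban fills. It assumes an iocage VNET interface named vnet0 inside the jail, the script path /usr/local/etc/ipfw.jail.sh, and fail2ban's bsd-ipfw action configured with a table named fail2ban.

```sh
#!/bin/sh
# Added example, not from the thread. ipfw rule script for the mail jail.
# Host side (the jail cannot kldload): load the module on the host once,
# e.g. ipfw_load="YES" in /boot/loader.conf. A freshly loaded ipfw defaults
# to deny-all, so on a host without its own rules also set the loader tunable
# net.inet.ip.fw.default_to_accept=1, or you lock the host out of the network.
# Each VNET jail then gets its own ipfw instance; inside the jail set in
# /etc/rc.conf (assumed path for this script):
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.jail.sh"
# fail2ban (assumed: banaction = bsd-ipfw, table = fail2ban in jail.local)
# only adds/deletes table entries, so the rule set never has to be reloaded.

fwcmd="${IPFW_CMD:-/sbin/ipfw}"   # override with IPFW_CMD=echo for a dry run
mail_if="${MAIL_IF:-vnet0}"       # assumed: iocage names the jail side vnet0
ban_table="${BAN_TABLE:-fail2ban}"

apply_rules() {
    $fwcmd -q -f flush
    # Named address table that fail2ban maintains; the rules below reference it.
    $fwcmd -q table "$ban_table" create type addr 2>/dev/null
    $fwcmd -q add 100 allow ip from any to any via lo0
    # Banned sources are dropped (and logged) before any stateful matching.
    $fwcmd -q add 200 deny log ip from "table($ban_table)" to any in via "$mail_if"
    $fwcmd -q add 300 check-state
    # Outbound from the jail (DNS, outgoing SMTP) with state.
    $fwcmd -q add 400 allow tcp from me to any out via "$mail_if" setup keep-state
    $fwcmd -q add 410 allow udp from me to any out via "$mail_if" keep-state
    # Inbound mail services: SMTP, submission, IMAPS.
    for p in 25 587 993; do
        $fwcmd -q add 500 allow tcp from any to me "$p" in via "$mail_if" setup keep-state
    done
    $fwcmd -q add 65000 deny log ip from any to any
}

# What fail2ban's actionban/actionunban boil down to; usable by hand as well.
ban_ip()   { $fwcmd -q table "$ban_table" add "$1"; }
unban_ip() { $fwcmd -q table "$ban_table" delete "$1"; }

# When run as firewall_script, apply the rules; if ipfw is missing, the host
# has not loaded the module, which is the situation the thread ran into.
if command -v "$fwcmd" >/dev/null 2>&1; then
    apply_rules
else
    echo "ipfw not available in this jail: load the module on the host" >&2
fi
```

With IPFW_CMD=echo the script prints the rule set instead of installing it, which is a convenient way to review it before enabling the firewall in the jail.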