FreeBSD Jail Deployment Notes


FreeBSD Handbook: Chapter 15. Jails

FreeBSD jails with a single public IP address

Install ezjail:

pkg install ezjail

Jail Template Installation:

We’re gonna setup a base template for our jail to use.

ezjail-admin install

Enable ezjail on boot:

sysrc ezjail_enable="YES"

Let’s start the ezjail service:

service ezjail start

Create an interface for jails to use:

sysrc cloned_interfaces="lo1"
sysrc ipv4_addrs_lo1=""

Bring the interface up:

service netif cloneup

Create a New Jail:

I’m going to be creating a Jail just for security functions, so I’ll be referring to it as security.

ezjail-admin create security

Configure pf to allow traffic for the jail:

Add the following to /etc/pf.conf:


To allow outbound network connections from the jails:

nat on $ext_if from $jail_if:network to any -> ($ext_if)

If you need to port forward an external port to a service running in the jail add the following to /etc/pf.conf:

rdr on $ext_if proto tcp from any to $ext_if port $tcp_port -> $jail_security_ipv4

Apply your changes to pf:

service pf restart

Setup /etc/resolv.conf:

cp /etc/resolv.conf /usr/jails/security/etc/resolv.conf

Start the jail:

ezjail-admin start security

Access the Jail:

Run the following command to get a shell in the jail:

ezjail-admin console security
Written on February 26, 2021