FreeBSD Jail Allow Ping / traceroute Commands

I'm not able to ping from a FreeBSD prison (jail). I'm able to resolve names and use ftp / http ports, but ping and traceroute do not work. How do I allow a virtualized jail's applications / users to run the traceroute and ping commands?

By default, FreeBSD does not allow jail (prison) users or applications to create raw sockets. This is a security feature: with raw sockets, perl / python scripts or tools such as nc can craft arbitrary packets and launch attacks. However, this aspect of the jail environment can be changed from the host environment using the sysctl command.

The security.jail.allow_raw_sockets MIB entry determines whether or not the prison root user is allowed to create raw sockets. Setting this MIB to 1 allows utilities like ping and traceroute to operate inside the prison. Type the following command on the host:
# sysctl security.jail.allow_raw_sockets=1
Now log in to the jail using jexec:
host # jexec 1 csh
jail# ping cyberciti.biz

To make the setting persistent across reboots, add the following line to /etc/sysctl.conf:
# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf

A note about the MIB

This configuration is optional. The above MIB variable affects all jails on the system; in other words, every jail will be able to use the ping and traceroute commands. You can allow or deny access for particular jails using a host firewall such as PF. Here is a sample PF configuration:

# interfaces
int_if="em0"
ext_if="em1"

# ICMP types
icmp_types = "{ echoreq, unreach }"

# Jail IPs allowed to run traceroute
troute_outbound_ips = "{ 10.24.55.101, 10.24.55.103, 10.24.55.111 }"

# Jail IPs allowed to run ping
ping_outbound_ips = "{ 10.24.55.103, 10.24.55.111 }"

# Some defaults (pf requires options before filter rules)
set block-policy return
set loginterface $ext_if
# skip filtering on loopback and the internal interface
set skip on { lo0, $int_if }
scrub in all

# Drop ALL - block incoming and everything else by default
block log all
block in quick from urpf-failed
antispoof log for $ext_if

## your other rules START ###
## add your other pf rules to open ports and other stuff
# ...

# ...
## your other rules END ###

### Allow ping and traceroute from selected jails ###
pass out on $ext_if inet proto udp from $troute_outbound_ips to any port 33433 >
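The MIB above is host-wide, but jail(8) also offers a per-jail allow.raw_sockets parameter. The following POSIX sh script is an added example, not code from the original tutorial: it audits jls(8) output to find which jails actually have raw sockets enabled, flags a host-wide default that is broader than the jails need, and emits a jail.conf(5) fragment granting the parameter only to those jails. The embedded jls output is constructed sample data and the jail names are assumptions.

```shell
#!/bin/sh
# Added example (not the original article's code): audit raw-socket access per
# jail so that the host-wide security.jail.allow_raw_sockets=1 setting can be
# replaced by per-jail allow.raw_sockets grants (see jail(8), jail.conf(5)).
#
# Input format is the output of:  jls -h jid name allow.raw_sockets
# i.e. one header line, then "<jid> <name> <0|1>" per jail.

# Constructed sample output; jail names are assumptions for the demo.
SAMPLE_JLS='JID name allow.raw_sockets
1 www 0
2 mon 1
3 dns 0'

# Print the names of jails whose allow.raw_sockets parameter is 1.
raw_socket_jails() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $3 == 1 { print $2 }'
}

# $1: host default (sysctl -n security.jail.allow_raw_sockets), $2: jls output.
# Echo "wide" when the host default grants raw sockets to every jail even
# though some listed jails run without them, "ok" otherwise.
host_default_check() {
    _total=$(printf '%s\n' "$2" | awk '$1 ~ /^[0-9]+$/' | wc -l | tr -d ' ')
    _raw=$(raw_socket_jails "$2" | wc -l | tr -d ' ')
    if [ "$1" = 1 ] && [ "$_raw" -lt "$_total" ]; then
        echo wide
    else
        echo ok
    fi
}

# Emit jail.conf(5) blocks that grant raw sockets only to the jails found above.
jail_conf_fragment() {
    raw_socket_jails "$1" | while read -r _name; do
        printf '%s {\n\tallow.raw_sockets = 1;\n}\n' "$_name"
    done
}

# Demo run on the constructed sample; on a FreeBSD host use:
#   host_default_check "$(sysctl -n security.jail.allow_raw_sockets)" \
#                      "$(jls -h jid name allow.raw_sockets)"
echo "jails with raw sockets: $(raw_socket_jails "$SAMPLE_JLS" | tr '\n' ' ')"
echo "host default 1 is: $(host_default_check 1 "$SAMPLE_JLS")"
jail_conf_fragment "$SAMPLE_JLS"
```

With the per-jail fragment in place, the host sysctl can stay at 0 and only the listed jails keep ping and traceroute.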
This entry is 2 of 6 in the FreeBSD Jail Operating System-level Virtualization Tutorial series. Keep reading the rest of the series:
  1. Setup FreeBSD Jail With ezjail
  2. FreeBSD Jail Allow Ping / traceroute Commands
  3. FreeBSD Jail Add Multiple IPv4 / IPv6 Address
  4. FreeBSD Jail Access Private Network Via NAT and PF
  5. How To Upgrade FreeBSD Jail ( OS Level Virtualization )
  6. FreeBSD Jail Allow Sound And Flash Access
1 comment
  • Xiatian Jul 16, 2017 @ 15:14

    You also can allow raw sockets on a per-jail basis by using the allow.raw_sockets parameter; see jail(8) and jail.conf(5).
