Added UPDATE 1 - Thoughts After Comments to the FreeBSD Jails Security article.
https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/
New FreeBSD Jails Security (versus Podman) article on the blog.
https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/
My main webserver is running FreeBSD and I've been running my services (nginx, postgresql, exim, etc.) in individual jails, each one with a ZFS dataset for its data.
So far I've been using traditional jails, but now I did successfully implement VNET jails, to give each jail its own IP address and make them communicate via a private network that I've been securing with the pf firewall. Very smooth experience.
Christmas project for this year: Updating my server and jails to FreeBSD 14.2
So it seems that if you enable ipfw(8) when running #VNET jails on a #FreeBSD server, the following ruleset will appear in all of the jails:
65535 deny ip from any to any
This means I have to set up ipfw(8) in my VNET jails as well, because all communication (except DHCP?) is blocked.
I have tried to find information online about this behavior of ipfw(8) and VNET jails, but have found nothing. Can someone shed some light on this?
I need some advice here. Getting a little dizzy from all the options in jailing systems around networks and access.
I use appjail now until I get the hang of it; not quite ready.
I can use a bridge with epairs / vnet / netgraph / a combination of some of them…
DHCP on these options partially works, but not with all combinations.
Bridges/epairs are working on a different server with BastilleBSD...
But now to the basic question (I know, it’s my lack of basic network skills here speaking):
It is easy to autocreate jails on a subnet interface with a new range (say 10.0.0.0) apart from the normal LAN (192.168.0.0). I can ping the jail on the host but not from the LAN (obvious).
What is the best option to make it work? And how? A practical example or link would help.
That was quick, I just followed this tutorial. I am able to run a Linux container.
https://community.veeam.com/kubernetes-korner-90/just-when-i-thought-i-would-relax-someone-messages-me-that-podman-runs-on-freebsd-7432
It runs with the #VNET bridge setup out of the box, fantastic!
There was a time when the #FreeBSD #Handbook did not include any information about #VNET #Jails ... that changed recently and now the #FreeBSD #Jails chapter in the #Handbook is more than useful.
Details about the changes in the link:
- https://cgit.freebsd.org/doc/commit/?id=612b7cc1721224c494c5b2600188e1508bb5611b
@stefano I set up my jails (without template) using the #VNet network method as I have IPv6 SLAAC at home and I wanted to use it. Because of this setup, I configured pf rules inside each jail (#unbound, #adguardhome and #wireguard). Now it works like a charm.
I also tested bastille update release to install patch level updates: this is so easy and simple. @fluxwatcher @BastilleBSD
#FreeBSD30 timeline - a few things that happened during these 30 #FreeBSD years:
#UNIX #BSD #MULTICS #1BSD #2BSD #42BSD #43BSD #386BSD #ipfw #FreeBSDCon #BSDCON #ports #jails #FreeBSDFoundation #kqueue #EuroBSDCon #CoreTeam #AsiaBSDCon #BSDCAN #pf #OpenBSD #ZFS #DTrace #VNET #Capsicum #Cheri #Poudriere #clang #llvm #subversion #OpenZFS #git