After some days of troubleshooting FreeBSD networking and pf firewalling (and learning a lot in the process!), I finally made an article about FreeBSD VNet jails behind a dedicated firewall jail, that works with both IPv4 AND IPv6:

Internet <-> firewall-jail <-> application jail

I hope, someone might find that helpful. The detailed article is here in my Codeberg gists:

https://codeberg.org/Larvitz/gists/src/branch/main/2025/20250517-FreeBSDFirewallVnetJail.md

My next step is trying to get IPv6 address support into the marvelous tool jmore from @vermaden and sending him a pull-request for that :)

After a while of fiddling, I got dual-stack for FreeBSD (IPv4 and IPv6) VNet Jails working properly and reliably

The important lessons, I've learned:

/etc/sysctl.conf:
+net.link.bridge.inherit_mac=1

/boot/loader.conf:
+if_epair_load="YES"

/etc/rc.conf:
+create_args_bridge0="inet6 auto_linklocal -ifdisabled addm vtnet0"
+ifconfig_vtnet0="up -tso -vlanhwtso"
+rtsold_enable="YES"
+rtsold_flags="-i -m bridge0"

Then, configuring ifconfig_bridge0_ipv6 as well as ipv6_defaultrouter for the host to have IPv6 connectivity as well as the network-configuration in the jail via $jail/etc/rc.conf (The jail of course needs it's own IP on the same subnet as the host)

Screenshots of the fully working configuration with a connectivity test are attached :-)

Linux containers (OCI Containers) are ephemeral by design, except the volumes, you mount into them. In large scale environments, that can be useful (cattle vs pets argument). But that also introduces new challenges and makes it more complex to manage them.

For my personal environments, I like the approach of FreeBSD jails more. They are just a directory (or ZFS Dataset) with their own, persistent copy of the OS, easy to manage and the networking capabilities are flexible (bridged, vnet, they can be routed, firewalled, etc).

Jails are well aged, are around since FreeBSD 4 back in 2000, the non-ephemeral approach (and the absence of overlay file systems etc) makes them more feel like individual virtual servers than modern Linux containers but with extreme levels of flexibility.

Tools like jmore(8) (by @vermaden) and Bastille (Jails “Templates”) makes them even easier to manage.

A federal judge overseeing #NYC’s #jails took #RikersIsland out of the city’s control on Tues, ordering that an outside official be appointed to make major decisions regarding the troubled & violent #jail complex.

The judge, Laura Taylor Swain, said in a 77-page ruling that the official would report directly to her & would not be a city employee, turning aside Mayor #EricAdams’ efforts to maintain control of the lockups.

#law #PrisonReform
https://www.nytimes.com/2025/05/13/nyregion/rikers-island-receiver-nyc.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=p&pvid=DCD52F94-91CF-4B52-8FA4-9B150ACB6903

Added 𝗨𝗣𝗗𝗔𝗧𝗘 𝟭 - 𝗧𝗵𝗼𝘂𝗴𝗵𝘁𝘀 𝗔𝗳𝘁𝗲𝗿 𝗖𝗼𝗺𝗺𝗲𝗻𝘁𝘀 to the 𝗙𝗿𝗲𝗲𝗕𝗦𝗗 𝗝𝗮𝗶𝗹𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 article.

https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/

Added 𝗨𝗣𝗗𝗔𝗧𝗘 𝟭 - 𝗧𝗵𝗼𝘂𝗴𝗵𝘁𝘀 𝗔𝗳𝘁𝗲𝗿 𝗖𝗼𝗺𝗺𝗲𝗻𝘁𝘀 to the 𝗙𝗿𝗲𝗲𝗕𝗦𝗗 𝗝𝗮𝗶𝗹𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 article.

https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/

My phone very suddenly died 3 months ago. But my old one was still working and so far I'm using it, still waiting to find a good offer for a new phone. Well, now my banking app stopped working (too old), but I can't upgrade either (android too old) ... sucks.

I need a new phone ASAP, but I needed an even quicker solution to use this app.

Luckily, I already have a #FreeBSD server with #bhyve and some #guacamole installation using #jails. With that, I could install #BlissOS (and even access it from my company's notebook)

i could really do with a #network and/or #jails review on D49843 if anyone feels like doing that. i’m pretty sure i am in the right here, but i won't get mentor approval to commit unless someone supports it.

"Letter after letter showed me a refreshing disregard for that invisible tyranny of taste determining what we 'should'—even 'must'—read."

Jackie Snow for The Los Angeles Review of Books‬: https://lareviewofbooks.org/article/reading-behind-bars-and-beyond-barriers

Amazing AMD publication of Open-Sourced GIM Driver For GPU Virtualization!

Marvelous!

https://www.phoronix.com/news/AMD-GIM-Open-Source

Today I saw that since Bastille's last release at the end of January there have been 625(!) commits to the repo. Many bug fixes, new features, subcommands, doc updates (), ...
Big props to Victor for working tiredlessly on the project. https://github.com/BastilleBSD/bastille/

Also, there have been some new videos on Bastille's Youtube channel: https://www.youtube.com/@BastilleBSD demonstration upcoming features in Bastille 0.14.

New 𝗙𝗿𝗲𝗲𝗕𝗦𝗗 𝗝𝗮𝗶𝗹𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 (𝘃𝗲𝗿𝘀𝘂𝘀 𝗣𝗼𝗱𝗺𝗮𝗻) [FreeBSD Jails Security (versus Podman)] article on the blog.

https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/

New 𝗙𝗿𝗲𝗲𝗕𝗦𝗗 𝗝𝗮𝗶𝗹𝘀 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 (𝘃𝗲𝗿𝘀𝘂𝘀 𝗣𝗼𝗱𝗺𝗮𝗻) [FreeBSD Jails Security (versus Podman)] article on the blog.

https://vermaden.wordpress.com/2025/04/11/freebsd-jails-security/

New 𝗔𝗿𝗲 𝗙𝗿𝗲𝗲𝗕𝗦𝗗 𝗝𝗮𝗶𝗹𝘀 𝗮 𝗖𝗼𝗻𝘁𝗮𝗶𝗻𝗲𝗿𝘀? (Are FreeBSD Jails a Containers?) on the blog.

https://vermaden.wordpress.com/2025/04/08/are-freebsd-jails-containers/