kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host

Stefan Hegnauer stefan.hegnauer at
Thu Jan 1 21:20:02 UTC 2009

>Number:         130102
>Category:       kern
>Synopsis:       'pfctl -d' from inside a jail disables pf on the jail host
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 01 21:20:01 UTC 2009
>Originator:     Stefan Hegnauer
>Release:        7.1-PRERELEASE #9
FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed Dec 31 09:05:43 CET 2008     root at jailhost.x.y.z:/usr/obj/usr/src/sys/IBMT20  i386
I have a jail host ( with two jails running, webjail ( and mailjail ( The host uses pf for some additional protection on the single network interface facing my DMZ router, with rules for the two jailed hosts. So far everything seems to work as intended.
The setup of the jails is according to the descriptions in the jail(8) manual page with no deviations.

If I use pfctl(8) as root in one of the jails it is possible to control pf(4) that runs on the host. For example I can disable pf on the host altogether using 'pfctl -d', or re-enable it again with 'pfctl -e', or load a different ruleset with 'pfctl -f <rulefile>' etc. 
It seems that pfctl easily gets out of the jail which I did not expect, and I did also not find any reference of this behaviour in the handbook, the FAQ, the PR database or anywhere else on the net
- have enabled in the kernel (device pf, device pflog)
- set up a jail system with at least one jail according to jail(8) man page
- run pf on the host, load some rules and enable pf (pfctl -ef <rule_file>)
- run 'pfctl -d' as root within a jail -> pf is disabled on the host (pfctl -si)


More information about the freebsd-bugs mailing list