Implications of allow_raw_sockets=1

Richard Noorlandt lists.freebsd at gmail.com
Sun May 31 19:06:17 UTC 2009


Hello everyone,

I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
jails that run all kinds of network services. One of the jails is running
Nagios, which will monitor hosts in the network. The most straightforward
way to let Nagios decide if a host is up or down is by pinging other
hosts. However, by default this won't work because the
security.jail.allow_raw_sockets sysctl is set to '0'.

It would be nice if I were able to ping from the Nagios jail, but the risks
of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
Some online searching suggests that the sysctl defaults to 0 because raw
sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
this has changed. Unfortunately I can't find a clear overview of the
security risks involved with allowing raw sockets.

So, what are the exact security implications of allowing raw sockets inside
jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
specific jails?

Best regards,

Richard


More information about the freebsd-jail mailing list