Implications of allow_raw_sockets=1

Justin G. justin at
Sun May 31 22:10:30 UTC 2009

On Sun, May 31, 2009 at 11:49 AM, Richard Noorlandt
<lists.freebsd at> wrote:
> Hello everyone,
> I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
> jails that run all kinds of network services. One of the jails is running
> Nagios, which will monitor hosts in the network. The most straightforward
> way to let Nagios decide if a host is up or down, is by pinging other
> hosts. However, by default this won't work because the
> security.jail.allow_raw_sockets sysctl is set to '0'.
> It would be nice if I was able to ping from the Nagios jail, but the risks
> of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
> Some online searching suggests that the sysctl defaults to 0 because raw
> sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
> this has changed. Unfortunately I can't find a clear overview of the
> security risks involved with allowing raw sockets.
> So, what are the exact security implications of allowing raw sockets inside
> jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
> specific jails?
> Best regards,
> Richard
> _______________________________________________
> freebsd-jail at mailing list
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at"

At this time there is no way to set allow_raw_sockets on a per-jail basis.

Raw sockets can allow processes to sniff onto the network, craft
malformed packets, execute DDoS attacks, inject packets, among other

More information about the freebsd-jail mailing list