Allowing the ping/traceroute commands inside a FreeBSD jail
Date: 2019-11-20 08:54:02 Source: igfitidea
Inside a FreeBSD jail, ftp/http work, but ping and traceroute do not.
How do I allow applications/users inside the jail to run the traceroute and ping commands?
By default, FreeBSD does not allow users/applications inside a jail to create raw sockets.
Setting security.jail.allow_raw_sockets to 1 lets utilities such as ping and traceroute run inside jails:
# sysctl security.jail.allow_raw_sockets=1
Now log in to the jail with jexec and try ping:
host # jexec 1 csh
jail# ping theitroad.local
Add the following line to /etc/sysctl.conf so the setting survives a reboot:
# echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf
A note about the MIB
This part is optional. The MIB variable above affects every jail on the system. You can use the host firewall (for example PF) to deny or allow ping/traceroute traffic from specific jails.
Here is an example PF firewall configuration:
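As an added example that is not part of the original page: because the global sysctl hands raw sockets to every jail, a finer-grained alternative is the per-jail allow.raw_sockets parameter that jail(8) reads from /etc/jail.conf. The jail names, paths and hostnames below are constructed placeholders; the IPv4 addresses are taken from the PF example on this page so that only the jail the firewall permits to ping is also allowed to open raw sockets.

```conf
# /etc/jail.conf (added example, constructed values)
# Defaults shared by every jail defined in this file.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
# Least privilege: raw sockets stay off unless a jail needs them
# (0 is also the jail(8) default; stated here for clarity).
allow.raw_sockets = 0;

# This jail may run ping/traceroute (matches $ping_outbound_ips in the PF rules).
monitor {
    path = "/jails/monitor";               # placeholder path
    host.hostname = "monitor.jail.local";  # placeholder hostname
    ip4.addr = 10.24.55.103;
    allow.raw_sockets = 1;
}

# This jail keeps the default: no raw sockets, so ping/traceroute fail inside it.
web {
    path = "/jails/web";                   # placeholder path
    host.hostname = "web.jail.local";      # placeholder hostname
    ip4.addr = 10.24.55.120;               # constructed address, not in the PF rules
}
```

With this layout the global security.jail.allow_raw_sockets sysctl can stay at 0; the parameter can also be flipped on a running jail with jail -m name=monitor allow.raw_sockets=1, and the effective value checked with jls -j monitor allow.raw_sockets.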
# interface
int_if="em0"
ext_if="em1"
# ICMP types
icmp_types = "{ echoreq, unreach }"
# Allowed ips for traceroute
troute_outbound_ips = "{ 10.24.55.101, 10.24.55.103, 10.24.55.111 }"
# Allowed ips for ping
ping_outbound_ips = "{ 10.24.55.103, 10.24.55.111 }"
# Some defaults
set block-policy return
set loginterface $ext_if
scrub in all
# Drop ALL - drop incoming and everything else
block log all
# skip loopback and the internal interface
set skip on {lo0, $int_if}
block in quick from urpf-failed
antispoof log for $ext_if
## your other rules STARTS ###
## add your other pf rules to open port and other stuff
# ...
# ...
## your other rules ENDS ###
### Allow traceroute from selected jails ###
# '><' matches the UDP ports strictly between the two values (traceroute's probe range)
pass out on $ext_if inet proto udp from $troute_outbound_ips to any port 33433 >< 33626 keep state
### Allow ping (ICMP echo request / unreachable) from selected jails ###
pass out on $ext_if inet proto icmp from $ping_outbound_ips to any icmp-type $icmp_types keep state