# 33.1 Linux Jail Basics

Linux Jail is a feature of the FreeBSD operating system used to run Linux binaries and applications within a Jail. It works by integrating a compatibility layer in the FreeBSD kernel that translates Linux system calls into corresponding FreeBSD native system calls. Linux Jail enables FreeBSD systems to run Linux software without the need to deploy a separate Linux virtual machine or runtime environment.

The following sections cover the initial host configuration needed before deploying a Linux Jail, that is, a FreeBSD Jail that runs a Linux userland.

## Prerequisites

This section binds all Jails to the virtual network interface `lo1`, forming a local area network within the FreeBSD system, where the FreeBSD host acts as the gateway.

All Jail network traffic must pass through the network interface `lo1`, so network forwarding must be enabled. This section uses the pf firewall to accomplish this.

> **Note**
>
> The pf firewall must be configured to implement network access control.

## Prepare the Network Interface

Add and enable the cloned network interface lo1:

```sh
# sysrc cloned_interfaces+="lo1"
# service netif cloneup
```

## Prepare the pf Firewall

Two configuration methods are provided; choose as needed.

### Method One

A table in the pf firewall is a named structure used to store a collection of addresses and networks. Addresses in the table can access the network through NAT.

Even when no rules reference a table, the `persist` flag ensures the firewall always retains it, preventing the table from being automatically cleared when firewall rules are reloaded.

Edit the **/etc/pf.conf** file and add the following configuration:

```ini
table <jails> persist
pass out on em0 inet from <jails> to any nat-to (em0)
```

> **Tip**
>
> In practice, replace the interface name `em0` and each Jail's IP address with the actual configuration in your environment.

You can use `pfctl` to add or remove entries from the `jails` table to control network access. For example:

* `pfctl -t jails -T add 192.168.5.1` adds **192.168.5.1** to the jails table, allowing it to access the network.
* `pfctl -t jails -T delete 192.168.5.1` removes **192.168.5.1** from the jails table, preventing it from accessing the network.

This method requires manual management but offers greater flexibility.
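Because Method One grants NAT access with a single `pfctl` command, it is worth guarding that command. The wrapper below is an added example, not part of the original page: it only adds or removes an address if it is a well-formed IPv4 address inside the Jail subnet, so a typo cannot widen NAT access to an unrelated host. The subnet prefix `192.168.5.` is an assumption, and `PFCTL` can be set to `echo` for a dry run on a machine without pf.

```sh
#!/bin/sh
# Added example (not from the original page): guarded wrapper around
# "pfctl -t jails -T add/delete" from Method One. JAIL_PREFIX is an
# assumed lo1 subnet; override PFCTL (e.g. PFCTL=echo) for a dry run.
JAIL_TABLE="${JAIL_TABLE:-jails}"
JAIL_PREFIX="${JAIL_PREFIX:-192.168.5.}"
PFCTL="${PFCTL:-pfctl}"

# valid_jail_ipv4 ADDR: succeed only for a dotted quad under JAIL_PREFIX
valid_jail_ipv4() {
    case "$1" in
        "$JAIL_PREFIX"*) ;;
        *) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in '' | *[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# jail_net_allow ADDR: let ADDR reach the network through NAT
jail_net_allow() {
    valid_jail_ipv4 "$1" || {
        echo "refusing to add '$1': not an address in ${JAIL_PREFIX}0/24" >&2
        return 1
    }
    "$PFCTL" -t "$JAIL_TABLE" -T add "$1"
}

# jail_net_deny ADDR: cut ADDR off from the network again
jail_net_deny() {
    valid_jail_ipv4 "$1" || {
        echo "refusing to delete '$1': not an address in ${JAIL_PREFIX}0/24" >&2
        return 1
    }
    "$PFCTL" -t "$JAIL_TABLE" -T delete "$1"
}
```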

### Method Two

Write the rule directly in the **/etc/pf.conf** file:

```ini
pass out on em0 inet from 192.168.5.1 to any nat-to (em0)
```

This method allows **192.168.5.1** to access the network. The rules are fixed in the configuration file, which is more convenient for scenarios without special requirements.

## Enable the pf Firewall

Even without using firewall rules, the pf service must be enabled to implement NAT functionality. For instructions on enabling the pf firewall, refer to other chapters.

## Load the Linux Binary Compatibility Layer (Linuxulator) Kernel Module

Enable and start the Linux compatibility layer service. This method automatically loads the various kernel modules required by the Linux compatibility layer:

```sh
# service linux enable
# service linux start
```

## Prepare Directories

Create a directory for storing Jail-related files:

```sh
# mkdir /usr/jails
```

## File Structure

```sh
/usr/jails/
├── debian/          # Debian 12 Jail root directory
│   ├── dev/         # devfs mount point
│   ├── dev/shm/     # tmpfs mount point
│   ├── dev/fd/      # fdescfs mount point
│   ├── proc/        # linprocfs mount point
│   ├── sys/         # linsysfs mount point
│   └── tmp/         # nullfs mount point
├── ubuntu/          # Ubuntu 22.04 Jail root directory
│   ├── dev/
│   ├── dev/shm/
│   ├── dev/fd/
│   ├── proc/
│   ├── sys/
│   ├── tmp/
│   └── tmp/.X11-unix/  # X11 socket mount point
├── antix/           # antiX Linux Jail root directory
│   ├── dev/
│   ├── dev/shm/
│   ├── dev/fd/
│   ├── proc/
│   ├── sys/
│   └── tmp/
├── alpine/          # Alpine Linux Jail root directory
│   ├── dev/
│   ├── dev/shm/
│   ├── dev/fd/
│   ├── proc/
│   └── sys/
└── freebsd-jail/    # FreeBSD Jail root directory

/etc/
├── fstab.debian     # fstab configuration for Debian Jail
├── fstab.ubuntu     # fstab configuration for Ubuntu Jail
├── fstab.antix      # fstab configuration for antiX Jail
├── fstab.alpine     # fstab configuration for Alpine Jail
├── jail.conf        # Jail main configuration file
├── pf.conf          # PF firewall configuration
└── rc.conf          # System startup configuration
```
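The mount points in the tree above are backed by the per-Jail `/etc/fstab.<name>` files. The script below is an added example, not part of the original page: it creates the mount point directories for one Jail and writes the matching fstab file. The mount options are an assumption taken from the FreeBSD Handbook's Linux jail example (`rw,late`, `linrdlnk` on fdescfs); `JAILS_ROOT` and `ETC_DIR` can be overridden to rehearse in a scratch directory.

```sh
#!/bin/sh
# Added example (not from the original page): create the mount point
# directories for one Linux Jail and write $ETC_DIR/fstab.<name>.
# Mount options are assumed from the FreeBSD Handbook's Linux jail example.
JAILS_ROOT="${JAILS_ROOT:-/usr/jails}"
ETC_DIR="${ETC_DIR:-/etc}"

# fstab_line DEVICE MOUNTPOINT FSTYPE OPTIONS: one aligned fstab entry
fstab_line() {
    printf '%-10s %-32s %-10s %-26s 0 0\n' "$1" "$2" "$3" "$4"
}

# linux_jail_prepare NAME [no-tmp]: make dev/shm, dev/fd, proc, sys (and tmp)
# under $JAILS_ROOT/NAME and write $ETC_DIR/fstab.NAME.
# Pass "no-tmp" for a layout without the tmp/ nullfs mount (the Alpine case).
linux_jail_prepare() {
    _name=$1
    _root="$JAILS_ROOT/$_name"
    _fstab="$ETC_DIR/fstab.$_name"
    mkdir -p "$_root/dev/shm" "$_root/dev/fd" "$_root/proc" "$_root/sys" || return 1
    {
        fstab_line devfs     "$_root/dev"     devfs     rw,late
        fstab_line tmpfs     "$_root/dev/shm" tmpfs     rw,late,size=1g,mode=1777
        fstab_line fdescfs   "$_root/dev/fd"  fdescfs   rw,late,linrdlnk
        fstab_line linprocfs "$_root/proc"    linprocfs rw,late
        fstab_line linsysfs  "$_root/sys"     linsysfs  rw,late
        if [ "$2" != no-tmp ]; then
            mkdir -p "$_root/tmp" || return 1
            fstab_line /tmp "$_root/tmp" nullfs rw,late
        fi
    } > "$_fstab"
}
```

The generated file is what `jail.conf` later references through `mount.fstab`; review it before the first `service jail start`.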
