Easy and lightweight jails with BastilleBSD

HowTo create jails with Bastille 0.8

TL;DR of https://github.com/BastilleBSD/bastille/ (updated for Bastille 0.8.20210115)

install bastille

Bastille is very actively developed, so make sure pkg points at the latest branch of the package mirror.

vim /etc/pkg/FreeBSD.conf
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

enable bastille

sysrc bastille_enable=YES

create virtual network bridge

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

edit /etc/pf.conf (add the lines without #)

## vtnet0 is a placeholder, set ext_if to the host's external interface
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:1)

## Enable dynamic rdr (see below) bastille 0.7+
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet #disable for VNET
pass in inet proto tcp from any to any port ssh flags S/SA keep state
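
A ruleset with "block in all" can cut off a remote session if the ssh pass rule is missing, and pf will not load at all if a macro such as $ext_if is used without being defined. The following is an added example, not part of the original page or of Bastille: a small static check over pf.conf text, where pf_preflight and sample_ruleset are hypothetical names and the sample ruleset is constructed.

```shell
#!/bin/sh
# pf_preflight: static checks on pf.conf text read from stdin.
# Prints one line per finding; the exit status is the number of findings.
# Simplification: everything after '#' is treated as a comment.
pf_preflight() {
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    findings=0

    # 1. Every $macro that is used must be defined as name=value.
    for m in $(printf '%s\n' "$rules" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sort -u); do
        if ! printf '%s\n' "$rules" | grep -Eq "^[[:space:]]*${m#?}[[:space:]]*="; then
            echo "undefined macro: $m"
            findings=$((findings + 1))
        fi
    done

    # 2. Default-deny inbound needs an explicit ssh pass rule, otherwise a
    #    remote admin session is cut off as soon as the ruleset is loaded.
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*block[[:space:]]+in[[:space:]]+all' &&
       ! printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*pass[[:space:]]+in[[:space:]].*[[:space:]]port[[:space:]]+(ssh|22)([[:space:]]|$)'; then
        echo "block in all without an inbound ssh pass rule"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the ruleset shape used in this how-to, with the
# ext_if definition deliberately left out.
sample_ruleset() {
    cat <<'EOF'
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:1)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
}

sample_ruleset | pf_preflight || echo "fix the findings before loading the ruleset"
```

On the host, run it as pf_preflight < /etc/pf.conf; pfctl -nf /etc/pf.conf then does pf's own parse-only check without loading the rules.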

add ZFS support (check zpool with “zpool list”)

sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot #check with "zpool list"

bootstrap and create jail

bastille bootstrap 12.2-RELEASE
bastille create testjail 12.2-RELEASE

Since 0.8 Bastille will start the jail after creation in order to apply the standard templates.

bastille pkg testjail install vim-console tmux
bastille console testjail


  • If you want to use VNET jails within the same subnet as the host, you need to remove the antispoof rule in pf.conf.
  • If you don’t want to start all jails on boot, you can use bastille_list in rc.conf:
    sysrc bastille_list+=testjail
    sysrc bastille_list-=oldjail