Throw-Away Browser on FreeBSD With "pot" Within 5 Minutes


pot is a great and relatively new jail management tool. It offers DevOps style provisioning and can even be used to provide Docker-like, scalable cloud services together with nomad and consul (more about this in Orchestrating jails with nomad and pot).

When using FreeBSD on your desktop, you can also use it simply to easily create “throw away” browser jails. That way, the browser environment is reliably and completely erased and reset each time you re-create it with one single, simple command.

Please note that all the pot commands below should be run as root.

Setting up pot

Installing and setting up potis described in detail on but it is quite straight-forward if you stick to the sensible defaults:

$ pkg install pot
$ pot init -v

Creating the Jail Flavour (Template)

After that, we create a pot flavour that contains all the details about our browser jail in /usr/local/etc/pot/flavours.

The flavour contains of two simple files in this directory.


set-attribute -A no-rc-script -V YES
set-attribute -A persistent -V NO



[ -w /etc/pkg/FreeBSD.conf ] && sed -i '' 's/quarterly/latest/' /etc/pkg/FreeBSD.conf
ASSUME_ALWAYS_YES=yes pkg bootstrap
touch /etc/rc.conf
sysrc sendmail_enable="NONE"
sysrc sshd_enable="YES"

echo myjailpassword | pw add user ffoxuser -h 0
mkdir /home/ffoxuser
chown ffoxuser /home/ffoxuser

pkg install -y xauth firefox 
pkg clean -y

Make the shell script executable (otherwise it is ignored by pot):

$ chmod ugo+x

Of course you could instead of firefox also install chromium or any other browser or application.

Creating a One-Time Jail and Running Your Browser

Now you can simply create the jail with

$ sudo pot create -p onetime-browser -b 12.1 -N public-bridge -t single -f browser

and watch the output:

===>  Creating a new pot
===>  pot name : onetime-browser 
===>  type : single
===>  base : 12.1
===>  pot_base :
===>  level : 0
===>  network-type: public-bridge
===>  ip :
===>  bridge :
===>  dns : inherit
===>  flavours : browser
===>  Fetching FreeBSD 12.1

You will note that pot assigns a private IP address to the jail, in the case above

Start the browser jail with

$ pot start onetime-browser

and then start firefox in the jail with

$ ssh -X ffoxuser@ firefox

If necessary, replace the IP address with the IP address from your output.

If you copied the configuration from above, the password you will be asked for is myjailpassword.

Clean Up Afterwards…

As soon as you are done browsing and you have closed the browser session, stop the jail with

$ pot stop onetime-browser

and delete the jail with

$ pot destroy -p onetime-browser

All the data associated with your browsing session will be completely removed.

…Or Use Snapshots

A lot more efficient than recreating the jail from scratch each time would be taking a snapshot immediately after creating the jail with

$ pot snapshot -p onetime-browser

and instead of deleting the jail simply roll back to it after having finished browsing:

$ pot revert -p onetime-browser