a) I didn't need much separation, I just wanted to run multiple environments on one box to save hardware; in this case, I enabled raw sockets, because it was convenient to ssh into the virtual environment and ping things.
b) things that I wanted really separate; for these environments, I left raw sockets disabled, the jail only contains the one executable (statically compiled); additionally, I also set up ipfw rules to prevent IP traffic from the jail from getting in or out, other than the specific things it was intended to do.
It shouldn't -- the permission is for user mode programs to access raw sockets, and user mode programs aren't needed to generate and handle normal MTU ICMPs (on both IPv4 and IPv6).