diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 53544f1f4b9e..09c4a63ffaab 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -419,7 +419,10 @@ is set, the source IP addresses are enforced to comply
 with the IP address bound to the jail, regardless of whether or not
 the
 .Dv IP_HDRINCL
-flag has been set on the socket.
+flag has been set on the socket. Because raw sockets can be used to configure
+and interact with various network subsystems, extra caution should be used
+where privileged access to jails is given out to untrusted parties. As such,
+by default this option is disabled.
 .It Va security.jail.getfsstatroot_only
 This MIB entry determines whether or not processes within a jail are able
 to see data for all mountpoints.