Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

FreeBSD Jails

Written by Arnaud

We will use ezjail, which makes jail management easier:

pkg install ezjail
ezjail-admin install

service ezjail start

Create your first jail and connect to it (the jail will be NATed in this example):

ezjail-admin create myjailname 'lo1|10.11.12.1'
ezjail-admin start myjailname
ezjail-admin list
ezjail-admin console myjailname

Allow raw sockets (needed for ping, but not recommended) by editing /usr/local/etc/ezjail/myjailname:

export jail_myjailname_parameters="allow.raw_sockets=1"

Enable features in the jail template (the skeleton every new jail is created from), quoting so the value lands in rc.conf with its quotes intact:

echo 'sshd_enable="YES"' >> /usr/jails/newjail/etc/rc.conf

Enable NAT and port redirection in /etc/pf.conf:

ext_if = "em0"
int_if = "lo1"
rdr on $ext_if proto udp to port 1194 -> 10.11.12.1 port 1194
nat on $ext_if from $int_if:network -> ($ext_if)

Start PF, then load and check the PF config:

service pf onestart
pfctl -vf /etc/pf.conf
pfctl -e

Enable everything at boot in /etc/rc.conf:

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
ezjail_enable="YES"
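An added example, not code from the original post: the pf.conf above contains only translation rules (rdr and nat) and no filter rules, and pf passes any packet that no rule matches, so that host translates traffic but filters nothing. The script below generates the same rdr/nat setup for the layout described (jail on lo1, NATed behind em0, UDP 1194 redirected to 10.11.12.1) with an explicit default-deny filter section, and runs a parse-only check (pfctl -nf) before anything is loaded. The interface names, jail address and port come from the post; the function names and the host-SSH rule are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: build the pf.conf for the
# layout above (jail on lo1, NATed behind em0, UDP/1194 redirected to the
# jail) with an explicit default-deny filter, and parse-check it with
# pfctl -nf before it is loaded. Interface names, the jail address and the
# port are assumed to match the post; the host-SSH rule is an assumption.

# gen_pf_conf EXT_IF INT_IF JAIL_IP PORT
# Prints a complete pf.conf. The rdr/nat lines are the post's; the filter
# section is what it lacks. Section order (options, translation, filter) is
# the order pfctl on FreeBSD requires.
gen_pf_conf() {
    ext_if=$1; int_if=$2; jail_ip=$3; port=$4
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
jail_ip = "$jail_ip"
svc_port = "$port"

# Options: never filter the loopback interface the host itself uses
set skip on lo0

# Translation (the post's two rules, parameterised)
rdr on \$ext_if proto udp to port \$svc_port -> \$jail_ip port \$svc_port
nat on \$ext_if from \$int_if:network -> (\$ext_if)

# Filter: default deny inbound, stateful pass for what is explicitly allowed
block in log all
pass out quick keep state

# Host administration over SSH (assumed; restrict the source in production)
pass in on \$ext_if proto tcp to (\$ext_if) port 22 keep state

# The redirected service: filter rules see the packet after translation,
# so the destination is the jail address, not the host's
pass in on \$ext_if proto udp to \$jail_ip port \$svc_port keep state

# Jail egress arrives on the internal interface before being NATed out
pass in on \$int_if from \$int_if:network keep state
EOF
}

# check_pf_conf FILE
# Parse-only check (pfctl -n loads nothing). Returns pfctl's status, or 2
# when pfctl is not available on this machine.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; syntax check skipped for $1" >&2
        return 2
    fi
}

# write_and_check OUT EXT_IF INT_IF JAIL_IP PORT
# Writes the generated config to OUT and checks it; the live /etc/pf.conf
# is only replaced by the operator after the check passes.
write_and_check() {
    out=$1; shift
    gen_pf_conf "$@" > "$out"
    check_pf_conf "$out"
}

# Usage: sh gen_pf.sh /etc/pf.conf.new em0 lo1 10.11.12.1 1194
#        pfctl -f /etc/pf.conf.new   (after reviewing the file)
if [ "$#" -eq 5 ]; then
    write_and_check "$@"
fi
```

Generate into a staging file, review it, and only then load it with pfctl -f. Because "block in log all" also applies to the host's own interfaces, keep console access (or a scheduled rollback) at hand the first time the filter goes live; the hypothetical gen_pf.sh name and the write_and_check/check_pf_conf functions are this example's own, not part of ezjail or pf.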


More about PF: https://www.freebsd.org/doc/handbook/firewalls-pf.html

More about ezjail: https://www.freebsd.org/doc/handbook/jails-ezjail.html

Classified in: UNIX. Tags: none
