Kernel_Killer
August 31st, 2005, 16:31
*UPDATE* Here is my 6.x How-To (http://www.networksynapse.net/index.php?/archives/3-FreeBSD-Jails.html#extended).

*UPDATE* I realized later that you can create another collision domain with your jails, but it works more easily by using the network that the main interface is on. I have updated the how-to to use this method instead, since most users will not want to deal with the routing involved in making multiple collision domains.

Well, here we are again, and for some reason jails have changed again without much warning of the changes. Setting jails up on FreeBSD has changed in a few ways, making some tutorials vague. So here's a more updated version:

To start out, make sure you have your source tree installed for FreeBSD. If you do not have this, run /stand/sysinstall, go to Configure, Distributions, and then "src". After you have your system prepped and ready for jails to be added, start planning out your virtual network.

As an example, I'm going to set the IP to 10.0.0.86, and then run a jail off the main interface.

# ifconfig em0 10.0.0.86 255.255.255.255
# ifconfig em0 inet alias 10.0.0.88 netmask 255.255.255.255
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 10.0.0.86 netmask 0xff000000 broadcast 10.255.255.255
inet6 fe80::230:48ff:fe84:14d4%em0 prefixlen 64 scopeid 0x1
inet 10.0.0.88 netmask 0xffffffff broadcast 10.2.5.88
ether 00:30:48:84:14:d4
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

Ok. So now we have our main interface at 10.0.0.86 and our aliased IP at 10.0.0.88. Since we don't want any inetd services listening on the aliased IP, we need to add a line to the /etc/rc.conf file.

inetd_flags="-wW -a 10.0.0.86"

Now to make the jail. First make the directory you want the jail in.

# mkdir /usr/jail/server1

Then we make the virtual system.

# cd /usr/src
# make world DESTDIR=/usr/jail/server1
# cd etc
# make distribution DESTDIR=/usr/jail/server1
# cd /usr/jail/server1
# ln -sf /dev/null kernel

Once this is all done your jail is built and ready to be set. First, a few minor details to the setup.

# mkdir /usr/jail/server1/stand
# cp /stand/sysinstall /usr/jail/server1/stand/
# touch /usr/jail/server1/etc/fstab
# cat /etc/resolv.conf > /usr/jail/server1/etc/resolv.conf

So now we are ready to configure the jail for the first time. We start the jail with the jail command, like so:

# jail /usr/jail/server1 jail1.prision.com 10.0.0.88 /bin/sh

You will then be dropped to a new shell inside the jail. First, set your root password with 'passwd' or with 'sysinstall'. Also set up a user account to use when entering over SSH. Make sure to also run 'newaliases' while in this environment, otherwise you will have issues with your jail starting with sendmail. Next, add the SSH enable line into your /etc/rc.conf (in the jail).

sshd_enable="YES"

Once you have this done, type 'exit' to leave the jail. Now, we need to mount the proc and dev filesystems for our jail.

# mount -t procfs proc /usr/jail/server1/proc
# mount -t devfs dev /usr/jail/server1/dev

and now to start it all up:

# jail /usr/jail/server1 jail1.prision.com 10.0.0.88 /bin/sh /etc/rc

Now you should be able to ssh to your new jail, and start configuring the services you wish to run inside.

To double check that your jail is running, run 'jls':

# jls
JID IP Address Hostname Path
1 10.0.0.88 jail1.prision.com /usr/jail/server1

Enjoy!
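A small POSIX sh pre-flight script for the steps above, added here as an example and not part of the original post. It checks the planned jail IP, verifies the jail root has the files the post creates (fstab, resolv.conf, sysinstall, the kernel symlink, the dev and proc mount points), and parses jls output to confirm the jail came up; the file list and the sample jls text are assumptions built from the post.

```shell
#!/bin/sh
# Pre-flight checks for a jail built the way the post describes.
# Example code, not from the post; assumes the same layout (jail root
# under /usr/jail/<name>, IP alias on the host interface).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print each file the post creates in a fresh jail root that is missing.
# Returns 0 when nothing is missing.  (File list assumed from the post.)
jail_root_check() {
    root=$1
    missing=0
    for f in etc/fstab etc/resolv.conf stand/sysinstall kernel dev proc; do
        if [ ! -e "$root/$f" ] && [ ! -L "$root/$f" ]; then
            echo "missing: $root/$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Parse jls(8) output (format as shown in the post) and return 0 if a jail
# with IP $1 and root path $2 is listed.  $3 is the captured jls output.
jail_listed() {
    printf '%s\n' "$3" | awk -v ip="$1" -v path="$2" \
        'NR > 1 && $2 == ip && $4 == path { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Run the checks before starting the jail; prints the start command on success.
jail_preflight() {
    ip=$1; root=$2
    valid_ipv4 "$ip" || { echo "bad jail IP: $ip"; return 1; }
    jail_root_check "$root" || return 1
    echo "jail root $root looks complete; start it with:"
    echo "  jail $root <hostname> $ip /bin/sh /etc/rc"
}

# Constructed sample jls output, copied in shape from the post.
SAMPLE_JLS='JID IP Address Hostname Path
1 10.0.0.88 jail1.prision.com /usr/jail/server1'
```

Run `jail_preflight 10.0.0.88 /usr/jail/server1` after the "minor details" step, and `jls | { read -r h; cat; }` style capture is unnecessary: pass the whole `jls` output as the third argument to `jail_listed`.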

Strog
September 2nd, 2005, 13:53
I knew about jails in FreeBSD 4.0 but never tried it until 5.1 and kicked myself for waiting so long. You can add pf and devfs rules to minimize what the jail has exposed to it and what it has access to. I'd highly recommend looking at jails.

I use a few jails to keep stuff separated and consolidate boxes. Put DNS, irc shell, etc. in separate jails and only let them access what they need and block everything else.

Kernel_Killer
August 22nd, 2006, 01:17
Updated this How-To, and tested for 6.x.

FreeBSD 6.x Jails (http://www.networksynapse.net/index.php?/archives/3-FreeBSD-Jails.html#extended)

Strog
August 22nd, 2006, 09:09
This is very easy to read and to the point. Nice work Kernel_Killer.

You mention making sure that the jails are listening to the aliased IP in any network services. You may want to suggest the same for the host box too. I remember leaving services listening on any and getting weird results until I had it listening to the main IP for the box. It wasn't too big of a deal but it would be nice to add for clarity and completeness. Jail has improved quite a bit since then and perhaps it's not a big deal anymore.

Related news is that OpenBSD/NetBSD have a jail implementation called sysjail (http://sysjail.bsd.lv/). It uses systrace (http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html) and chroot (http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html) to create a jail. There was an article (http://undeadly.org/cgi?action=article&sid=20060814200305) on undeadly.org last week calling for testing. Very cool stuff.

Kernel_Killer
August 22nd, 2006, 09:12
Well, it is definitely something to do if you are having issues to make sure traffic gets where it needs to be, but it doesn't seem to be as mandatory anymore. Even having SSH on the jail listen to 0.0.0.0, everything was still good. Good practice to do such though. Thanks for the great input. :biggrin:

n00dles
October 29th, 2006, 13:03
Does OpenBSD support jailing also? If not, it seems odd that an OS so tight on security is lacking such a good dimension.

molotov
October 29th, 2006, 15:16
OpenBSD allows users to run servers in a chroot environment. There is also sysjail (http://sysjail.bsd.lv/) available for Net/Open, however there is no native equivalent to FreeBSD's jail.

Strog
October 30th, 2006, 13:09
There's also systrace (http://en.wikipedia.org/wiki/Systrace) which can give jail-like security without needing to be run in a separate area. You can combine it with a chroot and have as tight a jail as (or tighter than) anyone around. I've wanted jail in OpenBSD for a long time and then I realized I already had all the security benefits plus the separate filesystem area was optional. :biggrin: