soup4you2
October 23rd, 2003, 20:35
Ok here's a rather unique question.

say you set up a freebsd jail. you can't ping or do anything on the outside... so how's one supposed to set up a process like postfix where it checks to see if the domain exists?

well the overall goal in my project is i've made it so i can jail specific ssh users or groups to their own jailed environment.. but certain users i would still like to be able to use irc or whatever they do.. plus it's nice having ssh users without actually needing a valid system account. the ssh jailing portion works great so far.. ie see below:

[code]
Sep 16 19:32:35 XXXXXXXXX sshd[86775]: Connection from XX.XX.XX.XX port 49526
Sep 16 19:32:36 XXXXXXXXX sshd[86775]: Jailing session. [user=USERNAME,chroot=/chroot/sshd/USERNAME]
[/code]

but i want them to have outside access, any thoughts?

if it helps here's some background info:

rc.conf settings
[code]
jail_set_hostname_allow="NO"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"
jail_stop_jailer="NO"

jail_sshd_rootdir="/chroot/sshd/jail"
jail_sshd_hostname="solarflare.bsdhound.com"
jail_sshd_ip="10.0.4.1"
jail_sshd_exec="/bin/sh /etc/rc"
jail_sshd_devfs_enable="YES"
jail_sshd_fdescfs_enable="NO"
jail_sshd_procfs_enable="NO"
jail_sshd_devfs_ruleset="11"
[/code]

the devfs rulesets are basically:

[code]
[devfsrules_jail_sshd=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[/code]

Now i've even assigned some pf rules to try to redirect the traffic through squid.

[code]
# Solarflair Access
rdr on $int_if proto tcp from $solarflair to any port 80 -> 10.0.2.1 port 3128
rdr on $int_if proto tcp from $solarflair to any port 443 -> 10.0.2.1 port 3128
rdr on $int_if proto tcp from $solarflair to any port 563 -> 10.0.2.1 port 3128
rdr on $int_if proto tcp from $solarflair to any port 21 -> 10.0.2.1 port 3128
rdr on $int_if proto tcp from $solarflair to any port 1025:65535 -> 10.0.2.1 port 3128
rdr on $int_if proto tcp from $solarflair to any port 53 -> 10.0.3.1 port 53
rdr on $int_if proto udp from $solarflair to any port 53 -> 10.0.3.1 port 53
[/code]

Now if i go into the jail like normal either by

jail /chroot/sshd/jail solarflair 10.0.4.1 /bin/sh
or by
jls 11 /bin/sh

i can browse around just fine.. Anybody know of ways i can enable networking inside the jail?

i guess i could take the wimpie way outta this and write a login script to jail their session then log out once leaving the jail but the goal is to keep ssh accounts separate from system accounts.

frisco
October 23rd, 2003, 20:47
http://www.freebsdforums.org/forums/showthread.php?threadid=14126


Network stack cloning/virtualization patches allow for multiple fully independent network
stacks to simultaneously coexist in a single FreeBSD kernel. Combined with
jail-style separation between user processes and with proportional-share
extensions to the standard BSD CPU scheduler, the patched kernel can
efficiently provide isolated and controllable pseudo virtual machine
environments.


Sounds like what you're looking for...

soup4you2
October 23rd, 2003, 21:08
oh my god!! you are the man.. i've been fighting this problem for 4 months now..

--UPDATE

Damn it's 4.8

i tried editing the c files by hand but there's some major differences going on.. i did however find this old email:


> Hi Marko,
>
> On Fri, Sep 12, 2003 at 03:05:15PM +0200, Marko Zec wrote:
> > Network stack cloning patches allow for multiple fully independent network
> > stacks to simultaneously coexist in a single FreeBSD kernel. Combined with
> [snip]
>
> Your work is most interesting. I look forward to using it as a resource
> from which to learn when researching a prospective policy routing
> implementation for the 5.2 line of development, after the locking work
> has been finished.
>
> Have you considered porting your work to 5.x, perhaps as a Perforce project?

Sure, however until now my plans for doing a port to 5.x were blocked due to
ENOTIME|ENOFUN. I guess a good point for starting such efforts would be after 5.2
is released, when the recent changes to the -CURRENT network stack have settled down a
little bit. I'll be in need for a lot of help and guidance with 5.x specifics
though...
Cheers,

Marko

soup4you2
October 24th, 2003, 09:12
I've found a way around this.. not what my overall intended goal was but it actually works well this way for a few reasons.. thanks for your help frisco

rob897
October 25th, 2003, 00:31
Ok just want you guys to know that all the stuff you just talked about, makes me feel completely STUPID. Granted I am new to FreeBSD, but eventually I want to be able to comprehend 90% of everything that is mentioned on this site. Do you guys have any suggestions how I can make myself learn this? I have the Complete FreeBSD book but to read it and understand what something is actually used for in the real world, just isn't sticking. Any thoughts are appreciated. I think I completed the 1st part by killing my Windose machine entirely, forcing myself to use only FreeBSD.

hoserian
October 25th, 2003, 00:34
i completely understand how you feel, rob. I myself just took that step of obliterating windows as well. certainly has made for some interesting times so far.

rob897
October 25th, 2003, 00:40
well at least I feel like I have accomplished something when I work with FreeBSD. I think I am the only one at work running it, everyone else is all Win, or Linux.

bsdjunkie
October 25th, 2003, 09:19
I think soup is the expert at jailing any service in fbsd. I doubt there is a process on his box that runs normally =)

soup4you2
October 25th, 2003, 15:54
It's fun.... i was showing kernel killer one of my jails last night... i think he likes it.. it's rare now that i sit on the base system i normally do my work inside jails..

Kernel_Killer
September 24th, 2004, 00:41
So is there a better way of going about it now? I'm using 4.10 for my ssh jail. I can ssh in and out, but can't do any ICMP requests, or use any other TCP or UDP services.

soup4you2
September 24th, 2004, 18:24
> So is there a better way of going about it now? I'm using 4.10 for my ssh jail. I can ssh in and out, but can't do any ICMP requests, or use any other TCP or UDP services.

did you setup the network on the jails and use NAT to connect them?

here's a snip from an older setup i had w/ pf

[code]
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $ext_if proto tcp from any to $ext_if port 80 -> $www port 80
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $ssh port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mail port 25
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $mail port 443
rdr on $ext_if proto tcp from any to $ext_if port 993 -> $mail port 993
#rdr on $ext_if proto tcp from any to $ext_if port 6112 -> $nibbles port 6112

# Give Those Jails Just a little outside access
nat on $ext_if from $www to any -> ($ext_if)
nat on $ext_if from $mail to any -> ($ext_if)
nat on $ext_if from $ssh to any -> ($ext_if)
nat on $ext_if from $accounting to any -> ($ext_if)
[/code]
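A fuller version of the host-side pf setup from the first post and the NAT snippet above, as an added example that is not from the thread: the nat rule that gives the jail outbound access, the inbound rdr for its sshd, and a filter that keeps the jail's egress narrow. The interface name em0 and the allowed outbound ports are assumptions; 10.0.4.1 is the jail address given in the thread.

```pf
# Added example, not from the thread: host pf.conf letting the sshd jail at
# 10.0.4.1 reach the outside through NAT while keeping its egress scoped.
# Assumptions (not in the thread): external interface em0, jail IP aliased
# on the host, and the outbound port list below.
ext_if = "em0"
solarflair = "10.0.4.1"          # the ssh jail from the thread

# Jail-to-jail traffic between aliases on one host (e.g. to the squid or
# resolver jails) flows over loopback, so leave lo0 unfiltered.
set skip on lo0

# Translation is evaluated before filtering: filter rules on $ext_if see the
# translated addresses, never 10.0.4.1 as the source of outbound packets.
# Inbound: publish the jailed sshd on the host's public address.
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $solarflair port 22
# Outbound: rewrite the jail's private source; without this, replies to
# 10.0.4.1 never come back, which is the symptom described in the thread.
nat on $ext_if from $solarflair to any -> ($ext_if)

block all
# After rdr the inbound packet is addressed to the jail, so match that.
pass in on $ext_if proto tcp from any to $solarflair port 22 keep state
# After nat the outbound packet carries the host's address, so the egress
# list is written against ($ext_if); keep it minimal, since the host and
# every other NATed jail are bound by the same lines.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 6667, 6697 } keep state
# No icmp rule: ping from inside a jail fails anyway, because jails are
# denied raw sockets by default.
```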

Kernel_Killer
September 25th, 2004, 00:13
here's the deal. You can SSH to it from outside of the network, and you can ssh out of it. The only problem is that any other service going out is not permitted. ICMP is not permitted as well. So traceroute and ping are useless. I have it set on the firewall of the system to let all traffic going out of it be allowed. I'll check on it more later. The main drive on that system is flaking out, and cannot even boot.