appserverwithezjail

This guide only applies if you are using a non-internet-routable IP for a jail. If you have a routable IP you can simply alias it to your network interface.

The following uses ezjail to set things up, but it's not required: you can apply the network settings to any jail you set up. Following these instructions you should be able to get up and running in 5 - 10 minutes. I've included what to add to your config files, but you can also configure and start everything from the shell without a reboot. Even though this guide uses ezjail, I highly recommend reading the handbook section on jails so you have a solid understanding of what's going on.

External Resources

Installing Ezjail

cd /usr/ports/sysutils/ezjail/ && make install clean
Run man ezjail-admin at the shell prompt to get a basic understanding of the commands.

Now we're going to install the basejail that all jails you create will use.

ezjail-admin install

You can add a -P flag to have the ports collection installed in the basejail for all your jails to use. You can add the ports collection to the basejail at a later time also. The -P flag will also later update the ports collection of the basejail using portsnap.

Creating a Jail

Next we'll create the jail for our webserver.

ezjail-admin create WEBSERVER 10.1.1.1

System Startup

Add the following to your host's rc.conf.

<box 100% round blue|/etc/rc.conf>

#Setup interface all jails will use
#Make sure this netmask is unique in your rc.conf
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"

#Future jails can look like the following, aliases should always use 255.255.255.255 netmask
#ifconfig_lo1_alias0="inet 10.1.1.2 netmask 255.255.255.255"

# Enable port forwarding and packet filtering
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Jails
ezjail_enable="YES"

</box>

To add your jail's IP to a cloned loopback device via the shell, enter the following at the shell prompt (this is not required if you plan on rebooting after all your configuration files are set up). Unless you have your rc.conf set up as above, this will not persist through a reboot.

ifconfig lo1 create
ifconfig lo1 inet 10.1.1.1 netmask 255.255.255.0

PF Firewall

Set up PF NAT; change ext_if to reflect what your external interface is (check via ifconfig).

<box 100% round blue|/etc/pf.conf>

#INTERFACES
ext_if="em0"
int_if = "lo1"
jailnet = $int_if:network

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

</box>

Some useful PF commands to check to make sure everything is working and setup correctly:

pfctl -e                        Enable PF
pfctl -vnf /etc/pf.conf         Check /etc/pf.conf for errors, but do not load the ruleset
pfctl -F all -f /etc/pf.conf    Flush all rules (nat, filter, state, table, etc.) and reload from /etc/pf.conf

If you haven't set up your network device via the shell prompt, you now need to reboot so FreeBSD can load all your changed configuration files.

Setting Up The Jail

Once all of the preceding is running we can enter the jail.

ezjail-admin console WEBSERVER

Set up the jail's resolv.conf (you can use different nameservers here). Your host's /etc/resolv.conf can be copied into the jail if you don't want to use the Google nameservers.

<box 100% round blue|/etc/resolv.conf (inside the jail; note that resolv has no trailing “e”)>

# google nameservers
nameserver 8.8.8.8
nameserver 8.8.4.4

</box>

Your jail should have network access now. If not, type exit to return to the host's shell and make sure your NAT rules are loaded.

pfctl -s nat

If no rules are displayed, either PF isn't enabled or there is an error in your pf.conf. At the shell prompt type “pfctl -vnf /etc/pf.conf” to check your pf.conf for errors. If there are no errors, make sure PF is enabled with “pfctl -e”. You should also remove any blocking rules from your pf.conf to ensure they aren't causing the problem.

You can't ping from inside jails because raw sockets are disabled. If dig and whois work, your jail's network access is working. If you need to use ping you can change the following setting on your host.

sysctl security.jail.allow_raw_sockets=1

You will need to restart your jail for the change to take effect. Make sure to disable raw sockets again once you are done testing.

sysctl security.jail.allow_raw_sockets=0

Redirecting Traffic To Jail

Now that all the basics are set up we can add a redirect for incoming traffic. This redirects ports 80 and 443 on the host system to the jail running the webserver (you can change these ports to match whatever application you are running in your jail).

<box 100% round blue|/etc/pf.conf>

#INTERFACES
ext_if="em0"
int_if = "lo1"
jailnet = $int_if:network

# Name and IP of jails
WEBSERVER="10.1.1.1"

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 80 or 443 to jailed webserver
rdr pass on $ext_if inet proto tcp to port http -> $WEBSERVER port http
rdr pass on $ext_if inet proto tcp to port https -> $WEBSERVER port https

</box>
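The troubleshooting steps above (checking pfctl -s nat, that PF is enabled, and that raw sockets are disabled again after testing) collected into one host-side check script. This is an added example, not part of the original HowTo; it assumes the page's values (lo1, 10.1.1.1, em0, the http/https rdr rules), and each check_* function takes the relevant command output as an argument so the parsing can be exercised on captured text.

```shell
#!/bin/sh
# Added example (not from the original HowTo): sanity checks for the host-side
# jail networking described above. Assumed values match the page: lo1 for the
# jail loopback, 10.1.1.1 for the jail, em0 as the external interface.

JAIL_IF="lo1"
JAIL_IP="10.1.1.1"
EXT_IF="em0"

# 0 if `ifconfig lo1` output shows the jail address on the cloned loopback.
check_jail_if() {
    printf '%s\n' "$1" | grep -q "inet ${JAIL_IP} "
}

# 0 if `pfctl -s info` output reports that PF is enabled.
check_pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# 0 if `pfctl -s nat` output contains the outbound nat rule on the external
# interface plus rdr rules for http and https pointing at the jail. pfctl may
# print service names or numbers depending on /etc/services, so accept both.
check_nat_rules() {
    printf '%s\n' "$1" | grep -q "^nat on ${EXT_IF} .*-> (${EXT_IF})" || return 1
    printf '%s\n' "$1" | grep -Eq "^rdr .*on ${EXT_IF} .*port = (http|80) -> ${JAIL_IP} port (http|80)" || return 1
    printf '%s\n' "$1" | grep -Eq "^rdr .*on ${EXT_IF} .*port = (https|443) -> ${JAIL_IP} port (https|443)"
}

# 0 if `sysctl -n security.jail.allow_raw_sockets` output is 0 again.
check_raw_sockets_off() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# Run every check against the live host and report what is missing.
run_checks() {
    rc=0
    check_jail_if "$(ifconfig "$JAIL_IF" 2>/dev/null)" || { echo "FAIL: ${JAIL_IP} is not on ${JAIL_IF} (ifconfig lo1 create, or fix rc.conf)"; rc=1; }
    check_pf_enabled "$(pfctl -s info 2>/dev/null)" || { echo "FAIL: PF is disabled (pfctl -e)"; rc=1; }
    check_nat_rules "$(pfctl -s nat 2>/dev/null)" || { echo "FAIL: nat/rdr rules not loaded (pfctl -vnf /etc/pf.conf)"; rc=1; }
    check_raw_sockets_off "$(sysctl -n security.jail.allow_raw_sockets 2>/dev/null)" || { echo "WARN: jails may still open raw sockets (sysctl security.jail.allow_raw_sockets=0)"; rc=1; }
    return $rc
}

# Only touch the live system where pfctl exists (i.e. on the FreeBSD host).
if command -v pfctl >/dev/null 2>&1; then run_checks; fi
```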

Jail Startup

With everything up and running we can further tweak the jail.

  • Create an empty /etc/fstab via touch /etc/fstab
  • Run newaliases to quell sendmail warnings.
  • Set a root password, probably different from the real host system (type passwd at the shell prompt of the jail)
  • Set the timezone (via tzsetup at the shell prompt of the jail)

<box 100% round blue|/etc/rc.conf>

network_interfaces=""           # Quell startup warnings about ifconfig
rpcbind_enable="NO"             # Disable the RPC daemon
cron_flags="$cron_flags -J 15"  # Prevent lots of jails running cron jobs at the same time
syslogd_flags="-ss"             # Disable syslogd listening for incoming connections
sendmail_enable="NONE"          # Completely disable sendmail
clear_tmp_enable="YES"          # Clear /tmp at startup

</box>

<box 100% round blue|/etc/crontab (inside the jail; comment out the following line)>

# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
#1,31   0-5     *       *       *       root    adjkerntz -a

</box>

Jail Security

Once any software is installed on a system, monitoring that software for published vulnerabilities is very important. Portaudit checks whether installed ports are listed in a database of published security vulnerabilities. It updates the security database automatically and includes its reports in the output of the daily security run. The host system can easily be set up to check the installed ports inside all jails as well.

ON THE MAIN HOST SYSTEM

portmaster --packages-build --delete-build-only --force-config ports-mgmt/portaudit

Portaudit will automatically check the host system. To have each jail checked in the daily security run output as well, create the following file.

<box 100% round blue|/usr/local/etc/periodic/security/420.jailportaudit & chmod 555>

#!/bin/sh
# Run portaudit against the packages installed in every running jail, so the
# results show up in the host's daily security run next to its own report.

# Print the name of the jail with the given jid.
get_jail_name()
{
    jls -j "$1" name
}

# Feed the jail's installed package list to portaudit on the host.
check_jail()
{
    jid=$1
    name=$(get_jail_name "$jid")

    echo "==== checking jail :: ${name} :: ===="
    /usr/sbin/jexec "$jid" pkg_info | /usr/bin/awk '{print $1}' | /usr/bin/xargs /usr/local/sbin/portaudit
    echo
}

main()
{
    # With an explicit parameter jls prints no header, one jid per line.
    for i in $(jls jid)
    do
        check_jail "$i"
    done
}

main

</box>

Finishing Up

You should now be able to go back and add jails and services very easily. Take a look at ezjail flavours to tailor a jail's initial setup to your needs. Once you have things set up you can also edit your host's pf.conf to actually block certain traffic, and test to make sure it works accordingly. Both of those are beyond the scope of this HowTo, though.

I hope this helps people out.

appserverwithezjail.txt · Last modified: 2014/10/02 14:18 by admin