{"id":595,"date":"2012-01-08T06:17:31","date_gmt":"2012-01-08T06:17:31","guid":{"rendered":"http:\/\/poojanwagh.opalstacked.com\/techblog\/?p=595"},"modified":"2012-01-17T13:21:23","modified_gmt":"2012-01-17T13:21:23","slug":"set-up-vimagevnet-jail-on-freebsd-8-2","status":"publish","type":"post","link":"https:\/\/tech.poojanblog.com\/blog\/unix-linux\/set-up-vimagevnet-jail-on-freebsd-8-2\/","title":{"rendered":"Set up vimage\/vnet jail on FreeBSD 8.2"},"content":{"rendered":"

With epair, there are two interfaces created epair0a<\/code> and eapir0b<\/code> that are direct connections between each other (like an Ethernet cable). When used with jails using an ifconfig<\/code> vnet<\/code> command, one side (epair0b<\/code> for example) sgoes inside the jail. Since the other side of this virtual direct-connection stays on the outside of the jail, the epair<\/code> pairs act as an Ethernet tunnel inside\/outside the jail. You can use firewall rules either outside the jail or inside the jail to control traffic.<\/p>\n

<\/p>\n

I’m using ezjail-admin with the following patch to \/etc\/rc.d\/jail (taken from the FreeBSD Forums<\/a>):<\/p>\n\n

638,639c638,644\r\n<               eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \\\r\n<                       \\\"${_addrl}\\\" ${_exec_start} > ${_tmp_jail} 2>&1\r\n---\r\n>               if [ -z \"${_addrl}\" ] ; then\r\n>                       eval ${_setfib} jail -i ${_flags} path=${_rootdir} host.hostname=${_hostname} \\\r\n>                               command=${_exec_start} > ${_tmp_jail} 2>&1\r\n>               else\r\n>                       eval ${_setfib} jail -i ${_flags} ${_rootdir} ${_hostname} \\\r\n>                                 \\\"${_addrl}\\\" ${_exec_start} > ${_tmp_jail} 2>&1\r\n>               fi\r\n<\/code><\/pre>\n
For example, I have two jails. I create the interfaces like so in [ccie]\/etc\/rc.conf[\/ccie]:<\/p>\n<\/p>\n
# ezjail with vimage\/epair config
\n# http:\/\/forums.freebsd.org\/showthread.php?t=9006
\n# http:\/\/lifanov.com\/doc\/vimage.html
\ncloned_interfaces=”epair0 epair1 bridge0″
\nifconfig_epair0a=”up”
\nifconfig_epair1a=”up”
\nifconfig_bridge0=”name jailbridge addm re0 up”<\/p>\n
<\/code>\n
On the inside of the jail, I just need to set the IP address of the epair0b<\/code> and epair1b<\/code> interfaces. I’m using ezjail Here’s a sample [ccie]\/usr\/local\/etc\/ezjail\/<jail_name>[\/ccie], in this case for a subsonic server:<\/p>\n<\/p>\n
# To specify the start up order of your ezjails, use these lines to
\n# create a Jail dependency tree. See rcorder(8) for more details.
\n#
\n# PROVIDE: standard_ezjail
\n# REQUIRE:
\n# BEFORE:
\n#<\/p>\n
# vnet stuff: http:\/\/forums.freebsd.org\/showthread.php?t=9006
\n# http:\/\/lifanov.com\/doc\/vimage.html
\n# http:\/\/zewaren.net\/site\/?q=node\/71
\nexport jail_subsonic_flags=”-c vnet name=subsonic”
\n#export jail_subsonic_exec_prestart0=”ifconfig epair0 create”
\n#export jail_subsonic_exec_prestart1=”ifconfig epair0a up”<\/p>\n
# sometiems rc.conf doesn’t do this:
\nexport jail_subsonic_exec_prestart0=”ifconfig jailbridge addm re0″
\nexport jail_subsonic_exec_prestart1=”ifconfig jailbridge addm epair0a up”
\nexport jail_subsonic_exec_prestart2=”mount_nullfs -o ro \/tank\/music \/usr\/jails\/subsonic\/var\/music”
\nexport jail_subsonic_exec_prestart3=”mount_nullfs -o rw \/tank\/music\/Playlists \/usr\/jails\/subsonic\/var\/playlists”<\/p>\n
export jail_subsonic_exec_poststart0=”ifconfig epair0b vnet subsonic”
\n#export jail_subsonic_exec_poststart1=”jexec subsonic \/etc\/rc.d\/ipfw start”
\nexport jail_subsonic_exec_poststart1=”jexec subsonic ifconfig lo0 127.0.0.1″
\nexport jail_subsonic_exec_poststart2=”jexec subsonic ifconfig epair0b 192.168.1.9 netmask 255.255.255.0″
\nexport jail_subsonic_exec_poststart3=”jexec subsonic route add default 192.168.1.1″
\nexport jail_subsonic_exec_poststop0=”umount \/usr\/jails\/subsonic\/var\/music”
\nexport jail_subsonic_exec_poststop1=”umount \/usr\/jails\/subsonic\/var\/playlists”<\/p>\n
export jail_subsonic_hostname=”subsonic”
\nexport jail_subsonic_ip=””
\nexport jail_subsonic_rootdir=”\/usr\/jails\/subsonic”
\nexport jail_subsonic_exec_start=”\/bin\/sh \/etc\/rc”\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # \/bin\/sh \/etc\/rc by default
\nexport jail_subsonic_exec_stop=””
\nexport jail_subsonic_mount_enable=”YES”
\nexport jail_subsonic_devfs_enable=”YES”
\nexport jail_subsonic_devfs_ruleset=”devfsrules_jail2″
\nexport jail_subsonic_procfs_enable=”NO”
\nexport jail_subsonic_fdescfs_enable=”NO”
\nexport jail_subsonic_image=””
\nexport jail_subsonic_imagetype=””
\nexport jail_subsonic_attachparams=””
\nexport jail_subsonic_attachblocking=””
\nexport jail_subsonic_forceblocking=””
\nexport jail_subsonic_zfs_datasets=””
\nexport jail_subsonic_cpuset=””
\nexport jail_subsonic_fib=””
\n<\/code>\n
Also, don’t forget that you need something like the following within your jail’s \/etc\/resolv.conf<\/code>:<\/p>\n
\nnameserver 192.168.1.1
\n<\/code>\n
I’m using FreeBSD’s IPFW. I have it set up so that it by default passes all packets. I can then control all firewall rules from the host (rather than in the jail). The last line of my host rules is a deny all to implementing the blocking on the host. I leave default rules within the jails (with epair\/vnet each jail gets its own firewall rules). I have things set up like:<\/p>\n<\/p>\n
oif=”re0″\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # out interface
\njail_brif=”jailbridge”\u00a0 # jail interface
\nsubsonic_ip=”192.168.1.9″ # jail IP
\nipdns=”192.168.1.1″
\nks=”keep-state”
\ncmd=”\/sbin\/ipfw -q add ”<\/p>\n
…<\/p>\n
$cmd 02000 allow ip from any to any via $oif
\n$cmd 03300 allow log icmp from $ipdns to $subsonic_ip $ks
\n$cmd 03310 allow log icmp from $ipdns to $jabber_ip $ks
\n$cmd 03350 allow log icmp from $subsonic_ip to $ipdns $ks
\n$cmd 03355 allow log icmp from $jabber_ip to $ipdns $ks
\n# DNS:
\n$cmd 03400 allow udp from $subsonic_ip to $ipdns 53 $ks
\n# subsonic:
\n$cmd 04500 allow ip from any to $subsonic_ip dst-port 8180 setup $ks
\n# allow last.fm scrobbling (etc):
\n$cmd 06600 allow log ip from $subsonic_ip to any dst-port 80 setup $ks
\n$cmd 06700 allow log ip from $subsonic_ip to any dst-port 443 setup $ks
\n$cmd 65500 deny log ip from any to any
\n<\/code>\n
It’s been a while since I set this up, and I’m not sure if the allow all on $oif<\/code> (command 02000) is really necessary.<\/p>\n