wiki:FreeBSDJail

Version 15 (modified by Rick van der Zwet, 14 years ago) ( diff )

--

Warning: XXX: Work in progress, please do not FOLLOW not yet completed.

This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions:

  • file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself.
  • The sample jail is called pzwet and is located in file:/usr/jail/pzwet and has IP 178.63.108.109 assigned to it.
  • All services dependencies are within their own jail, so I can start and stop jails without affecting the others.
  • My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for incoming email only.
  • I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system.

Important: Your jail server should not run any public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it. Tip: Jails does NOT have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address.

First make sure to install the jail using the method in the handbook

pzwet# cat <<EOF >> /etc/rc.conf
#
# Base Services
sshd_enable="YES"
syslogd_flags="-ss"

sendmail_enable="YES"

# saving entropy bits is not useful within jails, as your host will do handle this.
entropy_dir="NO" 
# Get some jitter in your cron runs to make sure the does not all run at time same time. 
# Do NOT use if you rely on having your process to start at 'exact' that time.
cron_flags="-J10"

#
# Port Services
spamass_milter_enable="YES"
spamass_milter_localflags="-i 178.63.108.109,0.0.0.0 -r -1 -- -U /var/run/spamd.sock"

spamd_enable="YES"
spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody"

EOF

pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean

Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab

Note: See TracWiki for help on using the wiki.