FreeBSD jails

From Sasara
Revision as of 05:00, 27 September 2025 by Rubenerd (talk | contribs)

FreeBSD jails are a process isolation tool on FreeBSD (surprising though it may seem) that extends chroot(8) in wonderful ways.

Essential reading

Basic configuration

/etc/jail.conf

## Don't import host env vars
exec.clean;
 
## Start/stop jails
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
 
## Allow fdescfs and procfs (for services like Plex)
mount.devfs;
allow.mount.fdescfs;
allow.mount.procfs;
 
## Standard hostnames and locations based on jail name
path="/jail/${name}";
host.hostname="${name}.host.lan";
mount.fstab="/etc/fstab.${name}";

/etc/jail.conf.d/jailname.conf

jailname {
  ## Example
  ip4.addr="10.10.10.1";
   
  ## Required for Postgres
  allow.sysvipc=1;
   
  ## Required by some services
  mount.fdescfs;
  mount.procfs;
}
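To see what the two files above actually resolve to per jail (host defaults merged under each stanza, ${name} expanded) and to get a quick review of which settings widen what a jailed root can do, here is an added example of a small jail.conf reader and audit. It is not FreeBSD's own parser and not part of this page: it handles only the syntax subset used above (bare `key;`, `key=value;`, quoted values, `name { ... }` stanzas, `#` comments, `${var}`), the second `www` stanza and the WIDENING table are constructed for the demo, and the "allow.mount.* needs allow.mount" check follows jail(8).

```python
"""Minimal jail.conf(5) reader and audit for the two-file layout above.

Added example, not FreeBSD's parser: it understands the subset of the syntax
the page uses (``key;``, ``key="value";``, ``key=value;``, ``name { ... }``
stanzas, ``#`` comments, ``${var}`` substitution) and ignores ``+=`` and
unbraced ``$var``.  Values containing ``#`` are not supported.
"""
import re

# Constructed copies of the page's two files, embedded so this runs offline.
HOST_CONF = """\
## Don't import host env vars
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
mount.devfs;
allow.mount.fdescfs;
allow.mount.procfs;
path="/jail/${name}";
host.hostname="${name}.host.lan";
mount.fstab="/etc/fstab.${name}";
"""

JAIL_CONF_D = """\
jailname {
  ip4.addr="10.10.10.1";
  allow.sysvipc=1;      ## Required for Postgres
  mount.fdescfs;
  mount.procfs;
}
## Second, constructed stanza with a different privilege profile.
www {
  ip4.addr="10.10.10.2";
  allow.raw_sockets=1;
}
"""

OPEN = re.compile(r"\s*([A-Za-z_][\w.]*)\s*\{")
CLOSE = re.compile(r"\s*\}")
STMT = re.compile(r'\s*([A-Za-z_][\w.]*)\s*(?:=\s*("[^"]*"|[^;{}]*?))?\s*;')


def parse(text):
    """Return (host_defaults, {jail: params}).  A bare ``key;`` becomes True."""
    text = re.sub(r"#.*", "", text)          # strip comments to end of line
    defaults, jails, current = {}, {}, None
    pos = 0
    while text[pos:].strip():
        rest = text[pos:]
        if (m := OPEN.match(rest)) and current is None:
            current = jails.setdefault(m.group(1), {})
        elif (m := CLOSE.match(rest)) and current is not None:
            current = None
        elif (m := STMT.match(rest)):
            key, val = m.group(1), m.group(2)
            if val is None:
                val = True                    # boolean shorthand
            elif val.startswith('"'):
                val = val[1:-1]               # drop the surrounding quotes
            else:
                val = val.strip()
            (defaults if current is None else current)[key] = val
        else:
            raise ValueError(f"syntax error near {rest[:30]!r}")
        pos += m.end()
    return defaults, jails


def resolve(defaults, jails):
    """Apply host defaults under every stanza and expand ${var} references,
    using the jail's own name for ${name} as jail.conf does."""
    out = {}
    for name, params in jails.items():
        eff = {**defaults, **params, "name": name}

        def expand(v, eff=eff):
            if not isinstance(v, str):
                return v
            return re.sub(r"\$\{([\w.]+)\}",
                          lambda m: str(eff.get(m.group(1), m.group(0))), v)
        out[name] = {k: expand(v) for k, v in eff.items()}
    return out


# Knobs that hand a jailed root something it would not otherwise have.
WIDENING = {
    "allow.sysvipc": "shares the host's System V IPC namespace (Postgres needs it)",
    "allow.raw_sockets": "permits raw IP sockets (ping(8) needs this)",
    "allow.mount": "permits mounting jail-friendly filesystems from inside",
    "allow.chflags": "permits changing system file flags",
}


def on(v):
    return v is True or str(v).lower() in ("1", "true", "yes")


def audit(resolved):
    """Return {jail: [finding, ...]} for settings a reviewer should look at."""
    findings = {}
    for name, p in resolved.items():
        notes = []
        if not on(p.get("exec.clean")):
            notes.append("exec.clean unset: host environment is inherited")
        for key, why in WIDENING.items():
            if on(p.get(key)):
                notes.append(f"{key}: {why}")
        # jail(8): allow.mount.<fs> only takes effect together with allow.mount.
        sub = [k for k in p if k.startswith("allow.mount.") and on(p[k])]
        if sub and not on(p.get("allow.mount")):
            notes.append(f"{', '.join(sub)} set without allow.mount: no effect")
        if "ip4.addr" not in p and "ip6.addr" not in p and not on(p.get("vnet")):
            notes.append("no ip4.addr/ip6.addr/vnet: jail has no network")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    # jail(8) reads both files; here they are simply concatenated.
    defaults, jails = parse(HOST_CONF + JAIL_CONF_D)
    for jail, params in resolve(defaults, jails).items():
        print(jail, params["path"], params["host.hostname"])
    for jail, notes in audit(resolve(defaults, jails)).items():
        print(jail, notes)
```

The audit is intentionally a list of prompts, not verdicts: `allow.sysvipc` is exactly what the page enables for Postgres, and the point is to make such grants visible per jail after the host defaults have been merged in, rather than to forbid them.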

Quick and dirty jails with loopback networking

Enable IP forwarding

# sysctl net.inet.ip.forwarding=1

Configure loopback interface

# sysrc cloned_interfaces="lo1"
# sysrc ipv4_addrs_lo1="10.10.10.1-9/29"

Configure pf

 ## pf.conf
 [...]
 nat pass on $EXT_IF from $NET_JAIL to any -> $EXT_IP
 rdr pass on $EXT_IF proto tcp from any to $EXT_IP port $WWW_PORT -> $WWW_JAIL
 [...]
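The three steps above only work together when the addresses line up: the jail's ip4.addr must be one of the aliases put on lo1, that alias must fall inside $NET_JAIL so the nat rule matches it, and the rdr target must be a jail address. The following added example (not from the page or its author) expands the rc.conf range shorthand, renders the two pf rules with their macros substituted, and reports any mismatch. The macro values EXT_IF, EXT_IP, NET_JAIL, WWW_JAIL, WWW_PORT and the jail address table are constructed for the demo; only the ipv4_addrs_lo1 value comes from the page.

```python
"""Consistency check for the loopback-jail layout above: expand the rc.conf
range for lo1, render the pf nat/rdr rules, and verify that every jail
address and every redirect target is an lo1 address inside $NET_JAIL.

Added example, not part of the page.  Macro values and the jail address
table are constructed for the demo.
"""
import ipaddress
import re

# rc.conf value from the page; everything else below is constructed.
IPV4_ADDRS_LO1 = "10.10.10.1-9/29"
MACROS = {
    "EXT_IF": "em0",
    "EXT_IP": "203.0.113.10",     # RFC 5737 documentation address
    "NET_JAIL": "10.10.10.0/28",  # wide enough to cover .1 through .9
    "WWW_JAIL": "10.10.10.2",
    "WWW_PORT": "80",
}
JAIL_ADDRS = {"db": "10.10.10.1", "www": "10.10.10.2"}

RULES = [
    "nat pass on $EXT_IF from $NET_JAIL to any -> $EXT_IP",
    "rdr pass on $EXT_IF proto tcp from any to $EXT_IP port $WWW_PORT -> $WWW_JAIL",
]


def expand_lo1(spec):
    """Expand rc.conf's 'A.B.C.X-Y/M' shorthand into the addresses ifconfig
    assigns; a plain 'A.B.C.D/M' yields one address."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?/(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised address spec {spec!r}")
    prefix, lo, hi, _plen = m.groups()
    hi = hi or lo
    return [ipaddress.ip_address(f"{prefix}{i}") for i in range(int(lo), int(hi) + 1)]


def render(rule, macros):
    """Substitute $MACRO tokens the way pfctl expands macros; unknown ones raise."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined pf macro ${name}")
        return macros[name]
    return re.sub(r"\$(\w+)", sub, rule)


def check(lo1_spec, macros, jail_addrs, rules):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    lo1 = set(expand_lo1(lo1_spec))
    net_jail = ipaddress.ip_network(macros["NET_JAIL"], strict=True)
    for a in sorted(lo1):
        if a not in net_jail:
            problems.append(f"lo1 address {a} is outside $NET_JAIL, so it is not NATed")
    for jail, addr in jail_addrs.items():
        if ipaddress.ip_address(addr) not in lo1:
            problems.append(f"jail {jail}: ip4.addr {addr} is not configured on lo1")
    for rule in rules:
        if rule.startswith("rdr"):
            # The redirect target is the first token after '->' (a port may follow).
            target_str = render(rule, macros).rsplit("->", 1)[1].split()[0]
            target = ipaddress.ip_address(target_str)
            if target not in lo1:
                problems.append(f"rdr target {target} is not an lo1 address")
            if target_str not in jail_addrs.values():
                problems.append(f"rdr target {target} does not belong to any jail")
    return problems


if __name__ == "__main__":
    for rule in RULES:
        print(render(rule, MACROS))
    print(check(IPV4_ADDRS_LO1, MACROS, JAIL_ADDRS, RULES) or "lo1, pf and jail addresses agree")
    # Edge case: a jail given an address that was never put on lo1.
    print(check(IPV4_ADDRS_LO1, MACROS, {**JAIL_ADDRS, "stray": "10.10.10.20"}, RULES))
```

Two caveats worth keeping next to this: `sysctl net.inet.ip.forwarding=1` does not survive a reboot, so the persistent form is `gateway_enable="YES"` in rc.conf, and the real pf.conf should still be checked with `pfctl -nf /etc/pf.conf` before loading, since this script only checks address agreement, not pf syntax.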

Better vnet-based networking

#TODO here!

Better IPv6-based networking

#TODO here!