Jail setup

Chris Meyers chris at hddesign.com
Thu Mar 4 15:31:59 PST 2004


I need to set up a new mail server at a different building, so I thought
I would put sendmail and its services (virus scanning etc.) in a jail to
be a bit more secure. I thought that before I do this for real I would
try setting up a jail on a test server and see if I can ssh to it and
generally get things to work. I can't.

Here's what I have set up so far. I found a couple how-tos and I am
following them; one is an ONLamp article
(http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
is the jails section of the AbsoluteBSD book. I am running 5.1.

On the server I set up a /usr/jail directory to put the jail into. Then
I ran the following from /usr/src/:

# make world DESTDIR=/usr/jail
# cd etc
# make distribution DESTDIR=/usr/jail
# cd /usr/jail/dev
# sh MAKEDEV jail

This is where I had my first problem, MAKEDEV doesn't exist. At first I
was a bit concerned about this, then I remembered that in 5.0 and above
MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
right someone please tell me). I didn't worry about this.

Next I ran:
# cd ../
# ln -sf /dev/null kernel

Then I started my jail:
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh

Things seem to be fine. I can see the jailed environment and everything
looks fine. I log out and then try to set up the last configurations so I
can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
following lines:

ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"

I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config. 

In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:

portmap_enable="NO"
ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
sendmail_enable="YES"
sshd_enable="YES"

and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

I then rebooted to shut all services down. When the system was back up
and running I ran the commands to mount and start the jail:

# mount -t procfs proc /usr/jail/proc
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc

Things seem to "boot" fine until it gets to sendmail; it seems to hang
there (sshd starts fine though). Eventually sendmail times out and I get
a prompt. I figure my jail is running (minus sendmail which I don't care
about at the moment), and a ps -ax|grep J shows a few jailed processes
running including sshd. From another system I try:
% ssh 10.0.0.203
and I get nothing. I can ping 10.0.0.203 just fine (as well as
10.0.0.202). A sockstat -4 shows:
root     sshd       3041  3  tcp4   10.0.0.203:22         *:*
root     syslogd    2908  4  udp4   10.0.0.203:514        *:*
root     sshd       2650  3  tcp4   10.0.0.202:22         *:*

so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
202 without problem, I just can't get into the jail.

Can anybody tell me where I screwed up, or other things to look for? Any
help would be appreciated.

Thanks,
Chris
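A small check a reader might run after splitting services between host and jail as described above (added here as an example, not part of Chris's post): it parses sockstat -4 style output and flags any socket bound to the wildcard address, which a host service would otherwise also answer on the jail's IP, and confirms sshd is bound on both the host address (10.0.0.202) and the jail address (10.0.0.203). The sockstat sample below is constructed; on a live system feed it "$(sockstat -4)" instead.

```shell
# Constructed sockstat -4 style output (not from the original post); the
# sendmail line is added to show what a wildcard bind looks like.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       3041  3  tcp4   10.0.0.203:22         *:*
root     syslogd    2908  4  udp4   10.0.0.203:514        *:*
root     sshd       2650  3  tcp4   10.0.0.202:22         *:*
root     sendmail   2700  4  tcp4   *:25                  *:*'

# wildcard_listeners: prints "COMMAND PID PROTO PORT" for every socket whose
# local address is "*", i.e. bound to all addresses including the jail's.
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $3, $5, a[2] }'
}

# listeners_on: prints "COMMAND:PORT" for every socket bound to the given IP.
listeners_on() {
    printf '%s\n' "$1" |
        awk -v ip="$2" 'NR > 1 { split($6, a, ":"); if (a[1] == ip) print $2 ":" a[2] }'
}

# check_jail_split: returns 0 only when there is no wildcard listener and
# sshd is listening on port 22 of both the host IP and the jail IP.
check_jail_split() {
    out="$1"; host_ip="$2"; jail_ip="$3"
    rc=0
    if [ -n "$(wildcard_listeners "$out")" ]; then
        echo "WARN: wildcard listeners (these also answer on the jail address):"
        wildcard_listeners "$out"
        rc=1
    fi
    for ip in "$host_ip" "$jail_ip"; do
        if ! listeners_on "$out" "$ip" | grep -q '^sshd:22$'; then
            echo "WARN: no sshd listening on $ip:22"
            rc=1
        fi
    done
    return $rc
}

# Usage on the constructed sample: reports the sendmail wildcard bind.
check_jail_split "$SAMPLE_SOCKSTAT" 10.0.0.202 10.0.0.203 || echo "split check failed"
```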