Jail setup
Chris Meyers
chris at hddesign.com
Thu Mar 4 15:31:59 PST 2004
I need to set up a new mail server at a different building, so I thought
I would put sendmail and its services (virus scanning etc.) in a jail to
be a bit more secure. I thought that before I do this for real I would
try setting up a jail on a test server and see if I can ssh to it and
generally get things to work. I can't.
Here's what I have set up so far. I found a couple how-tos and I am
following them; one is an ONLamp article
(http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
is the jails section of the AbsoluteBSD book. I am running 5.1.
On the server I set up a /usr/jail directory to put the jail into. Then
I ran the following from /usr/src/:
# make world DESTDIR=/usr/jail
# cd etc
# make distribution DESTDIR=/usr/jail
# cd /usr/jail/dev
# sh MAKEDEV jail
This is where I had my first problem, MAKEDEV doesn't exist. At first I
was a bit concerned about this, then I remembered that in 5.0 and above
MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
right someone please tell me). I didn't worry about this.
Next I ran:
# cd ../
# ln -sf /dev/null kernel
Then I started my jail:
#jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh
Things seem to be fine. I can see the jailed environment and everything
looks fine. I log out and then try to set up the last configuations so I
can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
following lines:
ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"
I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.
In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:
portmap_enable="NO"
ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
sendmail_enable="YES"
sshd_enable="YES"
and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config
I then rebooted to shut all services down. When the system was back up
and running I ran the commands to mount and start the jail:
# mount -t procfs proc /usr/jail/proc
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc
Things seem to "boot" fine until it gets to sendmail; it seems to hang
there (sshd starts fine though). Eventually sendmail times out and I get
a prompt. I figure my jail is running (minus sendmail which I don't care
about at the moment), and a ps -ax|grep J shows a few jailed processes
running including sshd. From another system I try:
% ssh 10.0.0.203
and I get nothing. I can ping 10.0.0.203 just fine (as well as
10.0.0.202). A sockstat -4 shows:
root sshd 3041 3 tcp4 10.0.0.203:22 *:*
root syslogd 2908 4 udp4 10.0.0.203:514 *:*
root sshd 2650 3 tcp4 10.0.0.202:22 *:*
so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
202 without problem, I just can't get into the jail.
Can anybody tell me where I screwed up, or other things to look for. Any
help would be appreciated.
Thanks,
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040304/98757d33/attachment.bin
More information about the freebsd-questions
mailing list