Date: Thu, 04 Mar 2004 17:31:55 -0600
From: Chris Meyers <chris@hddesign.com>
To: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Jail setup
Message-ID: <1078443115.662.61.camel@zim.hddesign.com>
I need to set up a new mail server at a different building, so I thought I would put sendmail and its services (virus scanning etc.) in a jail to be a bit more secure. I thought that before I do this for real I would try setting up a jail on a test server and see if I can ssh to it and generally get things to work. I can't. Here's what I have set up so far.

I found a couple of how-tos and I am following them; one is an ONLamp article (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other is the jails section of the AbsoluteBSD book. I am running 5.1.

On the server I set up a /usr/jail directory to put the jail into. Then I ran the following from /usr/src/:

# make world DESTDIR=/usr/jail
# cd etc
# make distribution DESTDIR=/usr/jail
# cd /usr/jail/dev
# sh MAKEDEV jail

This is where I had my first problem: MAKEDEV doesn't exist. At first I was a bit concerned about this, then I remembered that in 5.0 and above MAKEDEV isn't necessary, it is handled by the kernel (if that isn't right someone please tell me). I didn't worry about this. Next I ran:

# cd ../
# ln -sf /dev/null kernel

Then I started my jail:

# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh

Things seem to be fine. I can see the jailed environment and everything looks fine. I log out and then try to set up the last configurations so I can ssh in and run sendmail.

In the non-jail /etc/rc.conf I added the following lines:

ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"

I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.

In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:

portmap_enable="NO"
ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
sendmail_enable="YES"
sshd_enable="YES"

and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config.

I then rebooted to shut all services down. When the system was back up and running I ran the commands to mount and start the jail:

# mount -t procfs proc /usr/jail/proc
# jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc

Things seem to "boot" fine until it gets to sendmail; it seems to hang there (sshd starts fine though). Eventually sendmail times out and I get a prompt. I figure my jail is running (minus sendmail, which I don't care about at the moment), and a ps -ax|grep J shows a few jailed processes running, including sshd.

From another system I try:

% ssh 10.0.0.203

and I get nothing. I can ping 10.0.0.203 just fine (as well as 10.0.0.202). A sockstat -4 shows:

root sshd 3041 3 tcp4 10.0.0.203:22 *:*
root syslogd 2908 4 udp4 10.0.0.203:514 *:*
root sshd 2650 3 tcp4 10.0.0.202:22 *:*

so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to 202 without problem, I just can't get into the jail.

Can anybody tell me where I screwed up, or other things to look for? Any help would be appreciated.

Thanks,
Chris
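The post's configuration hinges on the host daemons binding only to 10.0.0.202 so the jail's daemons can own 10.0.0.203. The script below is an added example, not part of the original message: it audits a `sockstat -4` listing and tags each bound socket as HOST, JAIL or WILDCARD, the last being a host service still bound to every address. The sample input reproduces the post's three sockstat lines with a header and one constructed, hypothetical inetd line added to show what a wildcard bind looks like.

```shell
#!/bin/sh
# Audit `sockstat -4` output for sockets that collide with a jail's address.
# Added example, not from the original post. Assumes FreeBSD sockstat column
# order: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Constructed sample: the post's three lines, a header, and one hypothetical
# wildcard listener (inetd on *:25) that is NOT in the original post.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       3041  3  tcp4   10.0.0.203:22         *:*
root     syslogd    2908  4  udp4   10.0.0.203:514        *:*
root     sshd       2650  3  tcp4   10.0.0.202:22         *:*
root     inetd      2700  5  tcp4   *:25                  *:*'

# audit_listeners HOST_IP JAIL_IP  (reads sockstat output on stdin)
# Prints "TAG COMMAND PROTO LOCAL" for every bound socket (foreign *:*).
audit_listeners() {
    host_ip=$1
    jail_ip=$2
    awk -v host="$host_ip" -v jail="$jail_ip" '
        NR == 1 { next }                  # skip the header line
        $7 != "*:*" { next }              # keep only bound/listening sockets
        {
            split($6, a, ":")             # a[1] = address, a[2] = port
            if (a[1] == "*")       tag = "WILDCARD"   # grabs the jail IP too
            else if (a[1] == jail) tag = "JAIL"
            else if (a[1] == host) tag = "HOST"
            else                   tag = "OTHER"
            printf "%s %s %s %s\n", tag, $2, $5, $6
        }'
}

# wildcard_count HOST_IP JAIL_IP  (reads sockstat output on stdin)
# Number of host sockets bound to every address; 0 is what you want.
wildcard_count() {
    audit_listeners "$1" "$2" | grep -c '^WILDCARD'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners 10.0.0.202 10.0.0.203
```

On a live system pipe the real listing in with `sockstat -4 | audit_listeners 10.0.0.202 10.0.0.203`.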