Saturday, October 13, 2007

FreeBSD jails the easy way

Jails are a nice, easy way to isolate processes in FreeBSD. A jail makes it possible to run services in a virtual system, keeping them from interacting with the host system. More in-depth information can be found here.

Most, if not all, of the tutorials I have found have you recompile the system into a new directory, as the section6 wiki does. This just seems overly complicated and hard to do, especially if you are in a pinch for time. While getting ready for a security competition, my partner Sean Jordan introduced me to the sysinstall method of making jails.

When making partitions I like to create a /jail partition to give the jails their own partition. I suggest making it at least 2 GB for each jail. Also remember that all the files used by the users and services in the jail need to be on that partition, so size it accordingly. Each jail needs its own IP address; for my setup I am behind a router running NAT, using the subnet 172.16.67.0/24.

Once FreeBSD is installed start making the needed directories.

  1. mkdir /jail/master
  2. mkdir /jail/master/usr/
  3. cp -R /bin/ /jail/master/bin
  4. cp -R /etc/ /jail/master/etc
  5. cp -R /lib/ /jail/master/lib
  6. cp -R /libexec/ /jail/master/libexec
  7. cp -R /sbin/ /jail/master/sbin
  8. cp -R /usr/share /jail/master/usr/share
  9. cp -R /usr/bin /jail/master/usr/bin
  10. cp -R /usr/sbin /jail/master/usr/sbin
  11. cp -R /usr/lib /jail/master/usr/lib
Once you have all the needed directories, chroot yourself into /jail/master and run sysinstall
  1. chroot /jail/master /bin/csh
  2. /usr/sbin/sysinstall
Once you are in, choose
  1. Configure
  2. Distributions
  3. base
  4. (use ftp for media source)
  5. exit sysinstall
When you have the whole base distribution, exit the chroot
  1. exit
For demonstration purposes I'll create two jails, ssh and dns
  1. cp -R /jail/master/ /jail/ssh
  2. cp -R /jail/master/ /jail/dns
After the directories are made, edit /etc/rc.conf
  1. vi /etc/rc.conf
Add the following lines

  1. ifconfig_lnc0_alias0="172.16.67.47 netmask 255.255.255.0" #Add alias for your network
  2. ifconfig_lnc0_alias1="172.16.67.48 netmask 255.255.255.0" #Add alias for your network
  3. jail_enable="YES" # Set to NO to disable starting of any jails
  4. jail_list="ssh dns" # Space separated list of names of jails
  5. jail_set_hostname_allow="NO" # Allow root user in a jail to change its hostname
  6. jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
  7. jail_ssh_rootdir="/jail/ssh"
  8. jail_ssh_hostname="ssh.bsd.local"
  9. jail_ssh_ip="172.16.67.47"
  10. jail_ssh_exec_start="/bin/sh /etc/rc"
  11. jail_ssh_devfs_enable="YES"
  12. jail_ssh_devfs_ruleset="devfsrules_jail"
  13. jail_dns_rootdir="/jail/dns"
  14. jail_dns_hostname="dns.bsd.local"
  15. jail_dns_ip="172.16.67.48"
  16. jail_dns_exec_start="/bin/sh /etc/rc"
  17. jail_dns_devfs_enable="YES"
  18. jail_dns_devfs_ruleset="devfsrules_jail"
Once the file is saved, start the jails and set up the NIC
  1. sh /etc/rc
Check that the jails are running by using jls
    JID  IP Address     Hostname         Path
      2  172.16.67.48   dns.bsd.local    /jail/dns
      1  172.16.67.47   ssh.bsd.local    /jail/ssh
Check that the interface is listening on the correct IP addresses by running ifconfig

    lnc0: flags=108843 mtu 1500
        inet6 fe80::20c:29ff:fe3c:1ce8%lnc0 prefixlen 64 scopeid 0x1
        inet 172.16.67.46 netmask 0xffffff00 broadcast 172.16.67.255
        inet 172.16.67.47 netmask 0xffffff00 broadcast 172.16.67.255
        inet 172.16.67.48 netmask 0xffffff00 broadcast 172.16.67.255
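The whole procedure above (copying the base directories into the master tree, writing the interface aliases and the jail_* entries for /etc/rc.conf, and confirming the result against jls output) as one POSIX sh script. This is an added example, not the post's own commands and not part of FreeBSD's rc system: the directory list, the lnc0 interface, the jail_* keys and the 172.16.67.0/24 addresses are the post's, while the SRC/DST parameters of populate_master, the IPv4 and jail-name validation, and the jls-parsing check are assumptions so the functions can be exercised against a scratch directory and a listing copied from the post. sysinstall still has to be run interactively inside the chroot, as described above.

```shell
#!/bin/sh
# Added example (not from the original post): automates the master-tree copy,
# the rc.conf entries and the jls check described in the post. SRC/DST
# parameters and the validation helpers are assumptions made here.

# Directories the post copies from the host into the master tree.
JAIL_DIRS="bin etc lib libexec sbin usr/share usr/bin usr/sbin usr/lib"

# populate_master SRC DST: copy the base directories from SRC (normally /)
# into DST (normally /jail/master). sysinstall must still be run inside the
# chroot afterwards to fetch the full base distribution.
populate_master() {
    src=$1; dst=$2
    mkdir -p "$dst/usr" || return 1
    for d in $JAIL_DIRS; do
        [ -d "$src/$d" ] || { echo "populate_master: missing $src/$d" >&2; return 1; }
        mkdir -p "$dst/$d" || return 1
        cp -R "$src/$d/." "$dst/$d/" || return 1
    done
    return 0
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# jail_rc_conf NAME ROOT IP HOSTNAME: the per-jail rc.conf lines for one jail,
# in the form the post uses. Rejects names that cannot form a jail_NAME_* key.
jail_rc_conf() {
    name=$1; root=$2; ip=$3; host=$4
    case $name in ''|*[!a-z0-9_]*) echo "jail_rc_conf: bad name '$name'" >&2; return 1 ;; esac
    valid_ipv4 "$ip" || { echo "jail_rc_conf: bad address '$ip'" >&2; return 1; }
    printf 'jail_%s_rootdir="%s"\n' "$name" "$root"
    printf 'jail_%s_hostname="%s"\n' "$name" "$host"
    printf 'jail_%s_ip="%s"\n' "$name" "$ip"
    printf 'jail_%s_exec_start="/bin/sh /etc/rc"\n' "$name"
    printf 'jail_%s_devfs_enable="YES"\n' "$name"
    printf 'jail_%s_devfs_ruleset="devfsrules_jail"\n' "$name"
}

# host_rc_conf IFACE NETMASK NAME=IP ...: one interface alias per jail plus
# the global jail_* settings; jail_list is assembled from the NAME parts.
host_rc_conf() {
    iface=$1; mask=$2; shift 2
    i=0; list=
    for spec in "$@"; do
        name=${spec%%=*}; ip=${spec#*=}
        valid_ipv4 "$ip" || { echo "host_rc_conf: bad address '$ip'" >&2; return 1; }
        printf 'ifconfig_%s_alias%d="%s netmask %s"\n' "$iface" "$i" "$ip" "$mask"
        i=$((i + 1)); list="$list${list:+ }$name"
    done
    echo 'jail_enable="YES"'
    printf 'jail_list="%s"\n' "$list"
    echo 'jail_set_hostname_allow="NO"'
    echo 'jail_socket_unixiproute_only="YES"'
}

# jail_running NAME IP LISTING: succeed if LISTING (the output of jls) shows a
# jail with address IP whose hostname starts with "NAME." (ssh.bsd.local etc.).
jail_running() {
    printf '%s\n' "$3" | awk -v name="$1" -v ip="$2" \
        'NR > 1 && $2 == ip && index($3, name ".") == 1 { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed jls listing, copied from the post's output, for trying the check.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     2  172.16.67.48    dns.bsd.local                 /jail/dns
     1  172.16.67.47    ssh.bsd.local                 /jail/ssh'
```

On the real host the sequence would be `populate_master / /jail/master`, the chroot and sysinstall steps, `cp -R` of the master tree to each jail root, then `host_rc_conf lnc0 255.255.255.0 ssh=172.16.67.47 dns=172.16.67.48` and one `jail_rc_conf` call per jail appended to /etc/rc.conf; after `sh /etc/rc`, `jail_running ssh 172.16.67.47 "$(jls)"` confirms each jail came up on the address it was given.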

To enter a jail, use jexec
  1. jexec 1 /usr/local/bin/bash
Stopping jails can be done in two ways: /etc/rc.d/jail or pkill.
To stop all running jails run
  1. /etc/rc.d/jail stop
To stop just one jail run
  1. pkill -j JID
Once you are in the jail you can do whatever you would do on a normal system. If you want to use ICMP within the jail, set security.jail.allow_raw_sockets to 1 in /etc/sysctl.conf
  1. security.jail.allow_raw_sockets=1
On a final note, there are no users within the jail yet and the root user has no password, so be sure to set one using the passwd command.

3 comments:

pbsl said...

thanks for sharing this site. you can download lots of ebook from here

http://feboook.blogspot.com

shk said...

To stop just 1 jail run

1. pkill -j JID

Or /etc/rc.d/jail stop JAIL_NAME

:-)

inlays56 said...

Hi there. I am about to chroot into /jail/master and run sysinstall. When it comes to the FTP transfer process it can be transfer. I also tried to use other servers and the result is the same. Please advise. Thanks in advance