Date:      Fri, 5 Mar 2004 07:57:51 +0100
From:      Harald Schmalzbauer <h@schmalzbauer.de>
To:        freebsd-questions@freebsd.org, chris@hddesign.com
Subject:   Re: Jail setup
Message-ID:  <200403050757.56345.h@schmalzbauer.de>
In-Reply-To: <1078443115.662.61.camel@zim.hddesign.com>
References:  <1078443115.662.61.camel@zim.hddesign.com>


On Friday, 5 March 2004 00:31, Chris Meyers wrote:
> I need to set up a new mail server at a different building, so I thought
> I would put sendmail and its services (virus scanning etc.) in a jail to
> be a bit more secure. I thought that before I do this for real I would
> try setting up a jail on a test server and see if I can ssh to it and
> generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
> is the jails section of the AbsoluteBSD book. I am running 5.1.
>
> On the server I set up a /usr/jail directory to put the jail into. Then
> I ran the following from /usr/src/:
>
> # make world DESTDIR=/usr/jail
> # cd etc
> # make distribution DESTDIR=/usr/jail
> # cd /usr/jail/dev
> # sh MAKEDEV jail
>
> This is where I had my first problem, MAKEDEV doesn't exist. At first I
> was a bit concerned about this, then I remembered that in 5.0 and above
> MAKEDEV isn't necessary, it is handled by the kernel (If that isn't
> right someone please tell me). I didn't worry about this.
>
> Next I ran:
> # cd ../
> # ln -sf /dev/null kernel
>
> Then I started my jail:
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh
>
> Things seem to be fine. I can see the jailed environment and everything
> looks fine. I log out and then try to set up the last configuations so I
> can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> following lines:
>
> ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"

This is wrong. The jail can only have one IP, so the netmask has to be 0xffffffff
(255.255.255.255).
Do you have something like this on the host?
ifconfig_fxp0="inet 10.0.0.202  netmask 0xffffff00"     #host
ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 0xffffffff"    #jail 1

> sendmail_enable="NONE"
> inetd_flags="-wW -a 10.0.0.202"
>
> I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.
>
> In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:
>
> portmap_enable="NO"
> ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
> sendmail_enable="YES"
> sshd_enable="YES"
>
> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

This isn't necessary, since the jail has only that one IP.
It's important that the host is limited to one address, like you wrote a few
lines above!

Change the IP like I wrote above and everything should be fine.

-Harry

>
> I then rebooted to shut all services down. When the system was back up
> and running I ran the commands to mount and start the jail:
>
> # mount -t procfs proc /usr/jail/proc
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc
>
> Things seem to "boot" fine until it gets to sendmail; it seems to hang
> there (sshd starts fine though). Eventually sendmail times out and I get
> a prompt. I figure my jail is running (minus sendmail which I don't care
> about at the moment), and a ps -ax|grep J shows a few jailed processes
> running including sshd. From another system I try:
> % ssh 10.0.0.203
> and I get nothing. I can ping 10.0.0.203 just fine (as well as
> 10.0.0.202). A sockstat -4 shows:
> root     sshd       3041  3  tcp4   10.0.0.203:22         *:*
> root     syslogd    2908  4  udp4   10.0.0.203:514        *:*
> root     sshd       2650  3  tcp4   10.0.0.202:22         *:*
>
> so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
> 202 without problem, I just can't get into the jail.
>
> Can anybody tell me where I screwed up, or other things to look for. Any
> help would be appreciated.
>
> Thanks,
> Chris
