Jail with DHCP


Lars Kotthoff
Dec 19, 2024, 11:23:36 AM, to HardenedBSD Users
Hi all,

 I'm trying to set up a jail with network interface bridged to the host and DHCP (from a different host). I've been somewhat successful in that it works, but it feels like I'm missing something and would like to double-check.

I've defined the jail as a VNET jail and am using jib to set up the bridged interface. All of that works as expected, but the jail doesn't source /etc/rc.firewall on startup, i.e. the default firewall is applied (instead of the configured WORKSTATION in /etc/rc.conf in the jail) and no network traffic is possible. DHCP inside the jail also fails.

My workaround is to explicitly source rc.firewall and run DHCP in the jail config file, but it feels like this is a hack and I'm missing some configuration somewhere. Any advice?

Here's the jail config on the host:

XXX {
    # jib creates the e0a_XXX/e0b_XXX pair and bridges the host end to igc0
    exec.prestart += "jib addm XXX igc0";
    # Workaround: run dhclient and rc.firewall by hand before /etc/rc
    exec.start = "dhclient e0b_XXX";
    exec.start += "/bin/sh /etc/rc.firewall";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop += "jib destroy XXX";

    host.hostname = "XXX";
    path = "/jails/XXX";

    exec.clean;
    vnet;
    vnet.interface = "e0b_XXX";   # jail end of the jib-created pair
    devfs_ruleset = 11;           # custom devfs ruleset
    mount.devfs;
    allow.raw_sockets = 1;
    allow.sysvipc = 1;
}

/etc/rc.conf in the jail:

clear_tmp_enable="YES"
firewall_enable="YES"
firewall_type="WORKSTATION"
firewall_myservices="something"
firewall_allowservices="something else"
firewall_quiet="YES"
firewall_logdeny="YES"
hostname="XXX"
ifconfig_e0b_XXX="DHCP"
ifconfig_e0b_XXX_ipv6="inet6 accept_rtadv"
sshd_enable="YES"


Without the exec.start lines that run dhclient and source /etc/rc.firewall in the jail config, the jail starts, but has no IP address and all network traffic is blocked.

Thanks,

Lars

Shawn Webb
Dec 19, 2024, 1:36:13 PM, to Lars Kotthoff, HardenedBSD Users
Hey Lars,

Have you looked into using epair(4) devices? Those are what you would
likely want to use for vnet jails. You would add the epairNa device to
the bridge, and assign the epairNb device to the jail.

For DHCP, you would also need to expose /dev/bpf to the jail. I
suspect you're already doing this due to your custom devfs ruleset
configuration line in your jail.conf.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

Lars Kotthoff
Dec 19, 2024, 1:42:13 PM, to Shawn Webb, HardenedBSD Users
Thanks Shawn -- how would I set that up? Can I do this with jib?

Thanks,

Lars

Shawn Webb
Dec 19, 2024, 1:47:01 PM, to Lars Kotthoff, HardenedBSD Users
I've never heard of jib before. There's no real need to use that. But
this is what my jail.conf looked like for some time on my laptop:

==== BEGIN jail.conf ====
# Defaults shared by every jail defined below
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# Create the epair pair and put the host end (${epair}a) into the bridge;
# after the jail exists, move the jail end (${epair}b) into its vnet,
# bring the host end up, and run the jail's rc via jexec
exec.prestart += "/sbin/ifconfig $epair create; ifconfig bridge1 addm ${epair}a";
exec.poststart += "/sbin/ifconfig ${epair}b vnet $name; /sbin/ifconfig ${epair}a up";
exec.poststart += "/usr/sbin/jexec $name /bin/sh /etc/rc";
# Destroying the a side removes the whole pair
exec.poststop += "/sbin/ifconfig ${epair}a destroy";

path = "/jails/$name";
host.hostname = "$name";

mutt-hbsd {
path = "/usr/jails/$name";
$epair = "epair0";
persist;
vnet;
}

mutt-gmail {
path = "/usr/jails/$name";
$epair = "epair1";
persist;
vnet;
}
==== END jail.conf ====

And then, the rc.conf file in the jail:

==== BEGIN jail's rc.conf ====
hostname="mutt-hbsd"
ifconfig_epair0b="inet 192.168.30.2 netmask 255.255.255.0"
==== END jail's rc.conf ====

Hopefully that helps.

Lars Kotthoff
Dec 19, 2024, 2:09:48 PM, to Shawn Webb, HardenedBSD Users
Thanks, tried that, but dhclient is still not run and /etc/rc.firewall is not sourced...

Thanks,

Lars
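A host-side check script, added here as an example and not part of the thread or of FreeBSD/HardenedBSD's own tooling, that tests the preconditions the thread turns on: that the jail really is a VNET jail, that the epair's a side is a member of the bridge, that /dev/bpf is visible inside the jail (dhclient needs it), and that a dhclient for the jail's interface actually ended up running. The jail name XXX, bridge bridge1 and epair epair0 are assumed; the command output embedded in the script is constructed for offline exercise, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: host-side checks for a VNET jail that is
# supposed to get its address by DHCP over an epair bridged to the host.
# Assumed names: jail "XXX", bridge "bridge1", epair "epair0" (epair0a stays on
# the host, epair0b goes into the jail). The check functions take command output
# as a string so they can be exercised against the constructed samples below;
# check_live() feeds them the real commands on a FreeBSD host.

# Is the jail really running with its own network stack?
# $1: output of `jexec <jail> sysctl -n security.jail.vnet` (1 for a VNET jail)
jail_is_vnet() {
    [ "$1" = "1" ]
}

# Is the host end of the epair a member of the bridge?
# $1: output of `ifconfig <bridge>`; $2: interface name (e.g. epair0a).
# Bridge members appear as indented "member: <if> flags=..." lines.
bridge_has_member() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*member: $2 "
}

# Can the jail see /dev/bpf? dhclient needs it, so the devfs ruleset must unhide it.
# $1: output of `jexec <jail> ls /dev`
jail_has_bpf() {
    printf '%s\n' "$1" | grep -q '^bpf'
}

# Did a dhclient for the jail's interface actually start?
# $1: output of `jexec <jail> ps -ax -o command`; $2: interface name (e.g. epair0b)
jail_has_dhclient() {
    printf '%s\n' "$1" | grep -Eq "dhclient.*(^|[[:space:]])$2([[:space:]]|\$)"
}

# Run every check against a live host (as root).
# $1: jail name, $2: bridge, $3: epair base name (e.g. epair0)
check_live() {
    jail=$1; bridge=$2; ep=$3; rc=0
    jail_is_vnet "$(jexec "$jail" sysctl -n security.jail.vnet 2>/dev/null)" \
        || { echo "FAIL: $jail is not a VNET jail"; rc=1; }
    bridge_has_member "$(ifconfig "$bridge" 2>/dev/null)" "${ep}a" \
        || { echo "FAIL: ${ep}a is not a member of $bridge"; rc=1; }
    jail_has_bpf "$(jexec "$jail" ls /dev 2>/dev/null)" \
        || { echo "FAIL: /dev/bpf is not visible in $jail (check its devfs ruleset)"; rc=1; }
    jail_has_dhclient "$(jexec "$jail" ps -ax -o command 2>/dev/null)" "${ep}b" \
        || { echo "FAIL: no dhclient running for ${ep}b in $jail"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $jail looks ready for DHCP on ${ep}b"
    return $rc
}

# Constructed sample output for offline exercise (not captured from a real host).
SAMPLE_BRIDGE='bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:c3
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: igc0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge'
SAMPLE_DEV_WITH_BPF='bpf
bpf0
null
random
zero'
SAMPLE_DEV_NO_BPF='null
random
zero'
SAMPLE_PS='COMMAND
/bin/sh /etc/rc
dhclient: epair0b [priv]
dhclient: epair0b
/usr/sbin/sshd'

# Usage on a FreeBSD host: sh jailcheck.sh XXX bridge1 epair0
if [ $# -eq 3 ]; then
    check_live "$@"
fi
```

Each check reads only command output, so a failing line points at one of the thread's suspects: a missing `vnet;`, an a side that never made it into the bridge, a devfs ruleset that hides bpf, or an rc run that never reached dhclient.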