Fetch the base system distribution (base.txz) for the release the host is running and extract it into the directory that will become the jail's root (the `path` set in jail.conf below). Fetch it over HTTPS and verify it against the release MANIFEST before unpacking; the jail's userland should not be newer than the host kernel.
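# Fetch base.txz over HTTPS instead of plain HTTP and check it against the
# release MANIFEST (same directory, sha256 in the second column) before
# unpacking it into the jail root. Adjust "rel" to the release the host runs;
# the jail's userland should not be newer than the host kernel.
$ rel=12.1-RELEASE
$ url=https://download.freebsd.org/ftp/releases/amd64/amd64/${rel}
$ fetch "${url}/base.txz" "${url}/MANIFEST"
$ [ "$(sha256 -q base.txz)" = "$(awk '$1 == "base.txz" { print $2 }' MANIFEST)" ] || echo "base.txz checksum mismatch, do not extract" >&2
$ mkdir -p /usr/local/jailz/base
$ tar -xf base.txz -C /usr/local/jailz/base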
Create /etc/jail.conf with the following contents. The parameters before the `base { ... }` block are defaults inherited by every jail in the file; settings inside the block override them (note that `exec.start` is reassigned with `=` inside the block, so this jail does not use the global `exec.start` value):
# Defaults inherited by every jail defined in this file.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
# Run the exec.* commands with a clean environment instead of the host's.
exec.clean;
# Lets root inside the jail open raw sockets (ping, traceroute). This widens
# what a compromised jail can do on the network; drop it if not needed.
allow.raw_sockets;
allow.mount.tmpfs;
# Mount a devfs inside the jail. No devfs_ruleset is given here, so the
# default jail ruleset (devfsrules_jail) applies — check jail.conf(5) for the
# release in use, and set devfs_ruleset explicitly if the jail needs more devices.
mount.devfs;
base {
# Jail number; used to derive the jail's address and its epair interface name.
$id = "10";
#assign ip to jail
$ipaddr = "172.16.150.${id}";
$mask = "255.255.255.0";
$gw = "172.16.150.1";
# Give the jail its own network stack; only the "b" end of the epair is moved
# into it, the "a" end stays on the host and is attached to bridge150.
vnet;
vnet.interface = "epair${id}b";
# create epair and bridge interfaces on host for this jail
exec.prestart = "ifconfig epair${id} create up";
exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
exec.prestart += "ifconfig bridge150 addm epair${id}a up";
# create network interface on jail and add default routing
# (these run inside the jail's vnet, hence the absolute /sbin paths)
exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
exec.start += "/sbin/ifconfig epair${id}b ${ipaddr} netmask ${mask} up";
exec.start += "/sbin/route add default ${gw}";
# add firewall rule for jail
# This rule lives in the jail's own ipfw instance and passes everything.
# Root inside the jail can change it, so it is not a security boundary —
# any filtering meant to contain the jail has to be done on the host side.
exec.start += "/sbin/ipfw add 1000 allow ip from any to any";
# Run the jail's rc last so the network is up before services start.
exec.start += "/bin/sh /etc/rc";
# remove created interfaces if jail is removed
# (destroying the "a" end also removes the "b" end of the pair)
exec.poststop = "ifconfig bridge150 deletem epair${id}a";
exec.poststop += "ifconfig epair${id}a destroy";
host.hostname = "${name}.loc";
# Jail root; the base system was extracted here.
path = "/usr/local/jailz/${name}";
# Keep the jail alive even when it has no running processes.
persist;
}
Configure /etc/rc.conf for jail networking. Note that `firewall_type="OPEN"` leaves the host itself unfiltered; it is used here only so that ipfw is running for the NAT rule added below.
# bridge150 is the host side of the jail network; 172.16.150.1 is the
# default gateway the jail(s) point at.
cloned_interfaces="bridge150"
ifconfig_bridge150="inet 172.16.150.1 netmask 0xffffff00 descr jailz-bridge"
# ipfw with the stock "OPEN" rule set: the host does no filtering of its own,
# it only NATs the jail traffic (see the rc.firewall additions).
firewall_enable="YES"
firewall_type="OPEN"
# needed so the nat rules added to rc.firewall can be used
firewall_nat_enable="YES"
Configure NAT for the jail by adding the following to /etc/rc.firewall, replacing `ena0` with the host's external interface. Editing rc.firewall means the change can be lost on upgrade; recent releases can do the same from rc.conf alone with `firewall_nat_interface="ena0"`, which makes the stock rc.firewall set up NAT for the OPEN rule set (check rc.conf(5) for the release in use).
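# NAT the jail subnet out through the host's external interface (ena0 here;
# use the host's real uplink). "via ena0" keeps host<->jail traffic on
# bridge150 out of the nat instance instead of translating every packet the
# host sees; same_ports keeps source ports stable where possible.
${fwcmd} nat 1 config if ena0 same_ports
${fwcmd} add 5000 nat 1 ip from any to any via ena0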
Enable IP forwarding on the host so that packets from the jail can be routed through it:
# Takes effect immediately but does not survive a reboot.
$ sysctl net.inet.ip.forwarding=1
To make it permanent, add the following line to /etc/rc.conf:
# Sets net.inet.ip.forwarding=1 at boot.
gateway_enable="YES"
Reboot so that the bridge, firewall, NAT and forwarding settings above take effect.
Start the jail. `onestart` is used because `jail_enable` is not set in rc.conf; add `jail_enable="YES"` and `jail_list="base"` there if the jail should start at boot.
# "base" is the jail name from /etc/jail.conf; onestart works without jail_enable.
service jail onestart base
Give the jail a resolver configuration: the extracted base system ships without /etc/resolv.conf, so copy the host's into the jail root.
# Run on the host; the target is the jail's root ("path" in jail.conf).
$ cp /etc/resolv.conf /usr/local/jailz/base/etc/
Enter the jail:
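# jexec takes the jail name (or the jid shown by jls). "$id" is a jail.conf
# variable and is not set in the host shell, so the original invocation fails.
$ jexec base /bin/sh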
If you want to reach services running in the jail through the host's IP address, you can use relayd(8) as a TCP port forwarder (an ipfw nat `redirect_port` rule is an alternative that needs no extra daemon).
Install relayd:
# Installs relayd from the package repository on the host (not in the jail).
$ pkg install relayd
Create /usr/local/etc/relayd.conf with the following configuration. The `jail` macro must match the `$ipaddr` given to the jail in jail.conf:
# Address of the jail (the $ipaddr from jail.conf) and the two ports involved.
jail="172.16.150.10"
host_port="8080"
jail_service_port="8008"
relay tcpgw {
# Run as a simple TCP relay: no TLS, no filtering, plain byte forwarding.
# 0.0.0.0 binds every address on the host, so the jail service becomes
# reachable from wherever the host is; use a specific host IP to narrow it.
listen on 0.0.0.0 port $host_port
# Forward to the jail's vnet address on the port the service listens on.
forward to $jail port $jail_service_port
}
Enable the relayd service in rc.conf and start it:
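# sysrc edits rc.conf in place: no duplicate lines when re-run, and none of the
# quoting surprises of "echo ... >> /etc/rc.conf" (the shell strips the quotes).
$ sysrc relayd_enable=YES
$ service relayd start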
Enjoy!
Useful links:
https://bsd.plumbing/