# Configuring network interfaces for jails



## przg (Sep 18, 2014)

Hello everyone and thank you for accepting my membership.

I want to become more familiar with *BSD systems; initially I've chosen FreeBSD.

I have a small problem with jails, specifically with the network interfaces. I've got two of them in my OS - em0 and lo0. My questions are:
1. Can jails use lo0, or should I create another interface for them, like lo1?
2. Can more than one jail use the same interface?

What do I want to achieve?
1. Apache + PHP + sftp() in jail1, available from the web (webhosting + FTP accounts),
2. MySQL-server in jail2, available for Apache on localhost only,
3. ZNC's session in jail3 (also with full communication with the outside world).

As I guess, in this case jail1 should have access to both the em0 and loX interfaces, or perhaps just loX (to have the traffic filtered by the system's firewall)? The same question applies to jail3.

I have just one IPv4 and IPv6. Here's my ifconfig.

BTW: Does it make sense to jail those services if they will be used just by me? Maybe in this case the separate user:group with nologin for each of them is enough?

I will be grateful for help. Please don't attack me, I'm still learning - it's my first time with jails.

Greetings,
P.


----------



## wblock@ (Sep 19, 2014)

przg said:

> 1. Can jails use lo0, or should I create another interface for them, like lo1?



Jails can use lo0.  However, using lo1 keeps jail traffic off of lo0.



> 2. Can more than one jail use the same interface?



Yes.  Different jails have different IP addresses.  Please see the Handbook Jails chapter: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html.  I just added a section on sysutils/ezjail which shows the use of lo1: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html.



> BTW: Does it make sense to jail those services if they will be used just by me?



Like other security settings, it depends on your situation.  There is additional overhead for jails, mostly in administration, but the improvement in security can be worthwhile.



> I will be grateful for help. Please, don't attack me, I'm still learning - it's my first time with jails



We don't allow attacks here.  Welcome!


----------



## przg (Sep 20, 2014)

Hello!

I'm trying to make a new loopback but it fails - after rebooting the system my `ifconfig` always looks identical to the one from my first post. Here's what I've put into /etc/rc.conf:

```
cloned_interface="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
```

It just won't start. The same interface created by `ifconfig lo1 create` works fine.

It would be great if someone could help.

Full version of /etc/rc.conf (if it's necessary):
http://wklej.org/id/1468952/

Greetings,
P.


----------



## wblock@ (Sep 20, 2014)

przg said:

> Here's what I've put into /etc/rc.conf:
> 
> ```
> cloned_interface="lo1"
> ```



That should be interface*s*.  Here is what I have:

```
cloned_interfaces="${cloned_interfaces} lo1"
```


----------



## przg (Sep 26, 2014)

Bump!

Yesterday I tried to create another jail with ezjail. When trying to start it, I get:

```
ezjailStarting jails:/etc/rc.d/jail: WARNING: /var/run/jail.myjail.conf is created and used for jail zncjail.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider to migrate to /etc/jail.conf.
```

I've checked `man jail.conf` and created this file. In my system I've got two separate jails, so it's:

```
wwwjail {
        host.hostname = "wwwjail";
        path = "/usr/jails/wwwjail";
        ip4.addr += "10.0.0.1/32";
        allow.raw_sockets = 0;
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "";
        exec.consolelog = "/var/log/jail_wwwjail_console.log";
        mount.devfs;
        mount.fstab = "/etc/fstab.wwwjail";
        mount.fdescfs;
        mount +=  "procfs /usr/jails/wwwjail/proc procfs rw 0 0";
        allow.mount;
        allow.set_hostname = 0;
        allow.sysvipc = 0;
}

zncjail {
        host.hostname = "zncjail";
        path = "/usr/jails/zncjail";
        ip4.addr += "10.0.0.3/32";
        allow.raw_sockets = 0;
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "";
        exec.consolelog = "/var/log/jail_zncjail_console.log";
        mount.devfs;
        mount.fstab = "/etc/fstab.zncjail";
        mount.fdescfs;
        mount +=  "procfs /usr/jails/zncjail/proc procfs rw 0 0";
        allow.mount;
        allow.set_hostname = 0;
        allow.sysvipc = 0;
}
```

And of course I changed `ezjail_enable="YES"` to `jail_enable="YES"` in /etc/rc.d. Unfortunately, when I try `service jail start`, it starts only the first jail. The second one is down.
Is this a bug, or did I forget something?

Greetings.
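
A sanity check that ties wblock@'s `cloned_interfaces` correction above to this jail.conf: an added POSIX sh example, not code from the thread, that parses an rc.conf and a jail.conf and reports jails whose `ip4.addr` is not aliased on the loopback interface or is shared with another jail. The sample files it writes are constructed from the addresses posted in this thread (assumed layout: one jail per `name {` block; the misspelled `cloned_interface=` key is the one from the Sep 20 post).

```shell
#!/bin/sh
# Consistency check between rc.conf loopback aliases and jail.conf ip4.addr entries.
# The sample rc.conf/jail.conf written at the bottom are constructed for this example.
# Print "jail=address" for every ip4.addr in a jail.conf (prefix length dropped).
jail_addrs() {
    awk '/^[A-Za-z0-9_.-]+[ \t]*[{]/ { sub(/[ \t]*[{].*/, ""); jail = $0; next }
         /^}/ { jail = ""; next }
         /ip4\.addr/ && jail != "" && match($0, /"[^"]*"/) {
             addr = substr($0, RSTART + 1, RLENGTH - 2); sub(/\/.*/, "", addr)
             print jail "=" addr
         }' "$1"
}
# Print every inet address that rc.conf assigns to IFACE (ifconfig_IFACE and its _aliasN keys).
rc_iface_addrs() {
    awk -v ifc="$2" '$0 ~ ("^ifconfig_" ifc "(_alias[0-9]+)?=") && match($0, /inet [0-9.]+/) {
             print substr($0, RSTART + 5, RLENGTH - 5) }' "$1"
}
# 0: IFACE appears in cloned_interfaces; 1: the misspelled key cloned_interface= from this
# thread is present (rc.conf is sourced shell, so an unknown name is silently ignored);
# 2: IFACE is not cloned at all.
rc_check_cloned() {
    grep -q '^cloned_interface=' "$1" && return 1
    grep -Eq "^cloned_interfaces=.*[ \"]$2[ \"]" "$1" && return 0
    return 2
}
# Report problems; returns 0 only if every jail address is unique and assigned to IFACE.
check_jails() { # usage: check_jails RCFILE JAILCONF IFACE
    rc=0 seen=" "
    rc_check_cloned "$1" "$3" || { echo "rc.conf: $3 is not in cloned_interfaces (check the spelling)"; rc=1; }
    addrs=$(rc_iface_addrs "$1" "$3")
    for pair in $(jail_addrs "$2"); do
        jail=${pair%=*} addr=${pair#*=}
        case "$seen" in *" $addr "*) echo "$jail: $addr is already used by another jail"; rc=1 ;; esac
        seen="$seen$addr "
        printf '%s\n' "$addrs" | grep -qxF "$addr" || { echo "$jail: $addr is not configured on $3"; rc=1; }
    done
    return $rc
}
# Constructed samples: the thread's lo1 aliases (.254, .1) and its two jails (.1, .3).
SAMPLE_RC=$(mktemp) SAMPLE_JC=$(mktemp)
printf '%s\n' 'cloned_interfaces="${cloned_interfaces} lo1"' 'ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"' \
    'ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"' > "$SAMPLE_RC"
printf '%s\n' 'wwwjail {' '        ip4.addr += "10.0.0.1/32";' '}' \
    'zncjail {' '        ip4.addr += "10.0.0.3/32";' '}' > "$SAMPLE_JC"
check_jails "$SAMPLE_RC" "$SAMPLE_JC" lo1 && echo "consistent" || echo "problems found"
```

With the posted files the check reports that zncjail's 10.0.0.3 is not an alias on lo1; adding an `ifconfig_lo1_alias1` line for it makes the check pass.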


----------



## wblock@ (Sep 26, 2014)

ezjail does a bunch of things like null mounts.  It would not surprise me if some of those actions have to be done manually to use a jail created by ezjail without starting it with ezjail.


----------

