# Howto: quick setup of jail on ZFS using ezjail with PF NAT



## _martin (Feb 24, 2012)

*July 26, 2014 update:* different configuration for the new `pkg` tool

*Oct 20, 2016 update:* FreeBSD 11.0 and /etc/jail.conf

The following scenario is presented:


```
/----------- our host --------------\
--{ internet } --- [ 192.0.2.1 ] ---jail--- [ 10.6.6.6 ]
```

where:

em0 is the egress interface (internet facing)
lo666 is a custom loopback interface (host only)

192.0.2.1 is the public IP address on em0
10.6.6.6 is the jail IP address on lo666

The goal is to create a jail running a simple WWW service.

*Prerequisites:*


sysutils/ezjail installed, either from ports or from the pre-built package repository
A ZFS pool where the jail dataset will be created; the pool named zpool is used here

*The /etc/rc.conf*
Enable PF, ZFS, ezjail and IP forwarding. Create and configure lo666 interface. Lines in question from /etc/rc.conf:


```
cloned_interfaces="lo666"
ifconfig_lo666_alias0="inet 10.6.6.6 netmask 255.255.255.255"

gateway_enable="YES"

pf_enable="YES"
ezjail_enable="YES"
zfs_enable="YES"
```

Bring the interface up. In 9.0-RELEASE it's enough to do:

`# ifconfig lo666 create`

This creates the interface and assigns the alias from /etc/rc.conf. In case the IP address is not configured, bring it up manually:

`# ifconfig lo666 alias 10.6.6.6 netmask 255.255.255.255 up`

Enable IP forwarding:
`# sysctl net.inet.ip.forwarding=1`

*Setup PF*
Only the NAT part of PF is shown here; PF configuration in general is not the subject of this howto.
/etc/pf.conf:


```
ext_if="em0"
jail_if="lo666"

IP_PUB="192.0.2.1"
IP_JAIL_WWW="10.6.6.6"

NET_JAIL="10.6.6.0/24"

PORT_WWW="{80,443}"

scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW

# demo only, passing all traffic
pass out
pass in
```

Check /etc/pf.conf for any mistakes:

`# pfctl -nf /etc/pf.conf`
If no error is shown, start the firewall.

`# /etc/rc.d/pf start`

Verify the firewall is enabled and check the NAT rules (ALTQ warnings can be safely ignored).

`# pfctl -e`

```
pfctl: pf already enabled
```

`# pfctl -sn`

```
nat pass on em0 inet from 10.6.6.0/24 to any -> 192.0.2.1
rdr pass on em0 inet proto tcp from any to 192.0.2.1 port = http -> 10.6.6.6
rdr pass on em0 inet proto tcp from any to 192.0.2.1 port = https -> 10.6.6.6
```

*Configure ezjail*
By default all jails are stored under the /usr/jails directory. However, I'll use /local/jails in my setup.

First create a ZFS dataset:

`# zfs create -o mountpoint=/local/jails zpool/jails`
`# chmod 700 /local/jails && chown root:wheel /local/jails`

Main ezjail configuration is stored under /usr/local/etc/ezjail.conf. Uncomment and set at least these parameters:


```
ezjail_jaildir=/local/jails
ezjail_ftphost=ftp.sk.freebsd.org
ezjail_use_zfs="YES"
ezjail_jailzfs="zpool/jails"
```

Use the ftp host closest to you.
There are several ways to install the base. Here I'll just fetch the base from FTP; see ezjail-admin(8) for details.

`# ezjail-admin install`

The minimal userland (basejail) has been fetched. You can see it on a separate dataset:

`# zfs list`

```
zpool                  333M  1.63G    31K  none
zpool/jails            332M  1.63G    47K  /local/jails
zpool/jails/basejail   330M  1.63G   330M  /local/jails/basejail
zpool/jails/newjail   1.70M  1.63G  1.70M  /local/jails/newjail
```

I plan to create more than one jail, and I don't want to set all system settings manually for each and every one of them. That's where jail flavors come into play.
happycamper.local is my domain, so I'll use the name happycamper for the flavor.

`# mkdir -p /local/jails/flavours/happycamper/etc/rc.d`
`# cd /local/jails/flavours/happycamper/etc`
`# vi rc.conf`

```
sshd_enable="YES"
syslogd_flags="-ss"
```
`# cp -p /etc/resolv.conf .`
`# cp -p /local/jails/flavours/example/etc/rc.d/ezjail.flavour.example rc.d/ezjail.flavour.happycamper`

Flavors are stored under the $jailroot/flavours directory ($jailroot == /local/jails). I've created rc.conf and resolv.conf files; these will be copied into every new jail created with the happycamper flavor.

For the demonstration I want to create a custom group and user and install the screen package. This is done upon first jail startup by the ezjail.flavour script.

In the editor I replaced every occurrence of "example" with "happycamper". The example script is self-explanatory. FreeBSD 10 introduced a new package manager; the pkg_* commands are gone.

Prior to FreeBSD 10 you can use the following flavor config:

```
pw group add users
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw user add martin -g users -G wheel -s /bin/csh -d /home/martin -m -H 0

chown -R martin:users /home/martin

pkg_add -r screen
```

If you are running FreeBSD 10 and later:

```
pw group add users
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw user add martin -g users -G wheel -s /bin/csh -d /home/martin -m -H 0

chown -R martin:users /home/martin
# don't ask - just do
export ASSUME_ALWAYS_YES=YES
pkg bootstrap
pkg install screen
```
Now I'm finally ready to create a new jail with the flavor.

`# ezjail-admin create -f happycamper -c zfs www 10.6.6.6`

```
ZFS: create the jail filesystem
/local/jails/www/.
/local/jails/www/./etc
/local/jails/www/./etc/rc.d
/local/jails/www/./etc/rc.d/ezjail.flavour.happycamper
/local/jails/www/./etc/rc.conf
/local/jails/www/./etc/resolv.conf
5 blocks
```

*Start the jail*
Prior to FreeBSD 11.0 the following is sufficient:

`# /usr/local/etc/rc.d/ezjail start www`

```
Configuring jails:.
Starting jails: www.
```

It might take a second or two as the flavor script is executed upon first start; it does remove itself afterward. To check the jail status:

`# jls`

```
JID  IP Address      Hostname                      Path
  2  10.6.6.6        www                           /local/jails/www
```

To get a console inside the jail, the ezjail-admin command can be used:

`# ezjail-admin console www`

The jail itself is ready; now Apache can be installed and configured.

*FreeBSD 11.0*
With 11.0 and, as of writing, ezjail-admin v3.4.2, starting jails with ezjail-admin is no longer possible. Jails are required to be defined in /etc/jail.conf. We can still use ezjail-admin to set them up, but a little bit of manual work is needed here.

You could also have a look at Remington's thread 49561 for additional information. Reading jail.conf(5) is a good start for more detailed information.

Our per-jail ezjail configuration is stored under the /usr/local/etc/ezjail/ directory. Each file there represents the configuration of one jail.

Similar to the ezjail configuration directory, we'll create a new directory where the per-jail configuration will be kept. As jail(8) is a command from the FreeBSD base system, we'll keep it under /etc, namely /etc/jail. In our example we don't need much, but we do need to mount our userland (basejail).

/etc/jail/fstab.www:

```
/local/jails/basejail   /local/jails/www/basejail         nullfs  0 0
```
/etc/jail.conf configuration:

```
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;

mount.fstab           = "/etc/jail/fstab.${name}";
mount.devfs;
mount.fdescfs;
mount.procfs;

devfs_ruleset         = "4";

path = "/local/jails/$name";

www {
        host.hostname = "www";
        ip4.addr = "10.6.6.6";
}
```
One important difference is that devfs_ruleset is addressed by number and not by name (as it is in the ezjail jail configuration).

The last change is to update /etc/rc.conf. We don't want to start ezjail; we need jail(8) instead:

```
# ezjail_enable="YES"   #disabled on FreeBSD 11.0
jail_enable="YES"
```
And finally we can start our jails:
`# /etc/rc.d/jail start`
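The PF NAT/rdr rules and the jail.conf/fstab pair above are the two places where a single typo (a jail IP outside the NAT'd network, a port that was never meant to be exposed) either silently breaks the jail or exposes more than intended. The script below is an added example, not part of the howto or of ezjail: it derives both from a few variables and refuses to write anything when the jail address is not inside the jail network. The function names are assumptions, the defaults are the values used in this howto (em0, 192.0.2.1, 10.6.6.0/24, /local/jails), and it goes a bit beyond the text in that it handles any prefix length and any list of ports, not only the /24 and ports 80/443 shown.

```shell
#!/bin/sh
# Added example, not from the howto or ezjail. Generates the pf.conf nat/rdr
# rules and the FreeBSD 11 /etc/jail.conf stanza plus /etc/jail/fstab.<name>
# for one jail. Function names are hypothetical; defaults are the howto's.

EXT_IF="${EXT_IF:-em0}"
IP_PUB="${IP_PUB:-192.0.2.1}"
NET_JAIL="${NET_JAIL:-10.6.6.0/24}"
JAIL_ROOT="${JAIL_ROOT:-/local/jails}"

# ip2int A.B.C.D -> prints the address as a 32-bit integer; fails unless the
# input is exactly four decimal octets in 0..255 (leading zeros rejected).
ip2int() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/PLEN -> returns 0 when IP lies inside the CIDR block.
in_net() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "${2%/*}") || return 1
    plen=${2#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# pf_rules JAIL_IP PORT... -> prints the nat rule for the jail network and one
# rdr rule that forwards only the listed TCP ports of the public IP to the jail.
pf_rules() {
    jip=$1; shift
    in_net "$jip" "$NET_JAIL" || { echo "pf_rules: $jip not in $NET_JAIL" >&2; return 1; }
    [ $# -ge 1 ] || { echo "pf_rules: no ports given" >&2; return 1; }
    ports=
    for p in "$@"; do
        case $p in ''|*[!0-9]*|0[0-9]*) echo "pf_rules: bad port '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "pf_rules: port $p out of range" >&2; return 1; }
        ports="$ports,$p"
    done
    printf 'nat pass on %s from %s to any -> %s\n' "$EXT_IF" "$NET_JAIL" "$IP_PUB"
    printf 'rdr pass on %s proto tcp from any to %s port {%s} -> %s\n' \
        "$EXT_IF" "$IP_PUB" "${ports#,}" "$jip"
}

# jail_files NAME IP [ROOT] -> writes ROOT/etc/jail/fstab.NAME (nullfs mount of
# the shared basejail) and appends a NAME { ... } stanza to ROOT/etc/jail.conf,
# creating that file with the howto's global settings if it does not exist.
# ROOT defaults to the live system; pass a scratch directory to preview.
jail_files() {
    name=$1; jip=$2; root=${3:-}
    case $name in ''|*[!A-Za-z0-9_-]*|-*) echo "jail_files: bad jail name '$name'" >&2; return 1 ;; esac
    in_net "$jip" "$NET_JAIL" || { echo "jail_files: $jip not in $NET_JAIL" >&2; return 1; }
    conf="$root/etc/jail.conf"
    if [ -f "$conf" ] && grep -q "^$name {" "$conf"; then
        echo "jail_files: $name already defined in $conf" >&2; return 1
    fi
    mkdir -p "$root/etc/jail"
    printf '%s/basejail   %s/%s/basejail   nullfs  0 0\n' \
        "$JAIL_ROOT" "$JAIL_ROOT" "$name" > "$root/etc/jail/fstab.$name"
    if [ ! -f "$conf" ]; then
        cat > "$conf" <<EOF
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.fstab = "/etc/jail/fstab.\${name}";
mount.devfs;
mount.fdescfs;
mount.procfs;
devfs_ruleset = "4";
path = "$JAIL_ROOT/\$name";

EOF
    fi
    printf '%s {\n    host.hostname = "%s";\n    ip4.addr = "%s";\n}\n' "$name" "$name" "$jip" >> "$conf"
}

# Stand-alone demo with the howto's www jail, written into a scratch directory.
if [ "${1:-}" = "demo" ]; then
    pf_rules 10.6.6.6 80 443
    tmp=$(mktemp -d) && jail_files www 10.6.6.6 "$tmp" && cat "$tmp/etc/jail.conf" "$tmp/etc/jail/fstab.www"
    rm -rf "$tmp"
fi
```

Run `sh jailcfg.sh demo` to preview both files in a scratch directory; calling `jail_files www 10.6.6.6` without a third argument writes into the live /etc. Paste the printed rules into /etc/pf.conf, run `pfctl -nf /etc/pf.conf` as above, and check the generated jail.conf against jail.conf(5) before `/etc/rc.d/jail start`.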


----------



## gkontos (Feb 25, 2012)

Excellent how-to!


----------



## fred974 (Jan 23, 2014)

Hi,
This is a fab tutorial!
Just a clarification.. when you create the user/groups, you typed

```
pw user add
pw group add
```
Should it read 

```
pw useradd
pw groupadd
```

I don't know if it is a typo or the way it was ment to be.


----------



## _martin (Feb 16, 2014)

@fred974 Thanks. It was meant to be `pw user add`. I checked the man page and it indeed says _useradd_. But for years I've been using `pw user add`. 
It's maybe because of what `pw` says:


```
$ pw group
usage:
  pw group [add|del|mod|show|next] [help|switches/values]
$
```
So both commands are OK.


----------



## oxyaxion (Jul 5, 2014)

Hi,

Thanks for this great tutorial. I have some questions; I would like to do something approximately similar but with some particularities. I have some HTTP hosts and a varnish proxy.

Internet IP public address <----> Box <----> (192.168.x.x) BSD-Host + PF <----> (10.x.x.x) Jail-Varnish-http-proxy routing -----> www-jails-1 (10.x.x.x) or www-jails-2 (10.x.x.x)  or www-jails-2 (10.x.x.x)

Do you think this configuration is actually possible?
varnish-http is obviously routing the HTTP requests.
I know how to configure varnish but I don't know how to configure PF for this kind of configuration.
I'm a little confused with the routing and firewalling configuration.


----------



## _martin (Jul 8, 2014)

@oxyaxion
Sorry, I don't fully understand your diagram (what's the difference between "box" and "BSD-Host"?) and don't know which service is running where.
But think of it this way - service which is needed to be reachable from outside has to be in PF - the very same way this howto is showing how to reach the webserver (if I got your diagram right and FreeBSD has its own public IP).
Depending on your drop rules, you might need to enable traffic from/to jail networks. 

I suggest you start with pass in/pass out rules, add the rdr rule and see if that's working. If yes, you can start with drop rules.


----------



## oxyaxion (Jul 13, 2014)

Sorry for the bad diagram, and thanks for your response.

The "box" is my Internet company's ADSL router, the BSD host is my physical server.

The BSD host has a private IP in my LAN : 192.168.x.x , and the jails http has 10.x.x.x network.

I know how to setup "simple" NAT with my ADSL Router , IF "HTTP:80 NAT to Varnish-proxy" with a 192.168.x.x IP (with no PF firewalling).

But if i want more firewalling with the BSD PF, ALL the HTTP packets are in destination of the BSD Host and the BSD is doing the NAT ( 192.168.x.x -> varnish-proxy 10.x.x.x and this one dispatch to the good http host)  not the ADSL Router.

In fact I would like to use the PF setup for routing my packets, not my ADSL Internet box.


----------



## oxyaxion (Jul 17, 2014)

I have resolved my IP / Internet jails connection problem with this line in the pf.conf:


```
nat pass on bge0 from lo888:network to any -> (bge0)
```

bge0 is my physical ethernet card.

But now I don't understand why my personal flavour looks like it isn't used in the jail creation .. (users are not created ...).


```
pw groupadd users
echo -n 'passwordofthedeath' |\
pw useradd mathieu -g users -G wheel -s /usr/local/bin/bash -d /home/mathieu -m -H 0
chown -R mathieu:users /home/mathieu
```

I had added user creation like in your tutorial ... but :


```
root@cube-box:~ # ezjail-admin create -f jailsource -c zfs test-1 10.8.8.8
/usr/jails/test-1/.
/usr/jails/test-1/./etc
/usr/jails/test-1/./etc/rc.conf
/usr/jails/test-1/./etc/shells
/usr/jails/test-1/./etc/resolv.conf
/usr/jails/test-1/./etc/localtime
/usr/jails/test-1/./etc/ezjail.flavour.jailsource
/usr/jails/test-1/./etc/rc.d
11 blocks
find: /usr/jails/test-1/pkg/: No such file or directory
Warning: Some services already seem to be listening on all IP, (including 10.8.8.8)
  This may cause some confusion, here they are:
root     syslogd    838   6  udp6   *:514                 *:*
root     syslogd    838   7  udp4   *:514                 *:*
```

jailsource is my personal flavour, with my personal user: mathieu (I have followed your example for the first configuration)

Inside the jail :


```
root@test-1:~ # cat /etc/passwd | grep mathieu
```

Nothing ..  :\ 

By the way pkg_add looks "deprecated" in FreeBSD 10.0 and the jail flavour example seems to use it ...
The problem is if you want to use "pkg" for the first time, the system asks you for migration so you can't write it in the flavour script ... a patch will fix it maybe ?


----------



## _martin (Jul 26, 2014)

@oxyaxion Hm, that's interesting - there's a mistake in the tutorial now. I can't tell whether it was there from the beginning or maybe something 'got lost' during editing/forums migration. Thanks for pointing that out. 

Flavor has to be in rc.d/ as it is executed upon first jail startup (it does remove itself during its execution). Current step-by-step guide stores it in etc/ which is not correct. 

Yop, FreeBSD 10 does not have `pkg_add` any more. 

I've updated the tutorial to reflect these changes.
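The placement mistake acknowledged above (flavour script in etc/ instead of etc/rc.d/) and the pkg_add to pkg switch are easy to repeat with every new flavour. What follows is an added example, not code from the howto or from ezjail: a small POSIX sh linter that reads a flavour directory and reports the pitfalls raised in this thread before the flavour is handed to `ezjail-admin create -f`. The function name flavour_lint is an assumption; the checks come from rc.subr's rule that rc.d scripts must be executable, from the ezjail.flavour.example skeleton, and from the pkg notes in this thread.

```shell
#!/bin/sh
# Added example, not part of the howto or of ezjail: lint an ezjail flavour
# directory before using it. The function name is hypothetical; it only reads.
#
# flavour_lint FLAVOUR_DIR -> prints one line per finding and returns the
# number of findings (0 means every check passed).
flavour_lint() {
    dir=${1%/}; fl=${dir##*/}; n=0
    script="$dir/etc/rc.d/ezjail.flavour.$fl"

    # The script runs on first start only when it is an rc.d script (etc/rc.d/,
    # not etc/), which is the mistake corrected in this thread.
    if [ ! -f "$script" ]; then
        if [ -f "$dir/etc/ezjail.flavour.$fl" ]; then
            echo "ezjail.flavour.$fl sits in etc/ but must be in etc/rc.d/ to run on first start"
        else
            echo "missing $script"
        fi
        return 1
    fi
    # rc.subr only runs rc.d scripts that are executable.
    [ -x "$script" ] || { echo "$script is not executable"; n=$((n + 1)); }
    # Keep the ezjail.flavour.example skeleton (rc.subr, name=, run_rc_command).
    grep -q '^run_rc_command' "$script" \
        || { echo "no run_rc_command line; does not follow the ezjail.flavour.example skeleton"; n=$((n + 1)); }
    # The script must remove itself, otherwise it re-runs on every jail start.
    grep -q 'rm -f.*ezjail\.flavour' "$script" \
        || { echo "script never removes itself from /etc/rc.d; it would run on every start"; n=$((n + 1)); }
    # pkg_add is gone in FreeBSD 10 and later.
    if grep -q '^[[:space:]]*pkg_add' "$script"; then
        echo "uses pkg_add, which FreeBSD 10+ no longer has; use pkg bootstrap and pkg install"; n=$((n + 1))
    fi
    # First use of pkg asks for confirmation; an unattended first start needs ASSUME_ALWAYS_YES.
    if grep -Eq 'pkg (bootstrap|install)' "$script" && ! grep -q 'ASSUME_ALWAYS_YES' "$script"; then
        echo "pkg is called without ASSUME_ALWAYS_YES=YES; it will wait for input on first start"; n=$((n + 1))
    fi
    # The howto copies resolv.conf into the flavour; a fresh jail has none otherwise.
    [ -f "$dir/etc/resolv.conf" ] \
        || { echo "no etc/resolv.conf in the flavour; package fetches on first start cannot resolve names"; n=$((n + 1)); }
    return $n
}

# Stand-alone use: sh flavour_lint.sh /local/jails/flavours/happycamper
if [ $# -ge 1 ]; then
    flavour_lint "$1" && echo "flavour ${1%/} passed all checks"
fi
```

The exit status is the number of findings, so `sh flavour_lint.sh /local/jails/flavours/happycamper || echo fix first` fits into a provisioning script ahead of `ezjail-admin create`.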


----------



## fred974 (Jul 29, 2014)

Hi @matoatlantis

I am trying to create a jail flavour on FreeBSD 10 but I keep getting the following error message:

```
root@kryten:~ # vi /local/jails/flavours/jailflavor/etc/rc.d/ezjail.flavour.jailflavor
root@FreeBSD:~ # ezjail-admin create -f jailflavor -c zfs testjail 192.168.0.145
/local/jails/testjail/.
/local/jails/testjail/./usr
/local/jails/testjail/./usr/local
/local/jails/testjail/./usr/local/etc
/local/jails/testjail/./usr/local/etc/sudoers
/local/jails/testjail/./etc
/local/jails/testjail/./etc/motd
/local/jails/testjail/./etc/rc.d
/local/jails/testjail/./etc/rc.d/ezjail.flavour.jailflavor
/local/jails/testjail/./etc/resolv.conf
/local/jails/testjail/./etc/syslog.conf
/local/jails/testjail/./etc/periodic.conf
/local/jails/testjail/./etc/rc.conf
15 blocks
find: /local/jails/testjail/pkg/: No such file or directory
```
I don't understand why I get

```
find: /local/jails/testjail/pkg/: No such file or directory
```

Here is my /jails/flavours/jailflavor/etc/rc.d/ezjail.flavour.jailflavor

```
#!/bin/sh
#
# BEFORE: DAEMON
# PROVIDE: ezjail.jailflavor.config
# ezjail flavour jailflavor
#

. /etc/rc.subr

name=ezjail.flavour.jailflavor
start_cmd=flavour_setup

flavour_setup() {

# Remove traces of ourself
# N.B.: Do NOT rm $0, it points to /etc/rc
##########################
  rm -f "/etc/rc.d/ezjail.flavour.jailflavor"

# Groups
#########
#
pw groupadd -q -n webadmin -g 1001
pw groupadd -q -n dbadmin -g 1002
pw groupadd -q -n mailadmin -g 1003

# Users
########
#
# give root a known password
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' | pw usermod -n root -H 0
pw usermod root -p 01 01 01

# create webadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n webadmin -u 1001 -c "System Administrator" -g webadmin -G wheel -s /bin/csh -d /home/webadmin -m -H 0
pw usermod webadmin -p 01 01 01

# create dbadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n dbadmin -u 1002 -c "Database Administrator" -g dbadmin -G wheel -s /bin/csh -d /home/dbadmin -m -H 0
pw usermod dbadmin -p 01 01 01

# create mailadmin user
echo -n '$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91' |\
pw useradd -n mailadmin -u 1003 -c "Mail Administrator" -g mailadmin -G wheel -s /bin/csh -d /home/mailadmin -m -H 0
pw usermod mailadmin -p 01 01 01

# Files
########
#
chown -R webadmin:webadmin /home/webadmin
chown -R dbadmin:dbadmin /home/dbadmin
chown -R mailadmin:mailadmin /home/mailadmin

# Postinstall
##############
#
# Create all.log and console.log (chmod all.log, too)
touch /var/log/all.log && chmod 0600 /var/log/all.log
touch /var/log/console.log

# Packages
###########
#
#

export ASSUME_ALWAYS_YES=YES
pkg bootstrap

# install sudo
pkg install sudo

# install vim-lite
pkg instal vim-lite


# Updating The Ports Collection
portsnap fetch extract

# Install Portmaster
make -C /usr/ports/ports-mgmt/portmaster BATCH=yes OPTIONS_FILE_SET="BASH ZSH" install
echo "# Enable PKGNG as new package format"
echo 'WITH_PKGNG="yes"' >> /etc/make.conf
echo "# convert our /var/db/pkg database to the new pkg format"
pkg2ng

# Install TMUX Terminal Multiplexer
make -C /usr/ports/sysutils/tmux BATCH=yes OPTIONS_FILE_SET="BACKSPACE LIBEVENT2" OPTIONS_FILE_UNSET="LIBEVENT_STATIC" install clean

# Install git
make -C /usr/ports/devel/git BATCH=yes OPTIONS_FILE_SET="CONTRIB CURL CVS ETCSHELLS ICONV NLS P4 PERL" OPTIONS_FILE_UNSET="GITWEB GUI HTMLDOCS SVN" install clean

}
run_rc_command "$1"
```

When I `jexec 1 tcsh`, I can see that all the users and groups have been created and /var/log/console.log was created.
So basically the script doesn't execute any of the following code:

```
# Packages
###########
#
#

export ASSUME_ALWAYS_YES=YES
pkg bootstrap

# install sudo
pkg install sudo

# install vim-lite
pkg instal vim-lite


# Updating The Ports Collection
portsnap fetch extract

# Install Portmaster
make -C /usr/ports/ports-mgmt/portmaster BATCH=yes OPTIONS_FILE_SET="BASH ZSH" install
echo "# Enable PKGNG as new package format"
echo 'WITH_PKGNG="yes"' >> /etc/make.conf
echo "# convert our /var/db/pkg database to the new pkg format"
pkg2ng

# Install TMUX Terminal Multiplexer
make -C /usr/ports/sysutils/tmux BATCH=yes OPTIONS_FILE_SET="BACKSPACE LIBEVENT2" OPTIONS_FILE_UNSET="LIBEVENT_STATIC" install clean

# Install git
make -C /usr/ports/devel/git BATCH=yes OPTIONS_FILE_SET="CONTRIB CURL CVS ETCSHELLS ICONV NLS P4 PERL" OPTIONS_FILE_UNSET="GITWEB GUI HTMLDOCS SVN" install clean
```

When I copy the script to a jail and run it, I have no problem. Could you please help?

Thank you,
Fred


----------



## _martin (Jul 29, 2014)

Hi Fred, 

Starting from some ezjail version I see that error too. I guess it's a feature that does install the binary packages automatically upon startup from the /pkg directory. 
The following code in ezjail-admin produces the error:


```
# if the packages are links and not files we have to copy them now
find "${ezjail_rootdir}/pkg/" -type l -exec cp -r -f {} {}.ezjail \; -exec mv {}.ezjail {} \;
```
You can safely ignore it.

Hard to say why you can't see the packages installed. Do you see the changes in /etc/make.conf you do in that flavor script (do you see WITH_PKGNG in your jail make.conf)? If so I'd suspect the problem in the pkg2ng installation.


----------



## fred974 (Jul 29, 2014)

Hi @matoatlantis
This is the /etc/make.conf inside the jail that gets created:

```
WRKDIRPREFIX=           /var/ports
DISTDIR=                /var/ports/distfiles
PACKAGES=               /var/ports/packages
INDEXDIR=               /var/ports
WITH_PKGNG="yes"
```

How do I solve the problem in the pkg2ng installation?
Is the way I wrote the package installation from port correct?

Thank you.


----------



## _martin (Jul 29, 2014)

I don't know, not off the top of my head. But as you know, the script is being executed (users are created, make.conf gets customized).

Maybe something goes wrong when pkg2ng is executed? I'd go with a trial-and-error approach here. Remove all lines after `portsnap` (maybe even including that line). Create the jail and check the output. If all is OK, include pkg2ng and do another check - does it break something? If not, continue ..


----------



## fred974 (Jul 30, 2014)

Thank you @matoatlantis, I'll tinker around and post my finding if I ever work it out


----------



## fred974 (Jul 30, 2014)

I removed all lines from

```
# Updating The Ports Collection
```

onwards and all the packages did get installed.

Could you advise on how I could run `portsnap fetch extract` in my jail flavour so it doesn't need user interaction?


----------



## _martin (Jul 31, 2014)

Did you check what it asked for (run it manually from the jail)? I personally don't use the ports per jail as I consider that a waste of space (I'm mostly using shared ports, either via NFS or a nullfs mount).

But back to your problem: check what /usr/ports is in the jail; by default:


```
# ll /usr/ports
lrwxr-xr-x  1 root  wheel  19 Jul 26 13:30 /usr/ports@ -> /basejail/usr/ports
#
```
which is a location you can't write to by default. You can either tell portsnap to use another location (check the man page) or you could remove the symlink (from the host) and create /usr/ports in the jail.


----------



## fred974 (Aug 1, 2014)

Hi @matoatlantis

Yes, running it manually from the jail is OK. The only reason why I want each jail to have the ports is that when I update the packages using portmaster on the host, I also pick up all the packages installed in the jails and mess things up.

Below is what I normally do to install the jail:

```
ezjail-admin create -f jailflavor -c zfs webjail 192.168.0.145
echo 'ListenAddress 192.168.0.145' >> /local/jails/webjail/etc/ssh/sshd_config
rm -rf /local/jails/webjail/usr/ports
mkdir -p /local/jails/webjail/usr/ports
mount_nullfs -o rw /usr/ports /local/jails/webjail/usr/ports
echo '/usr/ports     /local/jails/webjail/usr/ports  nullfs     rw       0       0' >> /etc/fstab.webjail
/usr/local/etc/rc.d/ezjail start webjail
```
My hope was to create the full webjail by using the jail flavour but I guess it's not a big deal as I could run the script from inside the jails.


----------



## _martin (Aug 4, 2014)

If you look into your jail log (/var/log/jail_$JAILNAME_console.log) you'll see why: 

```
portsnap fetch should not be run non-interactively.
Run portsnap cron instead
```

When you look at /usr/sbin/portsnap

```
  --interactive -- interactive: override auto-detection of calling process
                  (use this when calling portsnap from an interactive, non-
                  terminal application AND NEVER ELSE).
```
you'll see how to force it. 

I must say this is not the best way to go. You are querying the portsnap servers each time you start a new jail. That can be an awful lot.

To modify the setup you could do: 

*Remove the symlink in newjail setup* (assumption: we're never going to use the basejail link)

```
# cd newjail/usr
# ll ports
lrwxr-xr-x  1 root  wheel  19 Jul 26 13:30 ports@ -> /basejail/usr/ports
# rm ports
```
*Update the flavor config*: 

```
portsnap --interactive fetch extract
```
But I don't recommend going this way.


----------



## fred974 (Aug 4, 2014)

Thank you @matoatlantis, I am taking all your advice on board.


----------



## andrewm659 (Nov 2, 2014)

So I am trying to follow your howto on this, my question is, do I need to use PF for this?  I am doing this on my home network and it will not be forward facing to the Internet. 

I am really just at the point of setting up the virtual interface or cloned_interface and it's not working.


----------



## andrewm659 (Nov 2, 2014)

```
root@FBSD10:~ # cat /etc/rc.conf
hostname="FBSD10.borg.priv"
ifconfig_em0="inet 10.150.1.71 netmask 255.255.255.0"
defaultrouter="10.150.1.1"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
ezjail_enable="YES"
ifconfig_em0_alias0="inet 10.150.1.90 netmask 255.255.255.0 broadcast 10.150.1.255"
jail_enable="YES"
gateway_enable="YES"
zfs_enable="YES"
root@ASM-FBSD10:~ # ifconfig em0_alias0 create
ifconfig: SIOCIFCREATE2: Invalid argument
root@FBSD10:~ #
```


----------



## _martin (Nov 23, 2014)

andrewm659 said:


> So I am trying to follow your howto on this, my question is, do I need to use PF for this?  I am doing this on my home network and it will not be forward facing to the Internet.
> 
> I am really just at the point of setting up the virtual interface or cloned_interface and it's not working.



When using my tutorial here, yes,  you do need to have port redirection (here I use PF). Depending on your setup you may not need to have PF/filtering at all when setting up jails.

The error you showed is due to incorrect ifconfig syntax. create is to be used only when the interface is created. On the fly an alias can be added by `ifconfig em0 alias 10.150.1.90 netmask 255.255.255.0`.


----------



## royskatt (Mar 5, 2016)

Since I don't want to use ZFS, could anyone please tell me the UFS equivalent of


```
zfs create -o mountpoint=/local/jails zpool/jails
chmod 700 /local/jails && chown root:wheel /local/jails
```
 ?

Thank you!


----------



## _martin (Oct 20, 2016)

royskatt said:


> Since I don't want to use ZFS, could anyone please tell me the UFS equivalent of
> 
> 
> ```
> ...


As you said, you are using UFS, so you just create the directory and set the permissions.

`mkdir /local/jails && chmod 700 /local/jails && chown root:wheel /local/jails`


----------



## ANx (Dec 31, 2017)

_martin said:


> *FreeBSD 11.0*
> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails with ezjail-admin is no longer possible. It's required to have jails defined in /etc/jail.conf. We can still use ezjail-admin to set them up. A little bit of manual work is needed here.



Hi _martin, thank you for this great tutorial. I'm currently using RELEASE-11.1 and successfully followed your tutorial. One thing I noted while following this tutorial is that /usr/jails/flavour/etc/rc.d/ezjail.flavour.jailflavor can no longer contain dots in the name; I used underscores instead and it worked.

One question related with the above quoted part: ezjail-admin seems to work for both creating and accessing jail console. If you still have patience, please help me understand why I need to take particular actions for 11 and above (being above my assumption).

Happy new year Everyone.

Regards,
ANx


----------



## _martin (Jan 1, 2018)

Hi ANx, 

thanks. I should have a look at the naming convention, it may have changed as you said.

sysutils/ezjail comes from ports and was an effort of Dirk Engling to simplify the management of FreeBSD jails. The port itself is a wrapper script (shell script) around the jail(8) command with some additional information stored under a few directories.

In FreeBSD 11 a few things changed along with the jail command. It now requires configuration in /etc/jail.conf, which ezjail doesn't do. Hence manual creation is needed.

Running jails behave the same when it comes to their management, that's why you can continue using ezjail for administration.


----------



## hukadan (Feb 16, 2018)

_martin said:


> Enable IP forwarding:
> # sysctl net.inet.ip.forwarding=1


I just discovered this nice HowTo. Since you use a loopback interface for the jail you do not need this setting IIRC.


----------

