# best practices for converting system to jails



## soylentgreen (Aug 3, 2009)

I have a system that is currently jail-less, but I would like to implement jails on it. It already has several services running on it, and when I create a new jail (using ezjail) it barks about services already running on all IPs, which by default run on the IP that I have assigned my new jail(s).

Do I need to go back and reconfigure the already running network services to listen only on specific IP addresses?

Output at the end of `ezjail-admin create [jailname] [ip]`:

```
Warning: Some services already seem to be listening on IP 192.168.2.70
  This may cause some confusion, here they are:
root     nmbd       816   16 udp4   192.168.2.70:137      *:*
root     nmbd       816   17 udp4   192.168.2.70:138      *:*
Warning: Some services already seem to be listening on all IP, (including 192.168.2.70)
  This may cause some confusion, here they are:
www      httpd      1357  3  tcp46  *:80                  *:*
www      httpd      1357  5  tcp46  *:443                 *:*
www      httpd      1356  3  tcp46  *:80                  *:*
www      httpd      1356  5  tcp46  *:443                 *:*
www      httpd      1355  3  tcp46  *:80                  *:*
www      httpd      1355  5  tcp46  *:443                 *:*
www      httpd      1354  3  tcp46  *:80                  *:*
www      httpd      1354  5  tcp46  *:443                 *:*
www      httpd      1353  3  tcp46  *:80                  *:*
www      httpd      1353  5  tcp46  *:443                 *:*
root     sendmail   1296  3  tcp4   *:25                  *:*
root     sendmail   1296  6  tcp4   *:587                 *:*
root     httpd      1284  3  tcp46  *:80                  *:*
root     httpd      1284  5  tcp46  *:443                 *:*
dovecot  imap-login 1255  4  tcp4   *:993                 *:*
dovecot  imap-login 1254  4  tcp4   *:993                 *:*
dovecot  imap-login 1253  4  tcp4   *:993                 *:*
dovecot  pop3-login 1252  4  tcp4   *:995                 *:*
dovecot  pop3-login 1251  4  tcp4   *:995                 *:*
dovecot  pop3-login 1250  4  tcp4   *:995                 *:*
root     dovecot    1230  5  tcp4   *:993                 *:*
root     dovecot    1230  6  tcp4   *:995                 *:*
root     sshd       915   4  tcp4   *:22                  *:*
mysql    mysqld     910   10 tcp4   *:3306                *:*
root     perl       832   5  tcp4   *:11111               *:*
root     perl       832   6  udp4   *:10000               *:*
root     smbd       822   21 tcp4   *:445                 *:*
root     smbd       822   22 tcp4   *:139                 *:*
root     nmbd       816   7  udp4   *:137                 *:*
root     nmbd       816   8  udp4   *:138                 *:*
root     nfsd       731   3  tcp4   *:2049                *:*
root     mountd     729   7  udp4   *:1021                *:*
root     mountd     729   8  tcp4   *:1021                *:*
root     rpcbind    678   9  udp4   *:111                 *:*
root     rpcbind    678   10 udp4   *:825                 *:*
root     rpcbind    678   11 tcp4   *:111                 *:*
root     syslogd    661   7  udp4   *:514                 *:*
```

I noticed that when I ssh'd to what I thought was my new jail with sshd enabled, I was able to log in with a non-jail account and see the whole file system.

Thanks


----------



## soylentgreen (Aug 3, 2009)

*[solved]*

from a site I found:
http://www.cyberciti.biz/faq/howto-setup-freebsd-jail-with-ezjail/



> WARNING! You need to modify host server daemons to listen to only 127.0.0.1 or a single private or public IP such as 202.54.1.2. At least you need to modify sshd, syslogd and other services before you configure jails.



So I guess that answers my question.

YES.


----------
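Added example, not part of the original thread: a small shell filter that reads a `sockstat`-style listing like the one ezjail printed above and reports each host daemon whose socket is bound to the wildcard address or directly to the jail's IP, which are the ones that need a specific listen address before the jail is started. The function names `jail_ip_conflicts` and `sample_listing` are hypothetical; the sample rows are excerpted from the output in the first post, plus one constructed loopback row to show what is not reported.

```shell
#!/bin/sh
# Added example: list host daemons whose listening sockets overlap a jail IP.
# jail_ip_conflicts and sample_listing are hypothetical helper names.

# Reads sockstat-style lines on stdin:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Prints "command proto port scope" once per daemon/port, where scope is
# "wildcard" (bound to *) or "jail-ip" (bound to the jail address itself).
# Sockets bound to any other specific address are not reported.
jail_ip_conflicts() {
    awk -v ip="$1" '
    $5 ~ /^(tcp|udp)/ {                        # skips header and unix sockets
        addr = $6; sub(/:[^:]*$/, "", addr)    # text before the last colon
        port = $6; sub(/^.*:/, "", port)       # text after the last colon
        if (addr == "*")       scope = "wildcard"
        else if (addr == ip)   scope = "jail-ip"
        else next
        key = $2 " " $5 " " port " " scope
        if (!(key in seen)) { seen[key] = 1; print key }   # one line per daemon/port
    }' | sort
}

# Rows excerpted from the ezjail warning in the post above; the mysqld row
# is constructed (loopback-only) to show a socket that does not conflict.
sample_listing() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nmbd       816   16 udp4   192.168.2.70:137      *:*
www      httpd      1357  3  tcp46  *:80                  *:*
www      httpd      1356  3  tcp46  *:80                  *:*
root     httpd      1284  5  tcp46  *:443                 *:*
root     sshd       915   4  tcp4   *:22                  *:*
root     syslogd    661   7  udp4   *:514                 *:*
mysql    mysqld     910   10 tcp4   127.0.0.1:3306        *:*
EOF
}

# Demo on the sample. On the FreeBSD host itself the input would be:
#   sockstat -l | jail_ip_conflicts 192.168.2.70
sample_listing | jail_ip_conflicts 192.168.2.70
```

An empty result after reconfiguring the host daemons means nothing on the host is still answering on the jail's address.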

