From 3270db0d78c87d721af788c61cb069f792d1466a Mon Sep 17 00:00:00 2001 From: Culsu Date: Mon, 30 Nov 2020 22:42:48 +0100 Subject: [PATCH] added ipfw section to the readme --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 912e2b3..9675eff 100644 --- a/README.md +++ b/README.md @@ -372,6 +372,18 @@ The last step is to remove the current running jail, change the version in `etc/ If there's anything wrong you can always go back to the previous version using the above steps. +## Advanced Features +Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable). +### Using the IPFW +To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`. +You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information. +Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`. +Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo` +In order to control the inter-jail communication you have to delete this rule first. + +If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail. +E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state` +As in the above rule demonstrated `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`). ## Getting help
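Review bot: The HTTP/HTTPS example in the new "Using the IPFW" text does not match the rule it shows: `allow tcp from any to $ip setup keep-state` admits new TCP connections to every port on the jail, not just 80 and 443, so a reader copying it into `ipfw.conf` opens more than the sentence claims. Either change the sentence to say "allowing all inbound TCP" or restrict the rule, e.g. `allow tcp from any to $ip 80,443 setup keep-state`, so that the documented example is least-privilege by default. Two related points on the same hunk: the advice to delete the default `allow ip from any to any via lo` rule should mention that the host's own loopback traffic (local services, resolvers, etc.) is also carried by lo0, so that rule needs to be replaced by narrower lo0 rules rather than simply removed, and the doc should say what the rules in `ipfw.conf` are added relative to (rule numbers, set, or position) so users can reason about ordering against the loopback rule. Minor wording: "aswell" should be "as well", "transfered" should be "transferred", and "the jails own ip" should be "the jail's own IP".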