diff --git a/README.md b/README.md
index 1938543..8a4da3a 100644
--- a/README.md
+++ b/README.md
@@ -373,17 +373,51 @@ The last step is to remove the current running jail, change the version in `etc/
 If there's anything wrong you can always go back to the previous version using the above steps.
 ## Advanced Features
-Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable).
-### Using the IPFW
-To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`.
-You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information.
-Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`.
-Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo`
-In order to control the inter-jail communication you have to delete this rule first.
-If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail.
-E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state`
-As demonstrated in the previous rule `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
+Jaildk also offers some advanced features like automatically setting
+up and deleting ipfw rules or freezing and thawing a jail (to make it
+easily portable).
+
+### Using the IPFW
+
+To use the IPFW on your host you first have to enable ipfw in your
+hosts rc.conf `firewall_enable="YES"`. You probably want to set the
+default firewalling-type there aswell, check out the
+[FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)
+for further information.
+
+Once enabled you also need to start ipfw by executing the rc script:
+
+`/etc/rc.d/ipfw start`.
+
+Be aware that inter-jail communication is transfered via the loopback
+interface (normally lo0) for which there is a high priority allow any
+to any rule by default:
+
+`allow ip from any to any via lo`
+
+In order to control the inter-jail communication you have to delete
+this rule first.
+
+If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf)
+the rules inside that config file are added when starting, and deleted
+when stopping the jail. E.g. allowing HTTP/HTTPS traffic for that
+jail (webserver):
+
+`allow tcp from any to $ip setup keep-state`
+
+As demonstrated in the previous rule `$ip` is reserved and
+automatically replaced with the jails own ip (as reported by
+`jls`). The same applies to the ipv6 address which will be available
+as variable `$ip6`. Also, all variables in the jails `jail.conf` can
+be used.
+
+In order to make these ipfw rules available on boot, you need to add
+the following line to `/etc/jail.conf` in the section of the jail
+which uses custom ipfw rules:
+
+`exec.prestart = "/jail/bin/jaildk ipfw $name"`
+
 ## Getting help
diff --git a/jaildk b/jaildk
index f30cb85..0939ca8 100755
--- a/jaildk
+++ b/jaildk
@@ -29,6 +29,7 @@ stop - stop a jail
 restart - restart a jail
 status [] - display a jail's status
 rc [-r ] - execute an rc-script inside a jail
+ipfw - add or remove ipfw rules
 ${beg}Managing Jails:${end}
 login [] - login into a jail
@@ -380,6 +381,8 @@ jaildk_rc_mount() {
 done
 }
+
+
 usage_install() {
 fin "Usage: $0 install [] [-r rc-function]
 Install according to its config.
 Options:
@@ -1169,7 +1172,6 @@ home/$name/root-$version $name/root nullfs rw' >
 touch $j/etc/.template/ipfw.conf
 bold "creating template config $j/etc/.template/mtree.conf"
-# touch $j/etc/.template/mtree.conf
 echo '/set type=dir uid=0 gid=0 mode=01777
 . type=dir mode=0755
 tmp
@@ -1466,10 +1468,24 @@ jaildk_thaw() {
 bold "Done. Thawed jail $jail $version from $image."
 }
+usage_ipfw() {
+echo "Usage: $0 ipfw
+[Un]install ipfw rules. can be start or stop.
+The jail needs to have a ipfw.conf file, containing
+ipfw rules. You can use variables like \$ip and \$ip6
+and you need to omit the 'ipfw add' of the command."
+exit 1
+}
+
 jaildk_ipfw() {
 jail=$1
 mode=$2
-if [ -f "$j/etc/$jail/ipfw.conf" ]; then
+
+if test -z "$mode"; then
+usage_ipfw
+fi
+
+if test -f "$j/etc/$jail/ipfw.conf"; then
 echo
 bold "Managing IPFW Rules..."
 case $mode in
@@ -1488,11 +1504,24 @@ jaildk_ipfw() {
 jaildk_ipfw_add() {
 jail=$1
+
+# support jail variables as well
+load-jail-config $jail
+
 # Getting current jails IP..
-jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
+ip=`jls -n -j $jail ip4.addr | cut -d= -f2`
+if test -z "$ip"; then
+die "Jail $jail doesn't have an ipv4 address!"
+fi
+
+ip6=`jls -n -j $jail ip6.addr | cut -d= -f2` # optional, no checks
+
 # Adding rules
-cat $j/etc/$jail/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
-
+egrep "^[a-z]" $j/etc/$jail/ipfw.conf | while read LINE; do
+rule=$(eval echo "ipfw add $LINE // $jail")
+echo $rule
+$rule
+done
 }
 jaildk_ipfw_delete() {
@@ -1529,7 +1558,7 @@ case $runner in
 start|stop|status|restart)
 jaildk_jail $runner $*
 ;;
-setup|reinstall|install|uninstall|build|blogin|login|clone|create|remove|rc|base|fetch|freeze|thaw)
+setup|reinstall|install|uninstall|build|blogin|login|clone|create|remove|rc|base|fetch|freeze|thaw|ipfw)
 jaildk_$runner $*
 ;;
 help)
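Review bot: usage_ipfw prints its text with a plain `echo` to stdout and then `exit 1`, while usage_install in the hunk at line 381 hands the same job to `fin`; if `fin` prints and exits as that use suggests, `usage_ipfw() { fin "Usage: $0 ipfw <jail> <mode> ..."; }` would keep the two usage helpers consistent and send the text to the same stream. Independently, the new guard tests only `$mode`, so `jaildk ipfw "" start` passes it and the following `test -f "$j/etc/$jail/ipfw.conf"` quietly degrades to `$j/etc//ipfw.conf`; `if test -z "$jail" || test -z "$mode"; then` closes that gap. jaildk_ipfw's body continues past the end of the hunk.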
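Review bot: `rule=$(eval echo "ipfw add $LINE // $jail")` in jaildk_ipfw_add hands every line of `$j/etc/$jail/ipfw.conf` to the shell for evaluation, so that file is no longer a list of ipfw rules but shell input executed with the host's privileges: a backtick, `$(...)`, `;` or a redirection inside a rule runs on the host before ipfw ever sees it, whereas the removed `sed -E "s/\\\$ip/$jailip/g"` path only ever replaced one token. The README hunk promises `$ip`, `$ip6` and jail.conf variables, which is why eval was reached for, but the loop should at least refuse lines carrying shell metacharacters before evaluating them, and `echo $rule` should be `echo "$rule"` so the log line is not word-split and glob-expanded. Two smaller points on the same lines: `read LINE` without `-r` folds backslashes in rules, and `jls -n -j $jail ip4.addr | cut -d= -f2` presumably yields more than one address for a jail with several, which the `test -z "$ip"` check does not cover — worth confirming against jls output. Note that `die` inside a piped `while` only ends that subshell, so the loop would need to be fed by a redirect rather than a pipe if the whole run must stop. The enclosing function is complete within the hunk.
```shell
egrep "^[a-z]" $j/etc/$jail/ipfw.conf | while read -r LINE; do
    # refuse anything eval would execute rather than expand
    case $LINE in
        *'`'*|*'$('*|*';'*|*'|'*|*'&'*|*'>'*|*'<'*)
            die "unsafe rule in $j/etc/$jail/ipfw.conf: $LINE"
            ;;
    esac
    rule=$(eval echo "ipfw add $LINE // $jail")
    echo "$rule"
    $rule
done
```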