various modifications to pull request #10:

- re-fill paragraphs in README - added section about booting ipfw rules - added way to execute ipfw function from commandline (required for booting) - enhanced ipfw.conf parser - enhanced ip address parsing - added v6 support - added jail.conf variable support
2025-12-18 13:11:02 +01:00 · 2020-12-01 18:40:32 +01:00
parent cc30589b1f
commit 615939bccd
2 changed files with 79 additions and 16 deletions
--- a/README.md
+++ b/README.md
@@ -373,17 +373,51 @@ The last step is to remove the current running jail, change the version in `etc/
 If there's anything wrong you can always go back to the previous version using the above steps.

 ## Advanced Features
-Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable).
-### Using the IPFW
-To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`.
-You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information. 
-Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`.
-Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo`
-In order to control the inter-jail communication you have to delete this rule first.

-If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail.
-E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state`
-As demonstrated in the previous rule `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
+Jaildk also  offers some advanced features  like automatically setting
+up and deleting ipfw rules or freezing  and thawing a jail (to make it
+easily portable).
+
+### Using the IPFW
+
+To use  the IPFW on your  host you first  have to enable ipfw  in your
+hosts rc.conf  `firewall_enable="YES"`.  You probably want  to set the
+default    firewalling-type    there    aswell,    check    out    the
+[FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)
+for further information.
+
+Once enabled you also need to start ipfw by executing the rc script:
+
+`/etc/rc.d/ipfw start`.
+
+Be aware that inter-jail communication  is transfered via the loopback
+interface (normally lo0) for which there  is a high priority allow any
+to any rule by default:
+
+`allow ip from any to any via lo`
+
+In order  to control the  inter-jail communication you have  to delete
+this rule first.
+
+If an  ipfw.conf exists  for a jail  (e.g. /jail/etc/myjail/ipfw.conf)
+the rules inside that config file are added when starting, and deleted
+when stopping  the jail.   E.g. allowing  HTTP/HTTPS traffic  for that
+jail (webserver):
+
+`allow tcp from any to $ip setup keep-state`
+
+As  demonstrated   in  the  previous   rule  `$ip`  is   reserved  and
+automatically  replaced  with  the  jails   own  ip  (as  reported  by
+`jls`). The same  applies to the ipv6 address which  will be available
+as variable `$ip6`.  Also, all variables in the  jails `jail.conf` can
+be used.
+
+In order to make  these ipfw rules available on boot,  you need to add
+the  following line  to `/etc/jail.conf`  in the  section of  the jail
+which uses custom ipfw rules:
+
+`exec.prestart = "/jail/bin/jaildk ipfw $name"`
+

 ## Getting help