From a041a0d0cbaa08fa0485435507ca89eb94258427 Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 22:17:49 +0100
Subject: [PATCH 1/7] Added ipfw.conf functions for jail start/stop, to manage firewalling
---
 jaildk | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/jaildk b/jaildk
index ac98e0e..f2086ca 100755
--- a/jaildk
+++ b/jaildk
@@ -764,7 +764,7 @@ Create a new jail from template."
 jaildk_create() {
 jail=$1
- # $jail gets overwritten in jaildk_clone or some subcall to .template :-( ...
+ # $jail gets overwritten in jaildk_clone or somewhere...
 newjail=$jail
 src=.template
@@ -782,7 +782,9 @@ jaildk_create() {
 jaildk_clone -s $src -d $jail -o $srcversion -n $newversion
 # some perl magic to extract the hostname (if any) from /etc/jail.conf - and write it into the jails rc.conf
 jailhostname=$(cat /etc/jail.conf | tr -d '\t\r\n ' | perl -ne '$_ =~ /.*'"$newjail"'(\{(?:\{.*\}|[^{])*\})|\w+/; print $1;' | grep -oE 'hostname=[^;]+' | cut -d= -f2)
- [ -n "$jailhostname" ] && sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf
+ echo "new name: $jailhostname"
+ echo "in path $j/etc/$jail/local-etc-$newversion/rc.conf"
+ sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf
 }
@@ -903,6 +905,7 @@ jaildk_jail() {
 ;;
 *)
 service jail $mode $jail
+ jaildk_ipfw $jail $mode
 ;;
 esac
 fi 
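Review bot: The new `echo "in path $j/etc/$jail/local-etc-$newversion/rc.conf"` reports a path built from `$jail`, while the `sed` on the next line edits `$j/etc/$newjail/local-etc-$newversion/rc.conf`; the comment at the top of jaildk_create says `$jail` has been overwritten by then, so the message names a different file than the one actually changed, and the echo should use `$newjail`. Separately, if this targets FreeBSD's sed, `-i` takes the backup suffix as its argument, so `-iE` is read as `-i E`: the edit leaves an `rc.confE` copy beside the file and the expression is not run in extended mode (this pattern happens to work as a basic regex); the no-backup form is `sed -i '' 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf`. PATCH 2/7 re-adds the same three lines inside an `if [ -n "$jailhostname" ]` block, where both points still apply. jaildk_create continues outside the hunk.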
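Review bot: `jaildk_ipfw $jail $mode` runs whether or not `service jail $mode $jail` succeeded, so a failed start still reaches the rule-adding path for a jail that `jls` will not list, and a failed stop removes the jail's firewall rules while it keeps running. Check the service status before touching the rules, e.g. `service jail $mode $jail || return $?`, or whatever error convention jaildk uses for its other calls, which is not visible in this hunk. Note also that on start the jail is already up before its rules are installed, since the rules can only be added once `jls` knows the jail. jaildk_jail's body starts and ends outside the hunk.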
@@ -1460,6 +1463,31 @@ jaildk_thaw() {
 bold "Done. Thawed jail $jail $version from $image."
 }
+jaildk_ipfw() {
+ jail=$1
+ mode=$2
+ if [ -f "$j/etc/$jail/ipfw.conf" ]; then
+ echo
+ bold "Managing IPFW Rules..."
+ case $mode in
+ start)
+ # Deleting existing rules first to avoid duplicates.
+ ipfw show | grep -E "// $jail\$" | while read rule; do sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
+ # Getting current jails IP..
+ jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
+ # Adding rules
+ cat /jail/etc/revprx/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
+ ;;
+ stop)
+ # Deleting rules
+ ipfw show | grep -E "// $jail\$" | while read rule; do bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
+ ;;
+ esac
+ bold "... done"
+ echo
+ fi
+}
+
 ##########################
 #
From 62617b89cf11da4b63b1760d50c6d3236882eb8b Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 22:22:36 +0100
Subject: [PATCH 2/7] added a security check for overwriting the hostname inside the jails rc.conf
---
 jaildk | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/jaildk b/jaildk
index f2086ca..f2c7d7f 100755
--- a/jaildk
+++ b/jaildk
@@ -764,7 +764,7 @@ Create a new jail from template."
 jaildk_create() {
 jail=$1
- # $jail gets overwritten in jaildk_clone or somewhere...
+ # $jail gets overwritten in jaildk_clone or some subcall to .template :-( ...
 newjail=$jail
 src=.template 
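Review bot: `jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')` resolves the jail by matching its name against the end of any line of the default `jls` listing, which prints JID, IP address, hostname and path but not the jail name; the lookup therefore only works when the hostname or path ends in the name, and it also matches another jail whose hostname or path merely ends with it (a `web` jail matches `myweb`). Query by name instead, `jailip=$(jls -j "$jail" ip4.addr)`, and stop when nothing comes back, `[ -n "$jailip" ] || return 1`, because with an empty `$jailip` the `sed` replaces every `$ip` with nothing and each rule is then added with a missing address; a jail with several addresses would still need handling, since that parameter lists them together. In the `while read rule; do $rule; done` loop, `read -r` keeps backslashes in rules intact. The same IP lookup and loop move unchanged into `jaildk_ipfw_add` in PATCH 7/7.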
@@ -782,11 +782,11 @@ jaildk_create() {
 jaildk_clone -s $src -d $jail -o $srcversion -n $newversion
 # some perl magic to extract the hostname (if any) from /etc/jail.conf - and write it into the jails rc.conf
 jailhostname=$(cat /etc/jail.conf | tr -d '\t\r\n ' | perl -ne '$_ =~ /.*'"$newjail"'(\{(?:\{.*\}|[^{])*\})|\w+/; print $1;' | grep -oE 'hostname=[^;]+' | cut -d= -f2)
- echo "new name: $jailhostname"
- echo "in path $j/etc/$jail/local-etc-$newversion/rc.conf"
- sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf
-
-
+ if [ -n "$jailhostname" ]; then
+ echo "new name: $jailhostname"
+ echo "in path $j/etc/$jail/local-etc-$newversion/rc.conf"
+ sed -iE 's/^hostname.*$/hostname="'"$jailhostname"'"/' $j/etc/$newjail/local-etc-$newversion/rc.conf
+ fi
 }
 remove() {
From de04b88e196e958de885e916123d1bd0d6439df2 Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 22:37:18 +0100
Subject: [PATCH 3/7] Added ipfw.conf functions for jail start/stop, to manage firewalling
---
 jaildk | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/jaildk b/jaildk
index f2c7d7f..b416867 100755
--- a/jaildk
+++ b/jaildk
@@ -715,7 +715,7 @@ jaildk_clone() {
 clone $j/data/$src/www $j/data/$new/www
 clone $j/data/$src/spool $j/data/$new/spool
- ex cp -pRp $j/etc/$src/mount.conf $j/etc/$src/ports.conf $j/etc/$src/mtree.conf $j/etc/$new/
+ ex cp -pRp $j/etc/$src/mount.conf $j/etc/$src/ports.conf $j/etc/$src/mtree.conf $j/etc/$src/ipfw.conf $j/etc/$new/
 echo "Creating $j/etc/$src/jail.conf"
 cat $j/etc/$src/jail.conf | egrep -v "^(name|version)=" > $j/etc/$new/jail.conf 
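Review bot: Adding `$j/etc/$src/ipfw.conf` to the `cp` argument list makes the command fail for any source jail created before this series, since only `.template` receives an ipfw.conf (the `touch` in the next hunk) and existing jails have none; `cp` still copies the other files but exits non-zero, and how `ex` treats that status is not visible here. Copy it on its own line, guarded on existence: `[ -f $j/etc/$src/ipfw.conf ] && ex cp -pRp $j/etc/$src/ipfw.conf $j/etc/$new/`. jaildk_clone's body starts and ends outside the hunk.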
@@ -1165,6 +1165,9 @@ home/$name/root-$version $name/root nullfs rw' >
 bold "creating template config $j/etc/.template/ports.conf"
 (echo bash; echo ca_root_nss) > $j/etc/.template/ports.conf
+ bold "creating template config $j/etc/.template/ipfw.conf"
+ touch $j/etc/.template/ipfw.conf
+
 bold "creating template config $j/etc/.template/mtree.conf"
 # touch $j/etc/.template/mtree.conf
 echo '/set type=dir uid=0 gid=0 mode=01777
From 3270db0d78c87d721af788c61cb069f792d1466a Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 22:42:48 +0100
Subject: [PATCH 4/7] added ipfw section to the readme
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index 912e2b3..9675eff 100644
--- a/README.md
+++ b/README.md 
@@ -372,6 +372,18 @@ The last step is to remove the current running jail, change the version in `etc/
 If there's anything wrong you can always go back to the previous version using the above steps.
+## Advanced Features
+Jaildk also offers some advanced features like automatically setting up and deleting ipfw rules or freezing and thawing a jail (to make it easily portable).
+### Using the IPFW
+To use the IPFW on your host you first have to enable ipfw in your hosts rc.conf `firewall_enable="YES"`.
+You probably want to set the default firewalling-type there aswell, check out the [FreeBSD handbook](https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) for further information.
+Once enabled you also need to start ipfw by executing the rc script: `/etc/rc.d/ipfw start`.
+Be aware that inter-jail communication is transfered via the loopback interface (normally lo0) for which there is a high priority allow any to any rule by default: `allow ip from any to any via lo`
+In order to control the inter-jail communication you have to delete this rule first.
+
+If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail.
+E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state`
+As in the above rule demonstrated `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
 ## Getting help
From 5a779ea249800b54b21e6cb2d270951d1ac68653 Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 22:45:24 +0100
Subject: [PATCH 5/7] some readme styling.. :-)
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 9675eff..74bacab 100644
--- a/README.md
+++ b/README.md
@@ -401,6 +401,7 @@ This software is licensed under the BSD license.
 ## Authors
 T.v.Dein
+ F.Sass (Culsu)
 ## Project homepage
From dd55fb6ca5c50d1c375a8c9ccbd413e1a299b34b Mon Sep 17 00:00:00 2001 
From: Culsu
Date: Mon, 30 Nov 2020 22:48:11 +0100
Subject: [PATCH 6/7] changed some of the new text...
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 74bacab..1938543 100644
--- a/README.md
+++ b/README.md
@@ -383,7 +383,7 @@ In order to control the inter-jail communication you have to delete this rule fi
 If an ipfw.conf exists for a jail (e.g. /jail/etc/myjail/ipfw.conf) the rules inside that config file are added when starting, and deleted when stopping the jail.
 E.g. allowing HTTP/HTTPS traffic for that jail (webserver): `allow tcp from any to $ip setup keep-state`
-As in the above rule demonstrated `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
+As demonstrated in the previous rule `$ip` is reserved and automatically replaced with the jails own ip (as reported by `jls`).
 ## Getting help
From 6c544268ed9b66c441614509d767c86045eadd60 Mon Sep 17 00:00:00 2001
From: Culsu
Date: Mon, 30 Nov 2020 23:04:30 +0100
Subject: [PATCH 7/7] separated add and delete into their own functions.
---
 jaildk | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/jaildk b/jaildk
index b416867..f30cb85 100755
--- a/jaildk
+++ b/jaildk 
@@ -1474,16 +1474,11 @@ jaildk_ipfw() {
 bold "Managing IPFW Rules..."
 case $mode in
 start)
- # Deleting existing rules first to avoid duplicates.
- ipfw show | grep -E "// $jail\$" | while read rule; do sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
- # Getting current jails IP..
- jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
- # Adding rules
- cat /jail/etc/revprx/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
+ jaildk_ipfw_delete $jail "y"
+ jaildk_ipfw_add $jail
 ;;
 stop)
- # Deleting rules
- ipfw show | grep -E "// $jail\$" | while read rule; do bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
+ jaildk_ipfw_delete $jail
 ;;
 esac
 bold "... done"
@@ -1491,6 +1486,22 @@ jaildk_ipfw() {
 fi
 }
+jaildk_ipfw_add() {
+ jail=$1
+ # Getting current jails IP..
+ jailip=$(jls | grep -E "$jail\$" | awk '{print $2}')
+ # Adding rules
+ cat $j/etc/$jail/ipfw.conf | awk -v jailname="$jail" '{print "ipfw add "$0" // " jailname}' | sed -E "s/\\\$ip/$jailip/g" | while read rule; do $rule; done
+
+}
+
+jaildk_ipfw_delete() {
+ jail=$1
+ noout=$2
+ # Deleting rules
+ ipfw show | grep -E "// $jail\$" | while read rule; do [ -z "$2" ] && bold "Deleting rule $rule"; sh -c "ipfw delete $(echo $rule| awk '{print $1}')"; done
+
+}
 ##########################
 #
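Review bot: In `jaildk_ipfw_delete`, `noout=$2` is assigned but the loop tests `[ -z "$2" ]`, so the variable is dead; use `[ -z "$noout" ]` or drop the assignment. In `jaildk_ipfw_add`, every line of ipfw.conf is turned into an `ipfw add … // jail` command, so a blank line or a `#` comment in the file becomes a malformed command that `ipfw` rejects and the loop silently moves on; filter them in the awk, `awk -v jailname="$jail" 'NF && $1 !~ /^#/ {print "ipfw add "$0" // " jailname}'`. Both loops run `read` without `-r`, and the `sh -c "ipfw delete $(...)"` wrapper does no more than running `ipfw delete "${rule%% *}"` directly in the loop body. The two new functions are complete within the hunk; jaildk_ipfw, which calls them, starts outside it.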