Monday, January 26, 2009

Creating and configuring jails on FreeBSD

Every service running on the host system has to be reconfigured to listen on a single IP address rather than on all available interfaces; a daemon bound to the wildcard address would otherwise also answer on the jail's IP.

Example:

SSH - /etc/ssh/sshd_config:
ListenAddress 83.218.221.1

MySQL - /etc/my.cnf:
[mysqld]
bind-address=127.0.0.1

and so on for apache, mail, samba.

Installing and configuring the jail itself:

# mkdir -p /home/data/jails/192.168.1.3
# cd /usr/src
# make installworld DESTDIR=/home/data/jails/192.168.1.3
# cd /usr/src/etc
# make distribution DESTDIR=/home/data/jails/192.168.1.3

# cd /home/data/jails/192.168.1.3
# ln -sf dev/null kernel
# mount_devfs devfs /home/data/jails/192.168.1.3/dev
# cp /etc/resolv.conf /home/data/jails/192.168.1.3/etc/
# touch /home/data/jails/192.168.1.3/etc/fstab
# mount_nullfs /usr/ports /home/data/jails/192.168.1.3/usr/ports
# mount_nullfs /usr/src /home/data/jails/192.168.1.3/usr/src

# ifconfig lo0 alias 192.168.1.1 netmask 255.255.255.255
# ifconfig lo0 alias 192.168.1.3 netmask 255.255.255.255

# jail /home/data/jails/192.168.1.3 jail3.nafanya.freebsd.su 192.168.1.3 /bin/sh


Next steps: change the root password inside the jail and create an /etc/rc.conf with the following content:

hostname="jail3.nafanya.freebsd.su" # Set this!
ifconfig_lo0="inet 192.168.1.3 netmask 255.255.255.255"
defaultrouter="192.168.1.1" # Set to default gateway (or NO).
sshd_enable="YES"



On the host system, add the following lines to /etc/rc.conf:

gateway_enable="YES"
ifconfig_lo0="inet 192.168.1.1 netmask 255.255.255.255"
ifconfig_lo0_alias0="inet 127.0.0.1 netmask 255.0.0.0"
jail_enable="YES"
jail_list="jail3"
jail_jail3_rootdir="/home/data/jails/192.168.1.3"
jail_jail3_hostname="jail3.nafanya.freebsd.su"
jail_jail3_ip="192.168.1.3"
jail_jail3_interface="lo0"
jail_jail3_devfs_enable="YES"
jail_jail3_exec_start="/bin/sh /etc/rc"
jail_jail3_exec_stop="/bin/sh /etc/rc.shutdown"



In /etc/pf.conf, configure NAT for the jail (the original snippet used $ext_if without defining it; the macro is added here and its interface name is an assumption to replace with the real external interface):

ext_if="em0"		# assumed name; set to the real external interface
lo_int="lo0"
internal_net="192.168.1.0/24"
external_addr="83.218.221.1"

# NAT
nat on $ext_if from $internal_net to any -> ($ext_if)

# redirect ssh
rdr on $ext_if proto tcp from any to $external_addr port 55222 -> 192.168.1.3 port 22

# no filtering at all: every packet is passed in both directions
pass in all
pass out all



The jail is set to start automatically at system boot.

Useful links:

http://erdgeist.org/arts/software/ezjail/
http://blog.innerewut.de/2005/08/25/freebsd-jails
http://www.samag.ru/cgi-bin/go.pl?q=articles;n=11.2006;a=04
http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail
http://www.freebsddiary.org/jail-multiple.php

Original article (Russian)
