The latest version of jaildk supports FreeBSD vnet networking and pf filter rule generation.
For vnet support you need to configure the following in your rc.conf:
# rc.conf excerpt: host-side bridge that the vnet jails are attached to.
# internal bridge to vnet jails
cloned_interfaces="bridge0"
# v6 address of the bridge (must be reachable from the internet)
# I just carved a /80 subnet out of my official /64
# NOTE: the key still uses the cloned name (bridge0); the rename to jailsw0
# happens in ifconfig_bridge0 below, and jaildk is pointed at the renamed
# interface with "-b jailsw0" in jail.conf.
ipv6_ifconfig_bridge0="2a01:*:*:80e1:1e::1/80"
# v4 RFC 1918 address, this will be the default gw for jails
# (the jails' gw= setting points at this address)
ifconfig_bridge0="name jailsw0 up 172.20.20.1/24"
# allow routing: the host forwards packets between the jail bridge and its
# external interface for both address families, so what is reachable from
# outside is decided by the pf nat/rdr/pass rules jaildk generates per jail
# (see the pfctl anchor output further down), not by this setting.
gateway_enable="YES"
ipv6_gateway_enable="YES"
Next you need to configure your jail for vnet support:
myjail {
vnet;
exec.created = "/jail/bin/jaildk vnet $name start -b jailsw0";
exec.prestop = "/jail/bin/jaildk vnet $name stop -b jailsw0";
}
This will automatically configure vnet networking for the jail; it will also configure the IP addresses inside the jail, including v4+v6 routing.
Finally, in order to be reachable, you’ll need to have a jail.conf like this:
# jaildk per-jail config. It is written in shell syntax: later variables may
# reference earlier ones (e.g. "$myjail4" below).
base=12.2-RELEASE-p7
name=myjail
version=20210521
# vnet config
# ip: the jail's address on the internal bridge subnet; gw: the bridge's v4
# address from rc.conf, used as the jail's default gateway
ip="172.20.20.33/24"
# ip6: the jail's global v6 address. No prefix length is given here; the
# routing table inside the jail (further down) shows a /64 on the epair --
# presumably jaildk's default, confirm before relying on it
ip6="2a01:*:*:80e1::33"
gw="172.20.20.1"
# gw6: the bridge's v6 address from rc.conf
gw6="2a01:*:*:80e1:1e::1"
# the host's public v4 address; used below as the NAT source for outgoing
# traffic (masq_ip) and as the rdr destination for the incoming maps
myjail4="144.*.*.249"
# incoming maps: every name listed in $maps is configured by the matching
# map_<name>_* variables and ends up as pf "rdr pass" rules on the external
# interface (see the "pfctl -s nat" output further down)
maps="prom web"
# allow and nat incoming v4 web access
# there is no map_web_allow_from, so the generated rdr matches "from any"
map_web_exposed_port="80 443"
map_web_exposed_ip="$myjail4"
# allow and nat incoming v4 prometheus access
# restricted to a single source. The loaded rule holds a literal address
# (185.*.*.170 in the nat output), so a later DNS change for that hostname
# only takes effect once the rules are regenerated and reloaded.
map_prom_exposed_port="9100 8888"
map_prom_exposed_ip="$myjail4"
map_prom_allow_from="iapetus.prometheus.finca"
# outgoing masquerading (v6 will be routed)
masq_ip="$myjail4"
# allow incoming v6, this will just be routed to us
# v6 is not NATed, so these rules are the only thing limiting inbound v6 to
# the jail: only tcp/80 and tcp/443 get a "pass in quick" (rules output below)
rules="web"
rule_web_proto="tcp"
# pf list syntax; expands to one rule per port
rule_web_port="{80,443}"
And last but not least, you need to have a local DNS cache inside your jail, or run one on your host on the bridge IP address (172.20.20.1 in my case) and use that address in your jail's resolv.conf. Just in case, this is my unbound.conf:
# unbound.conf for the host-side caching resolver the jails use.
server:
directory: "/var/unbound"
pidfile: "/var/run/local_unbound.pid"
# listen on loopback plus both bridge addresses, so the jails reach it at the
# bridge IP they have in resolv.conf. The v6 bridge address is globally
# reachable (see rc.conf), so the access-control list below is what keeps
# this from being an open resolver.
interface: 127.0.0.1
interface: 172.20.20.1
interface: 2a01:*:*:80e1:1e::1
interface: ::1
cache-max-ttl: 14400
cache-min-ttl: 1200
# do not answer id.server / version.server chaos queries
hide-identity: yes
hide-version: yes
prefetch: yes
rrset-roundrobin: yes
so-reuseport: yes
use-caps-for-id: yes
verbosity: 1
outgoing-range: 465
num-queries-per-thread: 256
use-syslog: yes
log-servfail: yes
root-hints: /var/unbound/root.hints
# recursion is offered only to loopback, link-local and the two jail
# subnets (the v4 /24 and the v6 /80 from rc.conf); every other source is
# refused by unbound's default
access-control: 127.0.0.0/8 allow
access-control: ::ffff:127.0.0.1 allow
access-control: ::1 allow
access-control: fe80::/10 allow
access-control: 172.20.20.0/24 allow
access-control: 2a01:*:*:80e1:1e::/80 allow
# unbound blocks the private-address reverse zones by default; "nodefault"
# lets queries for them through, so reverse lookups for 172.20.20.0/24 work
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
remote-control:
control-enable: yes
# the control channel is a unix socket, so access is governed by the
# socket's filesystem permissions; that is why no certificate is used here
control-interface: /var/run/local_unbound.ctl
control-use-cert: no
# every query (name: .) is forwarded to these upstream resolvers rather than
# resolved iteratively from the root; whoever runs them sees all lookups
forward-zone:
name: .
forward-addr: 213.133.98.98
forward-addr: 213.133.99.99
forward-addr: 213.133.100.100
forward-addr: 2a01:4f8:0:1::add:1010
forward-addr: 2a01:4f8:0:1::add:9999
forward-addr: 2a01:4f8:0:1::add:9898
If everything is set up correctly it should look like this:
root@host: # ifconfig jailsw0| sed 's/scipown/myjail/g'
jailsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:bd:fc:61:71:01
inet 172.20.20.1 netmask 0xffffff00 broadcast 172.20.20.255
inet6 2a01:*:*:80e1:1e::1 prefixlen 80
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epmyjail.h flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000
groups: bridge
nd6 options=1<PERFORMNUD>
root@host: # pfctl -a /jail/myjail-jaildk -s nat
nat on em0 inet from 172.20.20.33 to any -> 144.*.*.249
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = jetdirect -> 172.20.20.33 port 9100
rdr pass on em0 inet proto tcp from 185.*.*.170 to 144.*.*.249 port = 8888 -> 172.20.20.33 port 8888
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = http -> 172.20.20.33 port 80
rdr pass on em0 inet proto tcp from any to 144.*.*.249 port = https -> 172.20.20.33 port 443
root@host: # pfctl -a /jail/scipown-jaildk -s rules
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = http flags S/SA keep state
pass in quick on em0 inet6 proto tcp from any to 2a01:*:*:80e1::33 port = https flags S/SA keep state
root@host: # jaildk login myjail
###### NOW WE ARE INSIDE THE JAIL #####
root@jail: # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
groups: pflog
epmyjail.j: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:7e:0c:c3:18:0b
inet6 fe80::7e:cff:fec3:180b%epscipown.j prefixlen 64 tentative scopeid 0x3
inet6 2a01:*:*:80e1::33 prefixlen 64 tentative
inet 172.20.20.33 netmask 0xffffff00 broadcast 172.20.20.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@jail: # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.20.20.1 UGS epscipow
127.0.0.1 link#1 UH lo0
172.20.20.0/24 link#3 U epscipow
172.20.20.33 link#3 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
default 2a01:4f8:191:80e1:1e::1 UGS epscipow
::1 link#1 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
2a01:4f8:191:80e1::/64 link#3 U epscipow
2a01:4f8:191:80e1::33 link#3 UHS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#1 U lo0
fe80::1%lo0 link#1 UHS lo0
fe80::%epscipown.j/64 link#3 U epscipow
fe80::dc:7aff:fea2:580b%epscipown.j link#3 UHS lo0
ff02::/16 ::1 UGRS lo0
root@jail: # ping -c 1 141.1.1.1
PING 141.1.1.1 (141.1.1.1): 56 data bytes
64 bytes from 141.1.1.1: icmp_seq=0 ttl=55 time=12.702 ms
--- 141.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.702/12.702/12.702/0.000 ms