Prepare the system
In order to create jails you will need /usr/obj populated with the result of make buildworld.
Update /usr/src as usual then:
# chflags -R noschg /usr/obj/* # rm -rf /usr/obj/* # cd /usr/src # make buildworld
Install ezjail on host system:
# cd /usr/ports/sysutils/ezjail # make install clean
Add to /etc/rc.conf:
Prepare hostname and ip address for each jail
You have to options here:
- Register a hostname for a spare address of one of your external interfaces with your DNS server.
- Create an alias on local interface and organize access from outside using firewall forwarding or using a reverse proxy.
I will show the first approach here. If, for example, you have three Internet addresses on your interface (/etc/rc.conf):
ifconfig_re0="inet 188.8.131.52/24" ifconfig_re0_alias0="inet 184.108.40.206/24" ifconfig_re0_alias1="inet 220.127.116.11/24"
You can use the first one for the host system and the aliases for the jails.
Most of the daemons on the host system bind to 0.0.0.0 by default, i.e. to all the ip addresses available. This means that they also use the ip addresses asigned to jails. Obviously if you want sshd in your jail, for example, you have to reconfigure sshd on the host to bind to specific host ip address and sshd of the jail to bind to jail ip only.
Refer to jail(8) for description of sysctl variables available.
For example, to allow ping from inside the jail use (on the host):
# sysctl security.jail.allow_raw_sockets=1
Restart the jails after changing the variable.