jail.conf setup with IPv4 and IPv6 on VNET
# Defaults shared by every jail defined in this file (they could also live
# in the system-wide jail.conf).  Nothing here opens allow.* permissions,
# so jail(8)'s restrictive defaults apply to the jail below.
persist;
mount.devfs;                 # devfs inside the jail; the default jail devfs ruleset applies unless devfs_ruleset is set (confirm against jail.conf(5))
path = "/isolates/$name/root";
host.hostname = $name;
exec.clean;                  # start with a clean environment instead of inheriting the host's
exec.stop = "/bin/sh /etc/rc.shutdown jail";
vnet;                        # each jail gets its own network stack
$bridge = "bridge0";         # host-side bridge the jail's epair is attached to

# Per-jail definition.  $id is reused as the epair number and as the host
# part of both addresses; note that the IPv6 host part is hexadecimal, so
# "::${id}" with id 10 is ::10 (decimal 16), not the same number as .10.
webserver {
    $id      = "10";
    $hepair  = "epair${id}a";              # host side of the epair
    $jepair  = "epair${id}b";              # jail side of the epair
    $ipaddr  = "192.168.17.${id}/24";      # NOTE: any NAT/rdr rule on the host must use this same address
    $ip6addr = "2a01:4f9:c010:c64c::${id}/64";
    $gw      = "192.168.17.1";
    $gw6     = "2a01:4f9:c010:c64c::1";

    mount.fstab    = "/isolates/$name/fstab";
    vnet.interface = "$jepair";

    # Create the epair pair, label the host end and plug it into the bridge.
    exec.prestart  = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig $hepair up descr vnet-${name}";
    exec.prestart += "ifconfig $bridge addm $hepair up";

    # Inside the jail: loopback, addresses, default routes, then the rc scripts.
    exec.start  = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig $jepair ${ipaddr}";
    exec.start += "/sbin/ifconfig $jepair inet6 ${ip6addr}";
    exec.start += "/sbin/route add default ${gw}";
    exec.start += "/sbin/route add -inet6 default ${gw6}";
    exec.start += "/bin/sh /etc/rc";

    # Pull the jail end back into the host before teardown, then remove
    # the host end from the bridge and destroy the pair.
    exec.prestop   = "ifconfig $jepair -vnet ${name}";
    exec.poststop  = "ifconfig $bridge deletem $hepair";
    exec.poststop += "ifconfig $hepair destroy";
}
# vtnet(4) offload workarounds (loader tunables, presumably /boot/loader.conf).
# Turn off TCP segmentation offload (TSO) and large receive offload (LRO) on
# virtio NICs until the bug tracked at
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235607 is fixed.
# The per-interface "-lro -tso" flags in rc.conf's ifconfig_vtnet0 are the
# runtime counterpart of these two tunables.
hw.vtnet.tso_disable="1"
hw.vtnet.lro_disable="1"
# Macros: external interface, the jail network behind it and the jail that
# receives redirected web traffic.  $webserver must match $ipaddr of the
# "webserver" jail in jail.conf (192.168.17.$id with id 10).
ext_if   = "vtnet0"
jail_net = "192.168.17.0/24"
webserver = "192.168.17.10"

scrub in all fragment reassemble

# Masquerade IPv4 traffic from the jail network behind the first address of
# the external interface.  "nat pass" means the translated packets are passed
# without going through the filter rules.
nat pass on $ext_if inet from $jail_net to any -> ($ext_if:0)

# Redirect inbound HTTP/HTTPS on the external interface to the jail.
# This ruleset has no block/pass filter rules at all, so everything pf does
# not translate is passed by default — including the jail's global IPv6
# address, which is not covered by the inet-only rules above.  Restricting
# "to any" to the interface's own address, e.g. "to ($ext_if)", would keep
# the redirect from matching traffic addressed elsewhere; both are defaults
# to revisit once real filtering is added.
rdr on $ext_if inet proto tcp from any to any port 80 -> $webserver port 80
rdr on $ext_if inet proto tcp from any to any port 443 -> $webserver port 443
# --- jails -------------------------------------------------------------
jail_enable="YES"
jail_list="webserver"             # must match the jail name in jail.conf

# --- syslog ------------------------------------------------------------
# -s: secure mode, do not accept log messages from the network.
# -H: keep the hostname from the message (presumably so jail logs stay
#     distinguishable on the host) — check syslogd(8) for the exact semantics.
syslogd_flags="-sH"
altlog_jaillist="webserver"       # also open a log socket for the jail

# --- network -----------------------------------------------------------
hostname="fbsd12-pkgbase-hel"
ifconfig_vtnet0="DHCP -lro -tso"  # offload disabled, see the hw.vtnet.* tunables
cloned_interfaces="bridge0"       # bridge that the jails' epair host ends join

# IPv4: the bridge is the jails' gateway; the host forwards for them
# (NAT itself lives in pf.conf).
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"

# IPv6: link-local addresses are required for a working setup, so activate
# IPv6 on every interface and give the bridge the jails' /64 gateway address.
# The jails then have globally routable addresses behind a forwarding host;
# unlike the NATed IPv4 side, nothing in pf.conf filters them.
ipv6_activate_all_interfaces="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
ipv6_defaultrouter="fe80::1%vtnet0"
ipv6_gateway_enable="YES"

# --- packet filter (currently only NAT/rdr, no filter rules yet) ---------
pf_enable="YES"