host network in jail with minimal setup

Hello,
I have set up a jail (FreeBSD 12.0-RELEASE, host is 12.1-RELEASE) and I want to allow the jail to have access to the host's outside network (em0 and wlan0, can be lo0 too).
I have very basic knowledge of networking (I will really appreciate a detailed answer with commands and explanation :) ), and I want to set this up ideally without external tools (like ezjail and pf).
Is this possible?
I am aware of security problems behind this solution.
 
PF is not an external tool, it's an integral part of the OS.

Because there are potentially two different external interfaces (em0 and wlan0) that are active this is going to make it a bit more complex. In that case I would probably use a cloned interface lo1 and a new subnet. Tie the jail to that. Then fix routing on your modem/router (assuming this is a fairly standard home internet connection). This is really basic routing, that shouldn't be a problem?
 
I asked a question about a setup that is as minimal as possible; currently I do not use pf, so I counted it as "external". Sorry
 
=== WORK IN PROGRESS ===

I'm not done typing yet but I don't want to lose the draft version.

=== WORK IN PROGRESS ===


You could use a if_bridge(4) virtual bridge (switch) to connect your jail to the outside network.

In /etc/rc.conf put the following configuration:
Code:
cloned_interfaces="bridge0"
The next configuration I haven't automated yet (or I probably have but did not document it):
Code:
# ifconfig epair create           // Create an epair
epair0a
# ifconfig bridge0 addm epair0a      // Add one side to the bridge
# ifconfig epair0a name e0a_bridge0  // Rename one side ...
# ifconfig epair0b name e0b_bridge0  // ... and the other side
# ifconfig e0a_bridge0 up
# ifconfig e0b_bridge0 up

The idea here is to create an epair(4) (virtual ethernet cable) to connect your jail to the virtual bridge which connects to the physical network card. One side of the epair gets connected to the bridge, the other you connect to the jail in /etc/jail.conf:
Code:
jail01 {
   vnet;
   vnet.interface = e0b_bridge0;
}
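The epair steps above, scripted so they can be repeated per jail and undone cleanly (an added example, not the poster's own configuration; it assumes FreeBSD, root, and bridge0 already cloned from rc.conf, and the jail-name based interface names are my convention, not the thread's):

```shell
#!/bin/sh
# Added example (not from the thread): scripts the epair/bridge steps from
# the post above so they can be repeated per jail and undone cleanly.
# Assumes FreeBSD, root, and bridge0 already cloned from rc.conf
# (cloned_interfaces="bridge0"); naming the ends <jail>_a/<jail>_b is an
# assumption of this script, not the poster's convention.

# attach_epair BRIDGE JAIL: create an epair(4), name both ends after JAIL,
# plug the "a" end into BRIDGE, bring both ends up, print the jail-side name.
attach_epair() {
    bridge="$1"; jail="$2"
    # Interface names are limited to 15 characters; "_a"/"_b" adds two.
    if [ "${#jail}" -gt 13 ]; then
        echo "jail name '$jail' too long for an interface name" >&2
        return 1
    fi
    # 'ifconfig epair create' prints the name of the "a" side, e.g. epair0a
    a_side=$(ifconfig epair create) || return 1
    case "$a_side" in
        epair*a) ;;
        *) echo "unexpected epair name: $a_side" >&2; return 1 ;;
    esac
    b_side="${a_side%a}b"
    ifconfig "$bridge" addm "$a_side" || return 1
    # 'ifconfig X name Y' echoes the new name; silence it so stdout is clean
    ifconfig "$a_side" name "${jail}_a" >/dev/null || return 1
    ifconfig "$b_side" name "${jail}_b" >/dev/null || return 1
    ifconfig "${jail}_a" up || return 1
    ifconfig "${jail}_b" up || return 1
    echo "${jail}_b"   # use this as vnet.interface in jail.conf
}

# detach_epair JAIL: destroying one end of an epair removes both ends and
# drops the host-side member from the bridge.
detach_epair() {
    ifconfig "${1}_a" destroy
}

# Usage: epair.sh attach bridge0 jail01   |   epair.sh detach jail01
case "${1:-}" in
    attach) attach_epair "$2" "$3" ;;
    detach) detach_epair "$2" ;;
esac
```

The two functions fit jail.conf's exec.prestart and exec.poststop hooks, so the interfaces are created and removed together with the jail.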
 
Don't use epair with vnet jails, you'll get panic on jail stop with ~20% probability.
That is the first I have heard or read about this. Do you have any articles or data to back this up? What would you suggest then? Netgraph? Something else?
 
If you want to keep things simple you can use a "plain" jail (no VNET) and bind the jail directly to the wlan0 interface. As long as that jail has an IP address in the same range as the host's wlan0 interface this will work without any further configuration.
 
How do I bind a jail directly to the host's interface?
Code:
     interface
             A network interface to add the jail's IP addresses (ip4.addr and
             ip6.addr) to.  An alias for each address will be added to the
             interface before the jail is created, and will be removed from
             the interface after the jail is removed.
See jail(8)

Can I bind eth0 and wlan0?
Yes, that will work, as long as the jail also has an IP address in the same range.

Example:
Code:
ports {
    host.hostname = "ports.dicelan.home";
    ip4.addr = 192.168.10.202;
    interface = em0;

    path = /jails/j-ports/;
    mount.fstab = /etc/fstab.$name;
}
 