I've noticed that OPNsense version 25.1 does not include the jail module in the FreeBSD system (14.2-RELEASE).
Also, I'm unsure how to add the FreeBSD repository to the OPNsense system.
I've googled all the articles and resources from relevant forums, but they all refer to old versions. The new version doesn't seem to include the jail functionality (or have I missed something?)
I want to install additional packages. Are there any recommended methods? (Like Guacamole)
I've also checked out https://github.com/opnsense/tools/issues/91.
Although it's not officially supported, I want to try installing it myself and use my OPNsense installation to replace Fortigate products.
Quote from: jjasoncool on February 06, 2025, 08:59:02 AM
I've noticed that OPNsense version 25.1 does not include the jail module in the FreeBSD system (14.2-RELEASE).
What exactly do you mean by "jail module"?
Jails are a standard part of FreeBSD. As far as I can see all the bits including e.g. jail(8), jls(8), etc. are present.
+suggestion: don't add the FreeBSD repository unless you are very comfortable dealing with package and dependency conflicts, both while the firewall is running and at upgrade time.
Normally a quick enable of the repo for a small package without dependencies followed by a disablement is OK though.
Quote from: Patrick M. Hausen on February 06, 2025, 10:01:18 AM
Quote from: jjasoncool on February 06, 2025, 08:59:02 AM
I've noticed that OPNsense version 25.1 does not include the jail module in the FreeBSD system (14.2-RELEASE).
What exactly do you mean by "jail module"?
Jails are a standard part of FreeBSD. As far as I can see all the bits including e.g. jail(8), jls(8), etc. are present.
Because I can't see any configuration files in the /etc/jail.conf.d/ directory.
I want to confirm something: when I install packages in a jail, will they be treated as parallel to OPNsense (like a device on the WAN) or under OPNsense (like under an IP assigned by OPNsense)?
I apologize for my many questions; I'm still a beginner, so there's a lot I don't understand. I've tried Googling for related documentation, but there's very little about configuring Guacamole alongside OPNsense; most information is about setting it up on OPNsense's backend.
However, my goal is for the network traffic to initially go through OPNsense, and then for OPNsense's security measures to control the Guacamole inside the jail.
Thank you to everyone who kindly helps me.
There are no files in that directory by default. You are supposed to create them from scratch following the documentation. This is the same on standard FreeBSD.
A jail is a lightweight virtual environment. It contains a complete operating system and packages independent from OPNsense.
Still I would advise against running any additional software on a security appliance. Even more so if you are not experienced in that matter. Use a different system for your jail experiments. A virtual machine will do fine.
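For reference, this is what one of the files that have to be created under /etc/jail.conf.d/ looks like on a stock FreeBSD 14.2 host such as the test VM suggested above. It is an added example, not from this thread or from the OPNsense project, and the jail name, path, hostname, interface em0 and address 192.0.2.10 are assumptions. It also shows how the earlier question about addressing is usually answered: the jail borrows an address on the host's own interface rather than acting as a separate device.

```conf
# /etc/jail.conf.d/guacamole.conf  (constructed example)
# Assumptions: plain FreeBSD 14.2 host, a base system already extracted to
# /usr/local/jails/guacamole, em0 is the host NIC and 192.0.2.10 is a free
# address on the host's LAN reserved for the jail.
guacamole {
    path = "/usr/local/jails/guacamole";
    host.hostname = "guacamole.example.internal";

    # Minimal /dev inside the jail (ruleset 4 is the stock devfsrules_jail).
    mount.devfs;
    devfs_ruleset = 4;

    # No separate network stack: the address is added as an alias on em0,
    # so the jail's traffic is still subject to the host's pf rules.
    interface = "em0";
    ip4.addr = 192.0.2.10;
    ip6 = "disable";

    # Least privilege: keep the restrictive defaults explicit.
    allow.raw_sockets = 0;
    allow.set_hostname = 0;
    allow.sysvipc = 0;
    allow.mount = 0;
    securelevel = 3;

    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

With `jail_enable="YES"` and `jail_list="guacamole"` in /etc/rc.conf, `service jail start guacamole` reads this file and `jls` shows the running jail.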
Quote from: Patrick M. Hausen on February 06, 2025, 10:31:27 AM
There are no files in that directory by default. You are supposed to create them from scratch following the documentation. This is the same on standard FreeBSD.
A jail is a lightweight virtual environment. It contains a complete operating system and packages independent from OPNsense.
Still I would advise against running any additional software on a security appliance. Even more so if you are not experienced in that matter. Use a different system for your jail experiments. A virtual machine will do fine.
Thank you for your answers; I will proceed with researching jails. From what I understand, jails seem to function similarly to containers in Docker, which might mean they are less likely to impact the security of the OPNsense main system, right?
Additionally, if I use a virtual machine, I'm concerned that OPNsense won't be able to manage and control the physical hardware directly. Are there any recommended approaches for this?
Also,
I can't find the `iocage` package on OPNsense. Does this make managing jails more troublesome?
I currently have a physical device intended to serve as a firewall and VPN gateway. Since Docker isn't available on FreeBSD, I'm not very familiar with jails.
Thank you.
I meant you should use an additional physical machine and not your firewall. You can run a FreeBSD VM on that system to experiment with jails until you are more familiar with them without risking your central security appliance.
Yes, jails are the original container developed before Docker even existed, then adopted into Solaris. But installing anything additional that does not belong to the firewall distribution is always a huge risk. I would not run Docker on a Linux based firewall, either.
Yes, iocage makes managing jails a bit easier. But it also increases the attack surface.
My recommendation: don't run applications, jailed or not, on your most important security device. You can follow that or not. You do you.
Quote from: Patrick M. Hausen on February 06, 2025, 07:13:32 PM
I meant you should use an additional physical machine and not your firewall. You can run a FreeBSD VM on that system to experiment with jails until you are more familiar with them without risking your central security appliance.
Yes, jails are the original container developed before Docker even existed, then adopted into Solaris. But installing anything additional that does not belong to the firewall distribution is always a huge risk. I would not run Docker on a Linux based firewall, either.
Yes, iocage makes managing jails a bit easier. But it also increases the attack surface.
My recommendation: don't run applications, jailed or not, on your most important security device. You can follow that or not. You do you.
Thank you very much for your response.
I will follow your advice.
But here's another concern of mine:
There are many apps available for installation within the package system, like PHP, Zabbix, Caddy, etc.
Should these also be avoided as much as possible to minimize risk?