OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: fbar on March 08, 2017, 01:49:54 am

Title: OPNSense 17.X and Jails
Post by: fbar on March 08, 2017, 01:49:54 am
Greetings,

I would like to run a jail inside OPNSense 17.1. I have a decent firewall: 2 core, 8G RAM with 512GB SSD, more than enough for a FW and a SONOS music server. I just want to run Samba 4 as a simple file server for my SONOS music system. I really don't want to run FreeNAS or another separate server. Are there instructions on how to do this on OPNSense, and is there an OPNSense jail tarball I can use?

Thanks.
Title: Re: OPNSense 17.X and Jails
Post by: bartjsmit on March 08, 2017, 02:25:31 pm
Why not run a dedicated hypervisor? Is your CPU 64 bit?

Bart...
Title: Re: OPNSense 17.X and Jails
Post by: fbar on March 08, 2017, 04:40:40 pm
I didn't want it to be that complicated. Actually, I would have just preferred a plugin or Samba pkg to run on the firewall itself. I know it's frowned upon, but it's just a simple server. I thought the next best step is to run Samba in a jail. I like the GUI and simplicity of OPNSense though. I suppose if I have to I can go back to running a full server (OpenBSD). I don't really want to compile packages, run hypervisors etc. just to stream music. I'll wait to see what others suggest over the next few days.

Thanks.
Title: Re: OPNSense 17.X and Jails
Post by: djGrrr on March 08, 2017, 08:57:40 pm
The instructions for OPNsense would really be no different than for FreeBSD, and you can use the FreeBSD tarballs to create the jail filesystem.
Title: Re: OPNSense 17.X and Jails
Post by: fbar on March 09, 2017, 01:24:12 am
That's what I wanted to confirm: use FreeBSD 11.x tarballs.
I didn't know if OPNSense was drastically that different. I suppose as long as the kernel versions are in sync then I should be OK.

Ok, I will try that and see what happens.

/rs
Title: Re: OPNSense 17.X and Jails
Post by: djGrrr on March 09, 2017, 01:52:38 am
Jails use the system kernel, not their own, so you don't even need to install a kernel into the jail.
Title: Re: OPNSense 17.X and Jails
Post by: franco on March 09, 2017, 07:50:35 am
I could be wrong, but the way that pf works it's not easily possible to set up a jailed environment, as access to /dev/pf will be able to reconfigure the non-jailed host as well?

Cheers,
Franco
Title: Re: OPNSense 17.X and Jails
Post by: fbar on March 09, 2017, 06:12:18 pm
Here are the instructions on how I got a jail to work in OPNSense 17.1:

# Contents of /etc/rc.conf.d/jail

jail_enable="YES"       # Set to NO to disable starting of any jails
jail_parallel_start="YES"       # Start jails in the background
jail_list=""            # Space separated list of names of jails
jail_reverse_stop="NO"  # Stop jails in reverse order

# End of /etc/rc.conf.d/jail

# Contents of /etc/jail.conf

allow.raw_sockets = 0;
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
mount.fstab = "/etc/fstab.$name";
allow.mount;
allow.set_hostname = 0;
allow.sysvipc = 0;
path = "/jails/${name}";

nas {
        host.hostname = "nas.ads.local";
        interface = bge1;
        ip4.addr = 10.xxx.xxx.32;
        allow.raw_sockets = 1;
}

# End of /etc/jail.conf

# Run these commands at shell prompt

touch /etc/fstab.nas
mkdir -p /jails/nas
mkdir -p /jails/11R
cd /jails/11R

fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/base.txz
tar -JxvC /jails/nas/ -f base.txz

cp /etc/resolv.conf /jails/nas/etc/
cp /etc/localtime /jails/nas/etc/

# Now switch to the root of the jail and change root passwd, mail aliases and
# update the jail release.

chroot /jails/nas /bin/csh

passwd
mkdir /usr/ports
mkdir /usr/home
ln -s /usr/home /home
cd /etc/mail
make aliases
freebsd-update fetch install

grep ssh /etc/defaults/rc.conf > /etc/rc.conf.d/sshd

# Contents of /etc/rc.conf.d/sshd inside the jail

sshd_enable="YES"               # Enable sshd
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_flags=""                   # Additional flags for sshd.
# End of /etc/rc.conf.d/sshd inside the jail
# Exit the jail
exit

# I needed to enable posix acls in OPNSense for samba
# Contents of /etc/fstab

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ada0s1a            /               ufs     rw,acls         1       1
/dev/ada0s1b            none            swap    sw              0       0
# End of /etc/fstab
# reboot OPNSense firewall, ssh back in , the jail should be running

jls

root@OPNSense:/etc # jls
   JID  IP Address      Hostname                      Path
     5  10.xxx.xxx.32     nas.ads.local                 /jails/nas

# you can now ssh into the jail via IP or use jexec. Set PermitRootLogin if you want to ssh in as root in the jail.
# otherwise use jexec to log into the jail
jexec 5 /bin/csh

root@nas:~ #

# update pkg database

pkg update


# Install Samba **** samba44 is broken in FreeBSD - just core dumps
# install samba43 instead. Maybe samba45 will fix the issue

# package name without the .txz suffix: pkg install takes package names, not files
pkg install samba43-4.3.13_1

# Follow the rest of the Samba install. I used the standalone model; you can also run as a DC, etc.

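Added example, written for this thread and not taken from the post above or from OPNsense/FreeBSD: a small POSIX sh/awk reviewer for a jail.conf laid out like the one posted (global defaults followed by per-jail blocks). It resolves each jail's effective settings (a line inside the jail block overrides the global default, and a bare "key;" means true) and prints the settings a reviewer would want justified before hosting a file server on the firewall: allow.mount, allow.raw_sockets, mount.devfs with no explicit devfs_ruleset, and a jail with no address of its own. The sample configuration, hostnames and 192.0.2.x addresses are constructed, and write_sample_conf and lint_jail_conf are names chosen here. It needs only sh and awk, so it runs on the OPNsense host or anywhere else against a copy of /etc/jail.conf.

```shell
#!/bin/sh
# Added example (not from the forum post): review a jail.conf for settings that
# widen what a jailed file server can do on the firewall host. Needs only awk.

# Constructed jail.conf in the layout of the posted one (hostnames and
# addresses are placeholders). A second jail shows a per-jail override.
write_sample_conf() {
    cat > "$1" <<'EOF'
# global defaults
allow.raw_sockets = 0;
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
mount.fstab = "/etc/fstab.$name";
allow.mount;
allow.set_hostname = 0;
allow.sysvipc = 0;
path = "/jails/${name}";

nas {
        host.hostname = "nas.example.test";
        interface = bge1;
        ip4.addr = 192.0.2.32;
        allow.raw_sockets = 1;
}

# tightens the inherited default
backup {
        host.hostname = "backup.example.test";
        interface = bge1;
        ip4.addr = 192.0.2.33;
        allow.mount = 0;
}
EOF
}

# lint_jail_conf FILE: print one finding per line, "<jail>: <finding>"
lint_jail_conf() {
    awk '
    # drop comments, surrounding blanks and the trailing ";"
    function clean(s) { sub(/#.*/, "", s); gsub(/^[ \t]+/, "", s); gsub(/[ \t;]+$/, "", s); return s }
    # map the jail(8) boolean spellings to "1"/"0"; a bare key (empty value) is true
    function norm(v) {
        if (v == "" || v == "1" || v == "true" || v == "yes") return "1"
        if (v == "0" || v == "false" || v == "no") return "0"
        return v
    }
    # effective value: the jail block wins, otherwise the global default
    function eff(jail, key) {
        if ((jail, key) in j) return j[jail, key]
        if (key in g) return g[key]
        return ""
    }
    {
        line = clean($0)
        if (line == "") next
        if (line ~ /\{$/) {                  # "name {" opens a jail block
            sub(/[ \t]*\{$/, "", line); cur = line; jails[++n] = cur; next
        }
        if (line == "}") { cur = ""; next }  # block closed, back to globals
        if (match(line, /\+?=/)) {           # "key = value" or "key += value"
            key = substr(line, 1, RSTART - 1); val = substr(line, RSTART + RLENGTH)
            gsub(/[ \t]/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        } else { key = line; val = "" }      # bare "key;"
        val = norm(val)
        if (cur == "") g[key] = val; else j[cur, key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            jail = jails[i]
            if (eff(jail, "allow.mount") == "1")
                print jail ": allow.mount is on (mounts from inside the jail); disable it unless the service needs it"
            if (eff(jail, "allow.raw_sockets") == "1")
                print jail ": allow.raw_sockets is on (raw IP sockets inside the jail); a file server does not need it"
            if (eff(jail, "mount.devfs") == "1" && eff(jail, "devfs_ruleset") == "")
                print jail ": mount.devfs without devfs_ruleset; relies on the jail(8) default ruleset 4 (devfsrules_jail), set it explicitly so the exposed devices are reviewable"
            if (eff(jail, "ip4.addr") == "" && eff(jail, "ip6.addr") == "" &&
                eff(jail, "vnet") == "" && eff(jail, "ip4") != "inherit")
                print jail ": no ip4.addr, ip6.addr or vnet; the jail has no network identity of its own"
        }
    }' "$1"
}

# Demonstration on the constructed configuration
conf=$(mktemp "${TMPDIR:-/tmp}/jaillint.XXXXXX") || exit 1
write_sample_conf "$conf"
lint_jail_conf "$conf"
rm -f "$conf"
```

On the constructed file this reports the nas jail three times: allow.mount is inherited from the global section, allow.raw_sockets = 1 is set in its block, and mount.devfs runs with the jail(8) default ruleset 4 (devfsrules_jail) because no devfs_ruleset is given. The backup jail is reported once, for the devfs ruleset only, because "allow.mount = 0;" inside its block clears the inherited default. Run it against a real /etc/jail.conf with lint_jail_conf /etc/jail.conf.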
Title: Re: OPNSense 17.X and Jails
Post by: fbar on March 09, 2017, 06:16:55 pm
One last thing, I added a rule in my firewall to allow LocalNet to LocalNet for any any. Not sure how restrictive others may have their rule base but you need to allow access to the jail from other hosts or pf will drop the connections.

Regards
Title: Re: OPNSense 17.X and Jails
Post by: franco on March 11, 2017, 04:02:10 pm
Sorry, I mistakenly assumed you wanted OPNsense to run in a jail, but this is obviously about jails on OPNsense. I'll be quiet now and thanks for the detailed steps. :)


Cheers,
Franco