Topic: OPNSense 17.X and Jails (Read 10046 times)
fbar (Newbie, Posts: 11, Karma: 1)
OPNSense 17.X and Jails « on: March 08, 2017, 01:49:54 am »
Greetings,
I would like to run a jail inside OPNSense 17.1. I have a decent firewall: 2 cores, 8G RAM with a 512GB SSD, more than enough for a FW and a SONOS music server. I just want to run Samba 4 as a simple file server for my SONOS music system. I really don't want to run FreeNAS or another separate server. Are there instructions on how to do this on OPNSense, and is there an OPNSense jail tarball I can use?
Thanks.
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: OPNSense 17.X and Jails « Reply #1 on: March 08, 2017, 02:25:31 pm »
Why not run a dedicated hypervisor? Is your CPU 64 bit?
Bart...
fbar (Newbie, Posts: 11, Karma: 1)
Re: OPNSense 17.X and Jails « Reply #2 on: March 08, 2017, 04:40:40 pm »
I didn't want it to be that complicated. Actually, I would have just preferred a plugin or Samba pkg to run on the firewall itself. I know it's frowned upon, but it's just a simple server. I thought the next best step is to run Samba in a jail. I like the GUI and simplicity of OPNSense though. I suppose if I have to I can go back to running a full server (OpenBSD). I don't really want to compile packages, run hypervisors etc. just to stream music. I'll wait to see what others suggest over the next few days.
Thanks.
djGrrr (Full Member, Posts: 112, Karma: 22)
Re: OPNSense 17.X and Jails « Reply #3 on: March 08, 2017, 08:57:40 pm »
The instructions for OPNsense would really be no different than for FreeBSD, and you can use the FreeBSD tarballs to create the jail filesystem.
fbar (Newbie, Posts: 11, Karma: 1)
Re: OPNSense 17.X and Jails « Reply #4 on: March 09, 2017, 01:24:12 am »
That's what I wanted to confirm: use FreeBSD 11.x tarballs.
I didn't know if OPNSense was that drastically different. I suppose as long as the kernel versions are in sync then I should be OK.
OK, I will try that and see what happens.
/rs
djGrrr (Full Member, Posts: 112, Karma: 22)
Re: OPNSense 17.X and Jails « Reply #5 on: March 09, 2017, 01:52:38 am »
Jails use the system kernel, not their own, so you don't even need to install a kernel into the jail.
franco (Administrator, Hero Member, Posts: 17657, Karma: 1611)
Re: OPNSense 17.X and Jails « Reply #6 on: March 09, 2017, 07:50:35 am »
I could be wrong, but the way that pf works, it's not easily possible to set up a jailed environment, as access to /dev/pf will be able to reconfigure the non-jailed host as well?
Cheers,
Franco
fbar (Newbie, Posts: 11, Karma: 1)
Re: OPNSense 17.X and Jails « Reply #7 on: March 09, 2017, 06:12:18 pm »
Here are the instructions on how I got a jail to work in OPNSense 17.1:

# Contents of /etc/rc.conf.d/jail
jail_enable="YES" # Set to NO to disable starting of any jails
jail_parallel_start="YES" # Start jails in the background
jail_list="" # Space separated list of names of jails
jail_reverse_stop="NO" # Stop jails in reverse order
# End of /etc/rc.conf.d/jail

# Contents of /etc/jail.conf
allow.raw_sockets = 0;
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
mount.fstab = "/etc/fstab.$name";
allow.mount;
allow.set_hostname = 0;
allow.sysvipc = 0;
path = "/jails/${name}";

nas {
    host.hostname = "nas.ads.local";
    interface = bge1;
    ip4.addr = 10.xxx.xxx.32;
    allow.raw_sockets = 1;
}
# End of /etc/jail.conf

# Run these commands at the shell prompt
touch /etc/fstab.nas
mkdir -p /jails/nas
mkdir -p /jails/11R
cd /jails/11R
fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/base.txz
tar -JxvC /jails/nas/ -f base.txz
cp /etc/resolv.conf /jails/nas/etc/
cp /etc/localtime /jails/nas/etc/

# Now switch to the root of the jail and change the root password, mail aliases and
# update the jail release.
chroot /jails/nas /bin/csh
passwd
mkdir /usr/ports
mkdir /usr/home
ln -s /usr/home /home
cd /etc/mail
make aliases
freebsd-update fetch install
grep ssh /etc/defaults/rc.conf > /etc/rc.conf.d/sshd
# The defaults file carries sshd_enable="NO"; edit the copied file so that it reads:
# Contents of /etc/rc.conf.d/sshd inside the jail
sshd_enable="YES" # Enable sshd
sshd_program="/usr/sbin/sshd" # path to sshd, if you want a different one.
sshd_flags="" # Additional flags for sshd.
# End of /etc/rc.conf.d/sshd inside the jail

# Exit the jail
exit

# I needed to enable POSIX ACLs in OPNSense for Samba
# Contents of /etc/fstab
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0s1a    /           ufs     rw,acls  1     1
/dev/ada0s1b    none        swap    sw       0     0
# End of /etc/fstab

# Reboot the OPNSense firewall and ssh back in; the jail should be running
root@OPNSense:/etc # jls
   JID  IP Address      Hostname        Path
     5  10.xxx.xxx.32   nas.ads.local   /jails/nas

# You can now ssh into the jail via IP or use jexec. Set PermitRootLogin if you want to ssh in as root in the jail,
# otherwise use jexec to log into the jail
jexec 5 /bin/csh
root@nas:~ #

# Update the pkg database
pkg update
# Install Samba **** samba 44 is broken in FreeBSD - just core dumps
# install 43 instead. Maybe samba45 will fix the issue
pkg install samba43-4.3.13_1.txz
# Follow the rest of the Samba install. I used standalone mode; you can also run it as a DC, etc.
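Franco's /dev/pf question in Reply #6 and the jail.conf posted above both come down to which jails end up with settings that reach back into the host firewall. The audit script below is an added example, not the poster's code: it parses a constructed jail.conf in the same syntax (global settings, then per-jail blocks that override them) and flags jails whose effective settings allow raw sockets or mount devfs with devfs_ruleset = 0, since mount.devfs on its own applies the default jail ruleset, which hides /dev/pf.

```shell
# Constructed sample in the syntax of the posted /etc/jail.conf: global
# settings first, then per-jail blocks that may override them.
SAMPLE_JAIL_CONF='allow.raw_sockets = 0;
mount.devfs;
allow.mount;
path = "/jails/${name}";
nas {
    host.hostname = "nas.ads.local";
    ip4.addr = 10.0.0.32;       # constructed address
    allow.raw_sockets = 1;      # per-jail override of the global 0
}
dev {
    host.hostname = "dev.ads.local";
    devfs_ruleset = 0;          # no ruleset enforced: host devices such as /dev/pf stay visible
}'

# audit_jail_conf CONF_TEXT
# Prints one "jailname:finding" line per effective setting that widens the
# jail's reach onto the host: raw sockets, or devfs mounted with ruleset 0
# (mount.devfs without devfs_ruleset defaults to ruleset 4, which hides /dev/pf).
audit_jail_conf() {
    printf '%s\n' "$1" | awk '
        # effective value: a per-jail setting wins over the global one
        function eff(k) { return (k in j) ? j[k] : g[k] }
        function report() {
            if (eff("allow.raw_sockets") == "1") print jail ":raw_sockets"
            if (eff("mount.devfs") == "1" && eff("devfs_ruleset") == "0")
                print jail ":devfs_unrestricted"
        }
        { sub(/#.*/, ""); gsub(/;/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, ";" and blanks
        $0 == "" { next }
        /\{$/ { jail = $1; split("", j); next }                          # enter a jail block
        /^\}$/ { report(); jail = ""; next }                             # leave it: report findings
        {
            key = $1
            val = ($2 == "=" || $2 == "+=") ? $3 : "1"   # a bare key such as "mount.devfs" means true
            gsub(/"/, "", val)
            if (jail == "") g[key] = val; else j[key] = val
        }'
}

audit_jail_conf "$SAMPLE_JAIL_CONF"
```

On the sample this prints `nas:raw_sockets` and `dev:devfs_unrestricted`; run it against the real /etc/jail.conf with `audit_jail_conf "$(cat /etc/jail.conf)"` before starting the jails.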
fbar (Newbie, Posts: 11, Karma: 1)
Re: OPNSense 17.X and Jails « Reply #8 on: March 09, 2017, 06:16:55 pm »
One last thing, I added a rule in my firewall to allow LocalNet to LocalNet for any any. Not sure how restrictive others may have their rule base but you need to allow access to the jail from other hosts or pf will drop the connections.
Regards
franco (Administrator, Hero Member, Posts: 17657, Karma: 1611)
Re: OPNSense 17.X and Jails « Reply #9 on: March 11, 2017, 04:02:10 pm »
Sorry, I mistakenly assumed you wanted OPNsense to run in a jail, but this is obviously about jails on OPNsense. I'll be quiet now and thanks for the detailed steps.
Cheers,
Franco