# Running a FreeBSD server with jails



## wlanboy (Nov 16, 2013)

My first touch with BSD was a shell account on FreeBSD 4.2. 13 years later (ouch I am old) FreeBSD shines on version 9.2.

If you have a dev box (KVM) which is idling, take it and install FreeBSD on it.

It is Unix but it does not bite if you know how to handle everything.

If you start your KVM the little devil boy is greeting you:



I will not show every single step (e.g. network with dhcp auto config is boring) but I want to show how easy it is to install FreeBSD.



No live system - we want to install that thing.



Name the machine (a fqn would be nice)



It is a KVM, so just go the guided way for the full hd.



Just select every package.



And a root password.



And a user too - if you want.

And your network config.



SSH server would be nice.



Exit to save your config.



And done.

How do I update the system?


```
freebsd-update fetch
freebsd-update install
```

Heck nothing is working and I am not able to connect to my vps!

Yup, your system is running but it is running as designed -> Safe.

So your ssh daemon is only listening on localhost.

Next thing is the update of your ports:


```
portsnap fetch
portsnap extract
portsnap update
```

What are ports?

The FreeBSD ports collection offers a simple way to install applications. There are currently over 20000 ports available.

It is a list of make files and package dependencies. You can go into one folder and make your tool of choice right out of the source code.

Let's start with nano:


```
cd /usr/ports/editors/nano
make install clean
```

This will compile and install "nano" to your system.

You should run following command at the end:


```
ln -s /usr/local/bin/nano /usr/bin/nano
```

Why?

Because BSD is separating the operating system from the services.

SSH is part of the system so its config is in: /etc/ssh/...

Lighttpd is a service so its config is in: /usr/local/etc/lighttpd/...

A nice separation of concerns.

For nano a "hand made" compile does not make a lot of sense. So there are binary packages too:


```
pkg_add -r -v nano
```

This will install nano too. But without the console cinema of the gnu compiler.

So how should you install things?

Depends on what you want to do. If you want to tweak or enable some flags you should use ports. You can even edit the source code too.

Lighttpd is a good example. I used ports to install lighttpd because of the compiler flags you can set.



Same with php, sqlite, etc.
 

You can start lighttpd with following command:


```
/usr/local/etc/rc.d/lighttpd restart
```

Output is:


```
Cannot 'restart' lighttpd.
Set lighttpd_enable to YES in /etc/rc.conf or use 'onerestart' instead of 'restart'.
```

So we have to enable lighttpd in rc.conf to be a valid service:


```
echo 'lighttpd_enable="YES"' >> /etc/rc.conf
```


```
/usr/local/etc/rc.d/lighttpd restart
Performing sanity check on lighttpd configuration:
Syntax OK
Stopping lighttpd.
Waiting for PIDS: 10229.
Starting lighttpd.
```
Fastest way:


```
pkg_add -r -v lighttpd
```

So back to some basic tools of FreeBSD:


```
pkg_add -r -v bash
pkg_add -r -v nano
pkg_add -r -v lynx
```

To get some basic Debian feeling back.

There is no "free" but "vmstat" does the job too:


```
vmstat
procs memory page disks faults cpu
r b w avm fre flt re pi po fr sr vt0 cd0 in sy cs us sy id
0 0 0 386M 1256M 25 0 0 0 26 0 0 0 3 103 160 0 0 100
```


Same with netstat -taupen - unknown parameters. So use netstat -an | egrep 'LISTEN' instead:


```
netstat -an | egrep 'Proto|LISTEN'
netstat: kvm not available: /dev/mem: No such file or directory
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.10.10.10.80 *.* LISTEN
tcp4 0 0 10.10.10.10.25 *.* LISTEN
tcp4 0 0 10.10.10.10.22 *.* LISTEN
```

But back to topic. If you want to run some of your loved tools google for it. FreeBSD does have a Linux support layer too. So every Linux tool can be run under FreeBSD too.

We now want to install ezjail.


```
cd /usr/ports/sysutils/ezjail
make install clean
echo 'ezjail_enable="YES"' >> /etc/rc.conf

ezjail-admin install
```

Last command will "generate the world" it fetches everything needed to setup an ezjail environment (a FreeBSD inside of FreeBSD).

Now we add a new interface to our box by editing the /etc/rc.conf:


```
gateway_enable="YES"
cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"
```

First line will enable the ip forwarding.

Second line creates a new loopback device.

The last two lines add IP addresses to the interface.

I don't want to give the jails access to the localhost interface or any public ip. I want to decide which connection to a jail is allowed. So this is the best way to separate the networks.

The alias1 will be used for my first jail. Jails can only use IPs that are already in use by the host system.

So time for a reboot.


```
shutdown -r now
```

Ok at least this is like a Debian system ;-)

So lets install a jail:


```
ezjail-admin create -r /jails/webjail webjail 10.10.10.10
```

Folder for the jail filesystem, jail name and first IP address.

You can edit the configuration with following command (reminder "webjail" is the name of the jail)


```
nano /usr/local/etc/ezjail/web
```

Content is:


```
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_web_hostname="webjail"
export jail_web_ip="10.10.10.10"
export jail_web_rootdir="/jails/webjail"
export jail_web_exec_start="/bin/sh /etc/rc"
export jail_web_exec_stop=""
export jail_web_mount_enable="YES"
export jail_web_devfs_enable="YES"
export jail_web_devfs_ruleset="devfsrules_jail"
export jail_web_procfs_enable="YES"
export jail_web_fdescfs_enable="YES"
export jail_web_image=""
export jail_web_imagetype=""
export jail_web_attachparams=""
export jail_web_attachblocking=""
export jail_web_forceblocking=""
export jail_web_zfs_datasets=""
export jail_web_cpuset=""
export jail_web_fib=""
export jail_web_parentzfs=""
export jail_web_parameters=""
export jail_web_post_start_script=""
```

The jail itself (because we are not using any template) is missing some files:

1. DNS config:


```
# the resolver config is /etc/resolv.conf (no "e")
cp /etc/resolv.conf /jails/webjail/etc/
```

2. rc.conf


```
echo 'sshd_enable="YES"' >> /jails/webjail/etc/rc.conf
```

3. Edit sshd config to listen to 10.10.10.10


```
nano /jails/webjail/etc/ssh/sshd_config
```

And add the line:


```
ListenAddress 10.10.10.10
```

We are now able to see our jail with jls:


```
jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     2  web                           /jails/web
        web                           ACTIVE
        2
        10.10.10.10
```

We can now start and stop the jail:


```
ezjail-admin start webjail
ezjail-admin stop webjail
```

And enter the jail too:


```
ezjail-admin console webjail
```

But the jail itself will not have any internet access.

This can be done by pf:

We have to enable pf and set some parameters in /etc/rc.conf:


```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pf_flags=""
```

And of course set the pf rules in /etc/pf.conf:


```
external_if="vtnet0"
jail_if="lo10"

IP_PUBLIC="my real ip"
IP_JAIL_WWW="10.10.10.10"

NET_JAIL="10.10.10.0/24"

PORT_WWW="{80,443}"

scrub in all

# nat jail traffic
nat pass on $external_if from $NET_JAIL to any -> $IP_PUBLIC

# web forward
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port $PORT_WWW -> $IP_JAIL_WWW

# demo only, passing all traffic
pass out
pass in
```

Yup I like the syntax of pf.

I am inside of a KVM so "vtnet0" is my "em0" or "eth0" - the one with the internet connection.

Well it just nats everything from the jail network to the real internet and allows the jail to serve the port 80 and 443.

Inside of the jail I run:


```
pkg_add -r -v bash nano lighttpd
echo 'lighttpd_enable="YES"' >> /etc/rc.conf
mkdir /usr/local/www/data
/usr/local/etc/rc.d/lighttpd restart
```

Now (don't forget to restart) I am able to put stuff in /usr/local/www/data that will be served by lighttpd running inside of the jail.

*Next topic is about running fail2ban.*

You should install fail2ban and configure it to use pf.

1. Add "ban" table to pf


```
nano /etc/pf.conf
```

Add following line


```
ipfw add deny all from 'table(1)' to any dst-port 22 in
```

2. Install fail2ban


```
cd /usr/ports/security/py-fail2ban
make install
```

And enable it to autostart:


```
nano /etc/rc.conf
```

Add following line


```
fail2ban_enable="YES"
```

3. Add ssh check to fail2ban configuration


```
nano /usr/local/etc/fail2ban/jail.conf
```

Add following lines:


```
[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw-ssh
logpath = /var/log/sshd/current
maxretry = 3
```

Change to following directory:


```
cd /usr/local/etc/fail2ban/action.d
```

Copy default pf config:


```
cp ipfw.conf ipfw-ssh.conf
```

Change two lines on the new file.


```
nano ipfw-ssh.conf
```

Content:


old:

```
actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
```

new:

```
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>
```


Done.

Now fail2ban is checking the ssh service for failed logins.

*Next topic is about running an OpenVPN server.*

1. Install openvpn


```
cd /usr/ports/security/openvpn && make install clean
# create the config directory and change into it
mkdir /usr/local/etc/openvpn && cd /usr/local/etc/openvpn
```

2. Enable openvpn


```
echo 'openvpn_enable="YES"' >> /etc/rc.conf
echo 'openvpn_configfile="/usr/local/etc/openvpn/server.conf"' >> /etc/rc.conf
echo 'openvpn_if="tun"' >> /etc/rc.conf
```

3. Manage ssl certs with ssl-admin


```
cd /usr/ports/security/ssl-admin && make install
cp /usr/local/etc/ssl-admin/ssl-admin.conf.default /usr/local/etc/ssl-admin/ssl-admin.conf
nano /usr/local/etc/ssl-admin/ssl-admin.conf
```

And add the information missing (state, country, city, org, ...)

And start ssl-admin


```
ssl-admin
=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 04
     Key Size (bits): 2048
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin
```

3a) Create server cert: press "S" and enter information

3b) Create client certs: press "4" and enter information

Check all issued certs:

```
ls -al /usr/local/etc/ssl-admin/active
```

Copy certs to the openvpn directory:

```
cd /usr/local/etc/ssl-admin/active && cp ca.crt server.crt server.key /usr/local/etc/openvpn && cd /usr/local/etc/openvpn
```

3c) Create dh:

```
openssl dhparam -out /usr/local/etc/openvpn/dh2048.pem 2048
```

4. Create openvpn configuration:


```
nano /usr/local/etc/openvpn/server.conf
```

Content:


```
daemon
port 4444
proto udp
dev tun

server [YOUR-OPENVPN-SUBNET] 255.255.255.0

ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh2048.pem

client-to-client
duplicate-cn
keepalive 10 120

user nobody
group nogroup

persist-key
persist-tun

ifconfig-pool-persist ipp.txt
comp-lzo

client-to-client
max-clients 3

push "redirect-gateway def1 bypass-dhcp"

status /usr/local/etc/openvpn/openvpn-status.log
log-append /usr/local/etc/openvpn/openvpn.log
verb 4
```

5. Start openvpn


```
/usr/local/etc/rc.d/openvpn restart
```

Your OpenVPN server is running.

PS: I really like ssl-admin 

That's it. A first look into the world of FreeBSD.

Hopefully I drew your interest. FreeBSD is worth it.

Next topic will be an IPv6 tunnel and how the jails can have access to it.
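The tutorial's point about bind addresses (sshd only on localhost by default, each jail service on its own lo10 alias) can be checked against the `netstat -an` output shown above. This is an added example, not part of the original post; the sample lines are constructed in that output format, and the sshd/lighttpd ports are taken from the post:

```shell
#!/bin/sh
# Added example (not from the thread): classify LISTEN sockets from FreeBSD
# "netstat -an" output, whose local address column is "addr.port" with the
# port after the LAST dot (e.g. 10.10.10.10.22, *.25, 127.0.0.1.3306).
#
# Sample output constructed for this example.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.10.10.10.80 *.* LISTEN
tcp4 0 0 10.10.10.10.22 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
tcp4 0 0 127.0.0.1.3306 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN'

# classify_listeners CLASS: reads netstat -an output on stdin and prints
# "proto address port" for every LISTEN socket in CLASS, where CLASS is
#   wildcard  bound to every address (*)   - reachable on all interfaces
#   local     bound to 127.0.0.1 or ::1    - host only
#   specific  bound to one address         - e.g. a jail alias on lo10
classify_listeners() {
    awk -v want="$1" '
        $NF == "LISTEN" {
            n = split($4, part, ".")
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*")
                kind = "wildcard"
            else if (addr == "127.0.0.1" || addr == "::1")
                kind = "local"
            else
                kind = "specific"
            if (kind == want)
                print $1, addr, port
        }'
}

# count_wildcard_listeners: number of sockets in the sample that are exposed on
# every interface; on a real host pipe "netstat -an" into classify_listeners.
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners wildcard | wc -l | tr -d ' '
}

# Report the daemons that answer on all interfaces; these are the ones worth a
# ListenAddress (sshd) or a pf rule, as the post does for the jail.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners wildcard
```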


----------



## blergh (Nov 16, 2013)

I haven't read the entire tutorial, but I would just like to give two thumbs up for content and guides like these, this is great! Let's hope we see more stuff like this in the future, great work!


----------



## vRozenSch00n (Nov 16, 2013)

@wlanboy Love your tutorial. FreeBSD is a lot easier to install nowadays and even though slower than Linux, it is still in an ongoing development.


----------



## Echelon (Nov 17, 2013)

vRozenSch00n said:


> @wlanboy Love your tutorial. FreeBSD is a lot easier to install nowadays and even though slower than Linux, it is still in an ongoing development.


Slower than Linux? Back up your claim. Source?


----------



## bauhaus (Nov 17, 2013)

vRozenSch00n said:


> @wlanboy Love your tutorial. FreeBSD is a lot easier to install nowadays and even though slower than Linux, it is still in an ongoing development.


What? All *BSDs talk better with the hardware, so to speak. The only issue I have with *BSDs is their lack of specific hardware support. I have used/tried openBSD, netBSD, freeBSD, and lately dragonflyBSD and pcBSD and they always ran faster and smoother than LINUX, which I also love btw


----------



## vRozenSch00n (Nov 17, 2013)

Echelon said:


> Slower than Linux? Back up your claim. Source?


What I mean is slower in development compared to Linux distros (I think it is related to specific hardware support). Thankfully, there are good people who develop other BSD strains: openBSD, netBSD, freeBSD, dragonflyBSD and pcBSD. 

I have Windows 8.1, Debian 7 and pcBSD in my PC and I love them all for each one uniqueness.


----------



## vRozenSch00n (Nov 17, 2013)

bauhaus said:


> What? All *BSDs talk better with the hardware, so to speak. The only issue I have with *BSDs is their lack of specific hardware support. I have used/tried openBSD, netBSD, freeBSD, and lately dragonflyBSD and pcBSD and they always ran faster and smoother than LINUX, which I also love btw


I can concur with this.


----------



## wlanboy (Nov 17, 2013)

Next part IPv6!

1. Register at tunnelbroker.net.

2. Get your tunnel running: There is a tutorial for that.

They are even providing the setup for FreeBSD but only the shell commands - no rc.conf.

So let's take a look at the commands:


```
ifconfig gif0 create
ifconfig gif0 tunnel ipOfYourVPS ipOfTunnelBroker
ifconfig gif0 inet6 ipv6OfYourVPS ipv6OfTheTunnelBroker prefixlen 128
route -n add -inet6 default ipv6OfTheTunnelBroker
ifconfig gif0 up
```

rc.conf would look like this:


```
ipv6_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="ipOfYourVPS ipOfTunnelBroker"
ipv6_ifconfig_gif0="ipv6OfYourVPS ipv6OfTheTunnelBroker prefixlen 128"
ipv6_defaultrouter="ipv6OfTheTunnelBroker"
ipv6_gateway_enable="YES"
ipv6_ifconfig_gif0_alias0="2001:**:*:*::22 prefixlen 64"
ipv6_ifconfig_gif0_alias1="2001:**:*:*::33 prefixlen 64"
```

You can find your "Routed IPv6 Prefixes" on your "Tunnel Details" page.

This is a /64 network so about 18,446,744,073,709,551,616 IPv6 IP addresses. Enough for quite a number of jails.

You can select (and use one) by adding an alias (ipv6_ifconfig_gif0_aliasXXX).

Best thing on jails - you just have to add the ipv6 addresses:


```
export jail_web_ip="10.10.10.10,2001:**:*:*::22,2001:**:*:*::33"
```

Everything else is done automatically.

Restart your jail and everything is running. The jail does have ipv6 connectivity.


----------



## MannDude (Nov 17, 2013)

wlanboy said:


> Next part IPv6!
> 
> 1. Register at tunnelbroker.net.
> 
> ...


Possible to post this as its own, new tutorial?

Wealth of information!


----------



## wlanboy (Nov 17, 2013)

MannDude said:


> Possible to post this as it's own, new tutorial?
> 
> Wealth of information!


I do have a tutorial for the tunnelbroker too.

But you are right - I have added the FreeBSD part to that tutorial.


----------



## wlanboy (Nov 17, 2013)

blergh said:


> I haven't read the entire tutorial, but I would just like to give two thumbs up for content and guides like these, this is great! Let's hope we see more stuff like this in the future, great work!





vRozenSch00n said:


> @wlanboy Love your tutorial. FreeBSD is a lot easier to install nowadays.


Thank you for the feedback.


----------



## peterw (Nov 18, 2013)

Loving this beginner friendly tutorial. Great work!


----------



## wlanboy (Dec 15, 2013)

Next topic: Install OpenVPN server.

1. Install openvpn


```
cd /usr/ports/security/openvpn && make install clean
# create the config directory and change into it
mkdir /usr/local/etc/openvpn && cd /usr/local/etc/openvpn
```

2. Enable openvpn


```
echo 'openvpn_enable="YES"' >> /etc/rc.conf
echo 'openvpn_configfile="/usr/local/etc/openvpn/server.conf"' >> /etc/rc.conf
echo 'openvpn_if="tun"' >> /etc/rc.conf
```

3. Manage ssl certs with ssl-admin


```
cd /usr/ports/security/ssl-admin && make install
cp /usr/local/etc/ssl-admin/ssl-admin.conf.default /usr/local/etc/ssl-admin/ssl-admin.conf
nano /usr/local/etc/ssl-admin/ssl-admin.conf
```

And add the information missing (state, country, city, org, ...)

And start ssl-admin


```
ssl-admin
```


```
=====================================================
#                  SSL-ADMIN                        #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 04
     Key Size (bits): 2048
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin
```
3a) Create server cert: press "S" and enter information

3b) Create client certs: press "4" and enter information

Check all issued certs:

```
ls -al /usr/local/etc/ssl-admin/active
```

Copy certs to the openvpn directory:

```
cd /usr/local/etc/ssl-admin/active && cp ca.crt server.crt server.key /usr/local/etc/openvpn && cd /usr/local/etc/openvpn
```

3c) Create dh:

```
openssl dhparam -out /usr/local/etc/openvpn/dh2048.pem 2048
```

4. Create openvpn configuration:


```
nano /usr/local/etc/openvpn/server.conf
```

Content:


```
daemon
port 4444
proto udp
dev tun

server [YOUR-OPENVPN-SUBNET] 255.255.255.0

ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh2048.pem

client-to-client
duplicate-cn
keepalive 10 120

user nobody
group nogroup

persist-key
persist-tun

ifconfig-pool-persist ipp.txt
comp-lzo

client-to-client
max-clients 3

push "redirect-gateway def1 bypass-dhcp"

status /usr/local/etc/openvpn/openvpn-status.log
log-append /usr/local/etc/openvpn/openvpn.log
verb 4
```

5. Start openvpn


```
/usr/local/etc/rc.d/openvpn restart
```

PS: I really like ssl-admin


----------



## wlanboy (Jan 19, 2014)

Updated the tutorial.


----------



## wlanboy (Jan 21, 2014)

Added fail2ban config for pf.


----------



## peterw (Jan 22, 2014)

Great to see the configuration of fail2ban. I forgot to install it on my kvm. Why do you only block the port?



> ipfw add deny all from 'table(1)' to any dst-port 22 in


I do block the whole ip.


```
ipfw add deny all from 'table(1)' to any
```


----------



## wlanboy (Jan 23, 2014)

peterw said:


> Great to see the configuration of fail2ban. I forgot to install it on my kvm.


Yup, fail2ban is a must have. Don't alter your ssh port - that's not safe at all.



peterw said:


> Great to see the configuration of fail2ban. I forgot to install it on my kvm. Why do you only block the port?
> 
> I do block the whole ip.
> 
> ...


You can - of course - do this, but someone brute forcing my ssh is normally only doing that and not penetrating any other services.

It just depends on the gravity you put into an incident.


----------



## Raymii (Jan 23, 2014)

Super awesome. Using Freebsd for a while now and it's tempting to just go all the way...


----------



## wlanboy (Jan 24, 2014)

So if anyone wants some service added feel free to ask.

Hopefully some other FreeBSD users will add their stuff too.


----------



## juan (Jan 25, 2014)

how about running your own xmpp server on freebsd? thanks and your tutorials really helped me a lot.


----------



## wlanboy (Jan 25, 2014)

juan said:


> how about running your own xmpp server on freebsd? thanks and your tutorials really helped me a lot.


I use ejabberd - would that be enough?


----------



## juan (Jan 25, 2014)

wlanboy said:


> I use ejabberd - would that be enough?


that's perfect, if you can include which port to open also on pf. thanks a lot!


----------



## wlanboy (Jan 25, 2014)

juan said:


> that's perfect, if you can include which port to open also on pf. thanks a lot!


1. Change to the ports dir and build it


```
cd /usr/ports/net-im/ejabberd
make install
```

2. Change the config to what you need


```
nano /usr/local/etc/ejabberd/ejabberd.cfg
```

3. Start server and check status


```
/usr/local/sbin/ejabberdctl start
/usr/local/sbin/ejabberdctl status
```

4. Add admin user


```
/usr/local/sbin/ejabberdctl register [admin name] [domain] [password]
```

5. Autostart ejabberd


```
echo 'ejabberd_enable="YES"' >> /etc/rc.conf
```

6. Open three ports in pf for ejabberd


```
5222: client to server
5269: server to server
5280: http admin interface
```

Also:


```
nano /etc/pf.conf
```


```
tcp_pass = "{ 5222 5269 5280 }"
# the original line ended in a bare "flags"; S/SA (SYN only, new connections) is pf's usual value
pass in on $external_if proto tcp from any to any port $tcp_pass flags S/SA keep state
```


----------



## peterw (Jan 28, 2014)

Can you add information about installing a dns server on freebsd?


----------



## blergh (Jan 30, 2014)

@peterw,

It would be the exact same as running/doing it on Linux, use something like powerdns and voilà


----------



## NodeworksIX (Feb 2, 2014)

Thanks so much for this great tutorial.  I used to admin FreeBSD back in the 4.x days and haven't touched it since 5.x -- this gave me a little something to play with to get familiar with it again.  Quite a few things have changed... mostly for the better!


----------



## wlanboy (Feb 5, 2014)

NodeworksIX said:


> Quite a few things have changed... mostly for the better!


That was my first impression too.

I enjoy my FreeBSD server and want to encourage others to give FreeBSD a break.


----------



## peterw (Feb 11, 2014)

Things changed in FreeBSD 10. Why did they remove pkg_add? Any replacement known?


----------



## bauhaus (Feb 11, 2014)

peterw said:


> Things changed in FreeBSD 10. Why did they remove pkg_add? Any replacement known?


Try pkg or pkgng, not quite sure which one it is.


----------



## wlanboy (Feb 11, 2014)

peterw said:


> Things changed in FreeBSD 10. Why did they remove pkg_add? Any replacement known?


It is not part of the images - don't know why - but you can install it.



bauhaus said:


> Try pkg or pkgng, not quite sure which one it is.


Correct:


```
pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]:
```

After that pkg_add is available again.


----------



## peterw (Feb 13, 2014)

wlanboy said:


> It is not part of the images - don't know why - but you can install it.


I was lost because I did not know how to install pkg_add without pkg_add. I should have called pkg to see what happens. Thank you.


----------



## vRozenSch00n (Feb 13, 2014)

@wlanboy A little bit off topic, I need your help. I'd like to install a USB broadband CDMA modem for my PC-BSD, but the USB device is recognized as a CD/DVD. I tried Mr. Google but I can't find a tutorial. At the moment, the only way I can connect to the internet from my PC-BSD is through a router that has a connection to the internet. Could you please make a tutorial on this? Thanks.


----------



## wlanboy (Feb 13, 2014)

vRozenSch00n said:


> Could you please make a tutorial on this? Thanks.


I may first add some words and - if needed - add a tutorial later.

This is a common problem of USB modems that use Zero-CD to make the installation of drivers simple for windows users.

The device itself does add a second usb device (virtual cd) which is "flipped" if the driver is already installed.

My modem is detected as umass0 (or ugen0 for older models).

FreeBSD 10 does have most drivers on board so add them:


```
nano /boot/loader.conf
```


```
u3g_load="YES"
umass_load="YES"
```
Then use "kldstat" to reload all modules - or simply restart the pc.

Then you are able to list all usb devices (the ones BSD knows):


```
usbdevs -v

port 1 addr 3: full speed, power 100 mA, config 1, USB MMC Storage(0x1000),
Qualcomm, Incorporated(0x05c6), rev 0.00
```

We need two IDs: vendor = 0x05c6 and product = 0x1000.

Now we have to check for some additional information for the SCSI device:


```
camcontrol devlist

<ZCOPTION HSDPA Modem 3.00> at scbus8 target 0 lun 0 (pass0,cd0)
```

Now we have to create a config file to pass this device (like the windows driver does):


```
nano /etc/devd/usbmodem.conf
```

Content:


```
attach 100 {
    match "device-name" "umass[0-9]+";
    match "vendor" "0x05c6";
    match "product" "0x1000";
    match "devclass" "0x00";
    action "sleep 3; /sbin/camcontrol cmd `/sbin/camcontrol devlist | /usr/bin/grep Option | /usr/bin/awk '{match($10, /pass[0-9]+/); print substr($10, RSTART, RLENGTH) }'` -c '01 00 00 00 00 00' -i 1 i1 > /dev/null";
};
```

The action part is the one that needs some cutting.

The command should be:


```
camcontrol cmd cd0 -c "01 00 00 00 00 00" -i 1 i1
```

Now we have to restart the dev daemon:


```
/etc/rc.d/devd restart
Stopping devd.
Starting devd.
```

Afterwards the real usb device (modem) pops up.

*Simple solution:*


1. Google for "disable zero-cd [model name] at command"
2. Use windows to disable the zero-cd
3. Use the modem without any hassle


----------



## vRozenSch00n (Feb 14, 2014)

@wlanboy thanks a lot I'll try your directive and I'll post the result later.


----------



## wlanboy (Mar 19, 2014)

If someone is running FreeBSD on his laptop this command is the easiest way to check the battery status:


```
sysctl hw.acpi.battery
```

Output:


```
hw.acpi.battery.life: 100
hw.acpi.battery.time: -1
hw.acpi.battery.state: 0
hw.acpi.battery.units: 1
hw.acpi.battery.info_expire: 5
```

Quite easy to parse this and send notifications.
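One way to do that parsing, as an added example that is not the author's script: decode the state value into a word and decide whether a notification is due. The state bits follow FreeBSD's acpiio.h (1 = discharging, 2 = charging, 4 = critical, 7 = no battery present); the 20 % threshold is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): turn "sysctl hw.acpi.battery" output into
# a state word and an alert decision. State bits per FreeBSD acpiio.h:
# 1 = discharging, 2 = charging, 4 = critical, 7 = no battery present.
LOW_WATER=20    # alert threshold in percent (assumption for this example)

# battery_status: reads "hw.acpi.battery.<name>: <value>" lines on stdin and
# prints "<state-word> <life-percent>", e.g. "discharging 17".
battery_status() {
    awk '
        $1 == "hw.acpi.battery.life:"  { life = $2 }
        $1 == "hw.acpi.battery.state:" { state = $2 }
        END {
            # POSIX awk has no bit operators, so pull the bits out arithmetically
            discharging = state % 2
            charging    = int(state / 2) % 2
            critical    = int(state / 4) % 2
            if (state == 7)        word = "absent"
            else if (critical)     word = "critical"
            else if (discharging)  word = "discharging"
            else if (charging)     word = "charging"
            else                   word = "full"
            print word, life
        }'
}

# notify_needed WORD LIFE: succeeds (exit 0) when a notification is due:
# critical always, discharging once life is at LOW_WATER or below.
notify_needed() {
    case $1 in
        critical)    return 0 ;;
        discharging) [ "$2" -le "$LOW_WATER" ] ;;
        *)           return 1 ;;
    esac
}

# Constructed sample matching the post's output; on a laptop use:
#   sysctl hw.acpi.battery | battery_status
SAMPLE='hw.acpi.battery.life: 100
hw.acpi.battery.time: -1
hw.acpi.battery.state: 0
hw.acpi.battery.units: 1
hw.acpi.battery.info_expire: 5'

status=$(printf '%s\n' "$SAMPLE" | battery_status)
set -- $status
if notify_needed "$1" "$2"; then
    echo "ALERT: battery $1 at $2%"
else
    echo "ok: battery $1 at $2%"
fi
```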


----------



## andrewm659 (Nov 26, 2014)

How would you configure it if you wanted each jail to have a routable interface on the same network as the host?  This is where i'm getting confused.



wlanboy said:


> If someone is running FreeBSD on his laptop this command is the easiest way to check the battery status:
> 
> 
> sysctl hw.acpi.battery
> ...


----------



## wlanboy (Nov 26, 2014)

andrewm659 said:


> How would you configure it if you wanted each jail to have a routable interface on the same network as the host?  This is where i'm getting confused.


Define a free IP address to your jail.

You can add the device to the IP address:


```
ip4.addr = re0|192.168.11.20/24;
```

Another option would be to define the interface:


```
export jail_web_interface="re1"
```


----------



## andrewm659 (Jul 9, 2015)

ok, would re1 be my virtual interface?

```
root@host:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:d1:a2:fb
        inet 10.150.1.90 netmask 0xffffff00 broadcast 10.150.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo10: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.150.1.201 netmask 0xffffff00
        inet 10.150.1.202 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@host:~ #
```


----------



## wlanboy (Jul 9, 2015)

andrewm659 said:


> ok, would re1 be my virtual interface?


Why not?


----------



## andrewm659 (Jul 10, 2015)

Well from your previous post it looks like re1 would be physical interface....or would it?  I mean it could really be either.  So my thought process says to add it like you would to a virtual hosted apache instance.  Where you apply the IP address to the virtual host and continue to use the mgmt IP to get into the main server.  Am I right in this being the way I want to go?  Is there something I need to do to the routing on the local server?  I am still new to FreeBSD.  I like it.  it forces me to learn. 

Thanks in advance!


----------



## wlanboy (Jul 11, 2015)

andrewm659 said:


> Well from your previous post it looks like re1 would be physical interface....or would it?  I mean it could really be either.  So my thought process says to add it like you would to a virtual hosted apache instance.  Where you apply the IP address to the virtual host and continue to use the mgmt IP to get into the main server.  Am I right in this being the way I want to go?  Is there something I need to do to the routing on the local server?  I am still new to FreeBSD.  I like it.  it forces me to learn.
> 
> Thanks in advance!


I would not use any real network device for vms.

Look at my tutorial at the section of this code:


```
gateway_enable="YES"
cloned_interfaces="lo10"
ifconfig_lo10_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo10_alias1="inet 10.10.10.10 netmask 255.255.255.0"
```

That will create a virtual network. alias0 is for the host, additional aliases for the vms.

After that you can use pf to forward ports.


The section with following code will guide you:


```
# nat jail traffic
nat pass on $external_if from $NET_JAIL to any -> $IP_PUBLIC

# web forward
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port $PORT_WWW -> $IP_JAIL_WWW
```

So all vms can access the internet but the port 80 of the host is forwarded to the vm.

Basically the same setup as the IPv6 providers. One public IP for all vms.


----------



## Abdussamad (Jul 11, 2015)

How would you rate freeBSD jails compared to other OS level virtualization in terms of security? For example compared to LXC/docker and OpenVZ


----------



## wlanboy (Jul 11, 2015)

Abdussamad said:


> How would you rate freeBSD jails compared to other OS level virtualization in terms of security? For example compared to LXC/docker and OpenVZ


That is all about fancy names and marketing. 

They all do solve different problems. The root of all solutions is chroot.

Chroot does have its flaws but mainly because it was built just to change the "root tree" of the filesystem. No virtual network and no separate process views and other main levels of virtualization.

That's not bad because chroot started in 1982...

The real virtualization started with FreeBSD Jails and LXC. Both had in mind to make use of userspace isolation to provide another layer of security.

Back to the features:


FreeBSD Jails:
- Stable - since BSD 4.2
- Well documented
- still evolving
- ezjail tool to help setup
- rctl for resource limits
- sysctl to limit actions of root
- ZFS file system to easily clone jails
- Hierarchical jails
- Handling of linux userspace
- Own network stack with vnet
- nullfs to link local folders to a jail

LXC
- New tech built into the kernel -> no patching
- GID and UID mapping within containers
- Unprivileged containers
- kernel namespaces - cool for storage - not so cool for networks
- cgroups for resource limits
- Great API (Docker)

Docker
- Great API
- Based on LXC (kernel namespaces and cgroups)

For me Jails and LXC have a nice feature set and are working well on every machine.


The lean approach based on kernel functionality made both solutions rock solid.


----------



## wlanboy (Aug 3, 2015)

Update for current FreeBSD version - some parts are now easier.

```
freebsd-update fetch
freebsd-update install

pkg install nano
pkg install lighttpd
pkg install bash
pkg install ezjail
pkg install py27-fail2ban
```

Now "pkg install" is the default to install precompiled packages. These are all the packages used in the tutorial.

Notes on fail2ban - now fully supported by pf.

Add a custom jail definition for fail2ban:

```
nano /usr/local/etc/fail2ban/jail.d/ssh-pf.local
```

```
[ssh-pf]
enabled = true
filter = sshd
action = pf
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600
```

nano /usr/local/etc/fail2ban/action.d/pf.conf (only tablename is important to set)

```
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
tablename = fail2ban
```

```
nano /etc/pf.conf
```

```
external_if="vtnet0"

table <fail2ban> persist
block quick proto tcp from <fail2ban> to $external_if port ssh
```

Important note: set correct external_if name
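Putting the tutorial's jail NAT and port-forward rules together with the fail2ban table from this update, as an added example (not the author's configuration): a default-deny /etc/pf.conf that replaces the demo-only `pass in` / `pass out`. The public address is a placeholder, and using the host's lo10 alias 10.10.10.1 as the only source allowed to ssh into the jail is an assumption.

```pf
# Added example: /etc/pf.conf combining the tutorial's jail NAT/rdr rules with
# the fail2ban table, under a default-deny policy instead of "pass in"/"pass out".
external_if="vtnet0"            # the interface with the public address
jail_if="lo10"                  # cloned loopback carrying the jail aliases
IP_PUBLIC="203.0.113.10"        # placeholder, replace with the real public IP
IP_HOST_JAILNET="10.10.10.1"    # alias0 on lo10, used by the host itself
IP_JAIL_WWW="10.10.10.10"       # alias1, the web jail
NET_JAIL="10.10.10.0/24"
PORT_WWW="{ 80, 443 }"

table <fail2ban> persist        # filled by the fail2ban pf action (pfctl -t fail2ban -T add)

set skip on lo0
scrub in all

# jails reach the internet through the public address
nat pass on $external_if from $NET_JAIL to any -> $IP_PUBLIC
# only the web ports are forwarded into the jail; its sshd on 10.10.10.10 stays internal
rdr pass on $external_if proto tcp from any to $IP_PUBLIC port $PORT_WWW -> $IP_JAIL_WWW

# default deny, logged; banned hosts are dropped before anything else matches
block log all
block quick proto tcp from <fail2ban> to any port ssh

# the host itself may go out anywhere
pass out on $external_if keep state
# inbound services on the host: ssh only
pass in on $external_if proto tcp from any to $IP_PUBLIC port ssh keep state
# jail administration: ssh into the jail over the lo10 alias, from the host only
pass on $jail_if proto tcp from $IP_HOST_JAILNET to $IP_JAIL_WWW port ssh keep state
```

ICMP is not passed by this ruleset; add a `pass inet proto icmp` rule if ping or path-MTU discovery is needed. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.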


----------

