diff options
author | Ben Burwell <ben@benburwell.com> | 2019-08-05 23:39:28 -0400 |
---|---|---|
committer | Ben Burwell <ben@benburwell.com> | 2019-08-05 23:40:21 -0400 |
commit | 1baf94c686767eea75c551e1ae12c9acfb4fb98c (patch) | |
tree | ef2fabd7b30453d4f51a4a65d0d9b3b87ca18683 | |
parent | 2b8fa7b0266d846c8728a65a9fb0bdefc6d48436 (diff) |
Move FreeBSD posts to blog
-rw-r--r-- | _posts/2018-09-17-freebsd-prologue.md (renamed from freebsd.md) | 104 | ||||
-rw-r--r-- | _posts/2018-09-20-freebsd-jails.md | 79 | ||||
-rw-r--r-- | _posts/2018-10-13-freebsd-jail-networking-continued.md | 24 | ||||
-rw-r--r-- | index.md | 18 |
4 files changed, 120 insertions, 105 deletions
diff --git a/freebsd.md b/_posts/2018-09-17-freebsd-prologue.md index 7ba8995..d31104d 100644 --- a/freebsd.md +++ b/_posts/2018-09-17-freebsd-prologue.md @@ -1,11 +1,8 @@ --- title: Notes on setting up a FreeBSD home server +redirect_from: /freebsd.html --- -# Notes on setting up a FreeBSD home server - -## 2018-09-17: Prologue - A few months ago, I purchased a beefy second-hand tower to act as a home server. I was looking to bring some of the services that I was previously outsourcing into a single location, and to expand my familiarity with networking and systems @@ -21,6 +18,8 @@ administration. Specifically, I wanted to: (I've been playing around with pen testing and trying to learn more about Windows as a part of this). +<!--more--> + My initial solution was to install a free version of VMWare ESXi as a hypervisor and create several virtual machines. It was actually quite easy to get ESXi up and running and start creating VMs. For the past several months, my home network @@ -79,100 +78,3 @@ which will no doubt be helpful in my transition from pfSense to pure pf. I intend to update this page with notes as I continue on my FreeBSD journey. Stay tuned! - -## 2018-09-20: Experiment 1: Jails - -In my preparations for removing ESXi, I tried creating a simple jail on my test -box `helios`. As part of my purpose is to learn as much as possible, I decided -against using a tool like `ezjail` in favor of doing it "by hand." While the -FreeBSD Handbook has some information on creating jails without using additional -tools, pretty much every other document I found suggested using ezjail. There's -a chance I'll revisit ezjail in the future, as it seems to have some helpful -features like having a "base jail" so you only need one copy of the FreeBSD base -system, but for now I'd like to do as much as possible without additional tools. - -My goal for this experiment was to set up a simple web server (nginx) inside a -jail. To start, I edited `/etc/jail.conf` to contain the following: - -``` -www { - host.hostname = www.local; - ip4.addr = 10.0.2.202; - path = "/usr/jail/www"; - exec.start = "/bin/sh /etc/rc"; - exec.stop = "/bin/sh /etc/rc.shutdown"; -} -``` - -Next, I used `bsdinstall(8)` to install the base system instead of compiling -from source: - -``` -root@helios:~ # bsdinstall jail /usr/jail/www -``` - -I then added `jail_enable="YES"` to `/etc/rc.conf` and started the jail: - -``` -root@helios:~ # service jail start www -``` - -This took a few seconds to complete, and then the jail showed up when I ran -`jls`: - -``` -root@helios:~ # jls - JID IP Address Hostname Path - 1 10.0.2.202 www.local /usr/jail/www -``` - -I was able to enter the jail: - -``` -root@helios:~ # jexec www /bin/sh -# -``` - -But I seem not to have Internet connectivity, as attempting to use `pkg-ng` -fails: - -``` -# pkg install nginx -The package management tool is not yet installed on your system. -Do you want to fetch and install it now? [y/N]: y -Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait... -pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure -A pre-built version of pkg could not be found for your system. -Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'. -``` - -Running `ifconfig` inside the jail shows that I do not seem to have an IP -address, nor can I seem to communicate with any hosts. Interestingly when I -attempt to ping my gateway, I get the message: - -``` -ping: ssend socket: Operation not permitted -``` - -Clearly there's something I've not yet figured out. - -## 2018-10-13: Experiment 2: Jail Networking Continued - -I decided to take another crack at the jail configuration I started in -[Experiment 1](#2018-09-20-experiment-1-jails). After reading bits and pieces of -a few random websites (including various ServerFault posts), on an inkling I -added the line `interface = "bge0";` to my `/etc/jail.conf` file and ran -`service jail restart www` (`bge0` is my LAN interface on the host). After -`jexec`ing in, I tried `pkg install nginx` again and it worked like a charm! - -I also noticed that when I run `ifconfig` on my host now, both the original -10.0.2.201 and the jail's 10.0.2.202 addresses had been added to the `bge0` -interface. I wondered whether that meant that I could now SSH into the host -using the jail's IP address. So on my laptop, I ran `ssh bb@10.0.2.202` and lo -and behold, it worked. The opposite, however, is _not_ true: loading -http://10.0.2.201 in a web browser does not give me the beautiful "welcome to -nginx" page that http://10.0.2.202 has. - -I'm sure some trickier stuff will arise when dealing with NAT and multiple -interfaces, but for now I'm satisfied that I have a basic understanding of how -to set up a service in a jail and expose it to the network. diff --git a/_posts/2018-09-20-freebsd-jails.md b/_posts/2018-09-20-freebsd-jails.md new file mode 100644 index 0000000..ad860de --- /dev/null +++ b/_posts/2018-09-20-freebsd-jails.md @@ -0,0 +1,79 @@ +--- +title: "FreeBSD Experiment 1: Jails" +--- + +In my preparations for removing ESXi, I tried creating a simple jail on my test +box `helios`. As part of my purpose is to learn as much as possible, I decided +against using a tool like `ezjail` in favor of doing it "by hand." While the +FreeBSD Handbook has some information on creating jails without using additional +tools, pretty much every other document I found suggested using ezjail. There's +a chance I'll revisit ezjail in the future, as it seems to have some helpful +features like having a "base jail" so you only need one copy of the FreeBSD base +system, but for now I'd like to do as much as possible without additional tools. + +<!--more--> + +My goal for this experiment was to set up a simple web server (nginx) inside a +jail. To start, I edited `/etc/jail.conf` to contain the following: + +``` +www { + host.hostname = www.local; + ip4.addr = 10.0.2.202; + path = "/usr/jail/www"; + exec.start = "/bin/sh /etc/rc"; + exec.stop = "/bin/sh /etc/rc.shutdown"; +} +``` + +Next, I used `bsdinstall(8)` to install the base system instead of compiling +from source: + +``` +root@helios:~ # bsdinstall jail /usr/jail/www +``` + +I then added `jail_enable="YES"` to `/etc/rc.conf` and started the jail: + +``` +root@helios:~ # service jail start www +``` + +This took a few seconds to complete, and then the jail showed up when I ran +`jls`: + +``` +root@helios:~ # jls + JID IP Address Hostname Path + 1 10.0.2.202 www.local /usr/jail/www +``` + +I was able to enter the jail: + +``` +root@helios:~ # jexec www /bin/sh +# +``` + +But I seem not to have Internet connectivity, as attempting to use `pkg-ng` +fails: + +``` +# pkg install nginx +The package management tool is not yet installed on your system. +Do you want to fetch and install it now? [y/N]: y +Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait... +pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure +A pre-built version of pkg could not be found for your system. +Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'. +``` + +Running `ifconfig` inside the jail shows that I do not seem to have an IP +address, nor can I seem to communicate with any hosts. Interestingly when I +attempt to ping my gateway, I get the message: + +``` +ping: ssend socket: Operation not permitted +``` + +Clearly there's something I've not yet figured out. diff --git a/_posts/2018-10-13-freebsd-jail-networking-continued.md b/_posts/2018-10-13-freebsd-jail-networking-continued.md new file mode 100644 index 0000000..9653410 --- /dev/null +++ b/_posts/2018-10-13-freebsd-jail-networking-continued.md @@ -0,0 +1,24 @@ +--- +title: FreeBSD Jail Networking Continued +--- + +I decided to take another crack at the jail configuration I started in +[Experiment 1]({% post_url 2018-09-20-freebsd-jails %}). After reading bits and +pieces of a few random websites (including various ServerFault posts), on an +inkling I added the line `interface = "bge0";` to my `/etc/jail.conf` file and +ran `service jail restart www` (`bge0` is my LAN interface on the host). After +`jexec`ing in, I tried `pkg install nginx` again and it worked like a charm! + +<!--more--> + +I also noticed that when I run `ifconfig` on my host now, both the original +10.0.2.201 and the jail's 10.0.2.202 addresses had been added to the `bge0` +interface. I wondered whether that meant that I could now SSH into the host +using the jail's IP address. So on my laptop, I ran `ssh bb@10.0.2.202` and lo +and behold, it worked. The opposite, however, is _not_ true: loading +http://10.0.2.201 in a web browser does not give me the beautiful "welcome to +nginx" page that http://10.0.2.202 has. + +I'm sure some trickier stuff will arise when dealing with NAT and multiple +interfaces, but for now I'm satisfied that I have a basic understanding of how +to set up a service in a jail and expose it to the network. @@ -5,7 +5,17 @@ title: Ben Burwell # Ben Burwell -- [blog](/posts/) -- [theatre](/theatre.html) -- [freebsd notes](/freebsd.html) -- mail: anything you'd like @benburwell.com +- [Blog](/posts/) +- [Tech theatre](/theatre.html) +- Email: anything @benburwell.com + +**Around the net…** + +- [GitHub](https://github.com/benburwell) +- [Sourcehut](https://git.sr.ht/~benburwell) + +**Projects** + +- [HowToChooseAPassword.com](https://howtochooseapassword.com) +- [PlateZero](https://platezero.com) +- [MedicMate](https://medicmate.io) |