System Configuration—Jails

The big exception is the RPC portmapper, which is used for the NFS protocol. Since there is no easy way to force the portmapper to listen on only one IP address, this protocol should be completely disabled on the host server. This means that your host operating system cannot act as an NFS server or an NFS client. In order to disable the RPC portmapper, the following line should be added to /etc/rc.conf:

    rpcbind_enable="NO"

Once you finish modifying the daemon configuration, you should verify that the network daemons are bound to a single address using the sockstat(1) utility:

    # sockstat -4l
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
    root     sendmail   1611  3  tcp4   127.0.0.1        *:*
    root     inetd      1562  5  tcp4   10.0.0.1:21      *:*
    root     inetd      1562  6  udp4   10.0.0.1:69      *:*
    root     sshd       832   3  tcp4   10.0.0.1:22      *:*

Starting the Jail

Now your system is ready for the initial configuration of the jail. This can be done using the jail(8) utility. The jail(8) utility requires at least four parameters on the command line: the jail's path on the file system, the jail's hostname, the jail's IP address, and the command that you want to run inside the jail.

In order to start the jail manually for the first time, you should run the following command:

    # jail /usr/jails/webserver1 webserver1 10.0.0.2 /bin/sh

This command runs the Bourne shell inside your jail. From here, whatever you do affects your jail only. To verify that you are actually inside the new jail, use the following command:

    # uname -a
    webserver1

There are a few steps that should be taken before the jail is ready to roll:

• Set up /etc/rc.conf so the jail does not configure the network interface. The following line should be added to /etc/rc.conf:

      network_interfaces=""

• Set up your DNS servers in /etc/resolv.conf so that name resolution works correctly inside the jail.

• Set the time zone using the tzsetup(8) utility.
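The sockstat(1) check above is easy to eyeball on a small host but tedious to repeat after every configuration change. The following script is an added example, not part of the book, that automates it: it reads the text format of `sockstat -4l` and flags any daemon whose local address is the wildcard (`*` or `0.0.0.0`), since such a daemon would also answer on every jail's IP address. The sample output embedded in the script is constructed for the example and deliberately contains two offenders (a wildcard-bound sendmail and a still-enabled rpcbind); the function names are the author's own.

```shell
#!/bin/sh
# Added example: detect host daemons bound to a wildcard address.
# Input is the text produced by `sockstat -4l` on FreeBSD (columns:
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS).
# The sample below is constructed for this example; rpcbind and a
# wildcard-bound sendmail are included on purpose as the "bad" cases.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   1611  3  tcp4   *:25             *:*
root     inetd      1562  5  tcp4   10.0.0.1:21      *:*
root     inetd      1562  6  udp4   10.0.0.1:69      *:*
root     rpcbind    700   6  udp4   *:111            *:*
root     sshd       832   3  tcp4   10.0.0.1:22      *:*'

# wildcard_listeners: filter sockstat text on stdin, printing
# "COMMAND PROTO LOCAL_ADDRESS" for every socket bound to any address.
# NR > 1 skips the header line, whose "LOCAL ADDRESS" is two words.
wildcard_listeners() {
    awk 'NR > 1 && ($6 ~ /^\*:/ || $6 ~ /^0\.0\.0\.0:/) { print $2, $5, $6 }'
}

# count_wildcard: number of wildcard listeners in the given sockstat text.
count_wildcard() {
    printf '%s\n' "$1" | wildcard_listeners | wc -l | tr -d ' '
}

# check_host_binding: return 0 when every listener is bound to a specific
# address, 1 otherwise (the offenders are written to stderr so the
# administrator knows which rc.conf or inetd.conf entry still needs work).
check_host_binding() {
    offenders=$(printf '%s\n' "$1" | wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf 'daemons listening on a wildcard address:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# On a real host run: check_host_binding "$(sockstat -4l)"
if check_host_binding "$SAMPLE_SOCKSTAT"; then
    echo "all listeners are bound to a specific address"
else
    echo "fix the daemons above before starting jails"
fi
```

Run it on the host, not inside a jail, after every change to /etc/rc.conf or /etc/inetd.conf; a clean run (exit status 0) is the condition the text asks you to verify before starting the first jail.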