Jail起動時にepairxaを生成する措置を書く
root@a:~ # diff -u /usr/local/etc/ezjail.org/ns.bak /usr/local/etc/ezjail/ns
--- /usr/local/etc/ezjail.org/ns.bak 2023-03-07 15:45:21.048360000 +0900
+++ /usr/local/etc/ezjail/ns 2023-03-07 15:47:51.446626000 +0900
@@ -30,7 +30,8 @@
 export jail_ns_post_start_script=""
 export jail_ns_retention_policy=""
 export jail_ns_exec_prestart0="ifconfig epair1 create up"
-export jail_ns_exec_poststart0="ifconfig epair1a vnet ns"
-export jail_ns_exec_poststart1="jexec ns /sbin/ifconfig epair1a 192.168.1.1/24"
+export jail_ns_exec_poststart0="jexec ns /sbin/ifconfig epair1a 192.168.2.254/24"
+export jail_ns_exec_poststart0="ifconfig epair1b vnet ns"
+export jail_ns_exec_poststart1="jexec ns /sbin/ifconfig epair1b 192.168.2.1/24"
-export jail_ns_exec_poststart2="jexec ns /sbin/route add default 192.168.1.254"
+export jail_ns_exec_poststart2="jexec ns /sbin/route add default 192.168.2.254"
 export jail_ns_exec_poststop0="ifconfig epair1a destroy"
root@a:~ #
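Review bot: `jail_ns_exec_poststart0` is exported twice on the new side, so the second assignment (`ifconfig epair1b vnet ns`) replaces the first and the `192.168.2.254/24` address is never configured by this file. The overwritten command also runs `ifconfig epair1a` through `jexec ns`, although only `epair1b` is moved into the jail, so `epair1a` presumably has to be addressed from the host. If the host end is meant to be the jail's default gateway and is not configured elsewhere, give it its own slot without `jexec`, for example `export jail_ns_exec_prestart1="ifconfig epair1a 192.168.2.254/24"` in place of the first `poststart0` line. Checking `ifconfig epair1a` on the host after a jail restart would confirm which address actually ends up there.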
Jailは単なるルータとする
root@a:~ # cat /usr/jails/ns/etc/rc.conf firewall_enable="YES" firewall_type="open" root@a:~ #
sshdの起動を追加
root@a:~ # diff -u /usr/jails/ns/etc/rc.conf.bak /usr/jails/ns/etc/rc.conf
--- /usr/jails/ns/etc/rc.conf.bak 2023-03-09 09:32:17.822578000 +0900
+++ /usr/jails/ns/etc/rc.conf 2023-03-08 14:34:57.506350000 +0900
@@ -1,2 +1,3 @@
 firewall_enable="YES"
 firewall_type="open"
+sshd_enable="YES"
root@a:~ #
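Review bot: `sshd_enable="YES"` is added directly beneath `firewall_type="open"`, so the jail's own ipfw passes every packet and nothing inside the jail limits who can reach the new sshd. Access control then rests entirely on the host's rules and on sshd's own configuration. If SSH should only be reachable from an administration network, point the setting at a ruleset file that allows tcp/22 from that network only, e.g. `firewall_type="<RULESET_PATH_PLACEHOLDER>"`. At minimum, record the dependency next to the new line with a comment such as `# sshd exposure is filtered on the host, not by this jail's ipfw`.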
ListenAddressの変更
root@a:~ # diff -u /usr/jails/ns/etc/ssh/sshd_config.bak /usr/jails/ns/etc/ssh/sshd_config
--- /usr/jails/ns/etc/ssh/sshd_config.bak 2023-03-09 09:36:31.888349000 +0900
+++ /usr/jails/ns/etc/ssh/sshd_config 2023-03-08 14:42:08.215268000 +0900
@@ -15,7 +15,7 @@
 #Port 22
 #AddressFamily any
-ListenAddress 192.168.1.1
+ListenAddress 192.168.2.1
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
root@a:~ #
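Review bot: sshd binds `ListenAddress 192.168.2.1` at the moment it starts, but in the ezjail configuration shown on this page that address is put on `epair1b` by a poststart hook, which appears to run only after the jail's own rc scripts have finished. If that ordering holds, sshd may fail to bind at jail start and stay down until it is restarted by hand. A further hook after the address assignment, such as `export jail_ns_exec_poststart3="jexec ns /usr/sbin/service sshd restart"`, would cover it. Only part of sshd_config is visible in this hunk, so authentication settings could not be reviewed here.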
NATルールの変更
root@a:~ # diff -u /etc/ipfw_nat.rules.bak /etc/ipfw_nat.rules
--- /etc/ipfw_nat.rules.bak 2023-03-09 09:49:19.276328000 +0900
+++ /etc/ipfw_nat.rules 2023-03-09 09:41:36.135634000 +0900
@@ -2,7 +2,7 @@
 redirect_port tcp 192.168.1.4:80 80
 redirect_port tcp 192.168.1.5:21 21
 redirect_port tcp 192.168.1.254:22 22
-redirect_port tcp 192.168.1.1:22 22042
+redirect_port tcp 192.168.2.1:22 22042
 redirect_port tcp 192.168.1.2:22 22053
 redirect_port tcp 192.168.1.3:22 22025
 redirect_port tcp 192.168.1.4:22 22080
root@a:~ #
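Review bot: The new `redirect_port tcp 192.168.2.1:22 22042` line forwards the external port to the jail's sshd from any source address; a non-standard port number does not limit who can connect. If logins only come from known addresses and this file is fed to `ipfw nat ... config`, the redirect can carry a remote address as a further field, e.g. `redirect_port tcp 192.168.2.1:22 22042 <ADMIN_IP_PLACEHOLDER>`. Alternatively the host ipfw ruleset can restrict the port. The rest of the NAT and filter configuration lies outside this hunk, so whether such a restriction already exists cannot be told from here.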