FreeBSD Jail Deployment Notes

References:

FreeBSD Handbook: Chapter 15. Jails

FreeBSD jails with a single public IP address

Install ezjail:

pkg install ezjail

Jail Template Installation:

We’re going to set up a base template for our jails to use.

ezjail-admin install

Enable ezjail on boot:

sysrc ezjail_enable="YES"

Let’s start the ezjail service:

service ezjail start

Create an interface for jails to use:

sysrc cloned_interfaces="lo1"
sysrc ipv4_addrs_lo1="10.60.0.1-9/29"

Bring the interface up:

service netif cloneup

Create a New Jail:

I’m going to be creating a Jail just for security functions, so I’ll be referring to it as security.

ezjail-admin create security 10.60.0.2

Configure pf to allow traffic for the jail:

Add the following to /etc/pf.conf:

jail_if="lo1"
jail_host_ipv4="10.60.0.1"
jail_security_ipv4="10.60.0.2"

To allow outbound network connections from the jails:

nat on $ext_if from $jail_if:network to any -> ($ext_if)

If you need to forward an external port to a service running in the jail, add the following to /etc/pf.conf, with $tcp_port set to the external port (pf requires nat and rdr rules to come before any pass or block rules):

rdr on $ext_if proto tcp from any to $ext_if port $tcp_port -> $jail_security_ipv4

Apply your changes to pf:

service pf restart
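Before restarting pf it is worth linting the jail section, since a mistyped jail_security_ipv4 forwards the port to the wrong host without any error and a nat/rdr line pasted below the filter rules makes pfctl reject the whole file. The script below is an added example, not part of these notes or of ezjail; it assumes the macro names used above plus an ext_if macro, and the sample configs it checks are constructed for the self-test.

```shell
#!/bin/sh
# Added example: lint the jail-related rules in a pf.conf before
# "service pf restart". Macro names jail_if / jail_security_ipv4 / ext_if
# follow the deployment notes; ext_if is assumed to be defined in the file.

# check_pf_jail_conf FILE JAIL_IP -> prints findings, returns 0 only if clean
check_pf_jail_conf() {
    conf="$1"; jail_ip="$2"; rc=0
    # 1. the jail address macro must match the address given to ezjail-admin
    macro_ip=$(awk -F'"' '/^jail_security_ipv4=/ { print $2 }' "$conf")
    [ "$macro_ip" = "$jail_ip" ] ||
        { echo "jail_security_ipv4 is '$macro_ip', jail uses $jail_ip"; rc=1; }
    # 2. outbound NAT for the jail network must exist
    grep -q '^nat on \$ext_if from \$jail_if:network' "$conf" ||
        { echo "no nat rule for \$jail_if:network"; rc=1; }
    # 3. no nat/rdr after the first pass/block (pfctl: "Rules must be in order")
    bad=$(awk '/^(pass|block)/ && !f { f = NR } /^(nat|rdr) / && f { print NR ": " $0 }' "$conf")
    [ -z "$bad" ] || { echo "translation rule after filter rule:"; echo "$bad"; rc=1; }
    return $rc
}

# Constructed sample config (not a real host file) for a self-check.
good_conf() { cat <<'EOF'
ext_if="em0"
jail_if="lo1"
jail_security_ipv4="10.60.0.2"
tcp_port="8443"
nat on $ext_if from $jail_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port $tcp_port -> $jail_security_ipv4
pass out all
EOF
}
# Same rules, but the macro has a typo and the rdr line sits below the
# filter rule: both findings must be reported.
bad_conf() {
    good_conf | awk '!/^rdr /' | sed 's/10.60.0.2/10.60.0.22/'
    good_conf | grep '^rdr '
}

# selftest -> 0 when the linter accepts good_conf and rejects bad_conf
selftest() {
    d=$(mktemp -d); good_conf > "$d/good"; bad_conf > "$d/bad"
    g=0; check_pf_jail_conf "$d/good" 10.60.0.2 >/dev/null || g=1
    b=0; check_pf_jail_conf "$d/bad"  10.60.0.2 >/dev/null || b=1
    rm -r "$d"
    [ "$g" -eq 0 ] && [ "$b" -eq 1 ]
}
```

Run it as `check_pf_jail_conf /etc/pf.conf 10.60.0.2` after editing the file; a non-zero exit means fix the listed finding before `service pf restart`.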

Set up /etc/resolv.conf:

cp /etc/resolv.conf /usr/jails/security/etc/resolv.conf

Start the jail:

ezjail-admin start security

Access the Jail:

Run the following command to get a shell in the jail:

ezjail-admin console security

Written on February 26, 2021