Last active
December 9, 2020 17:54
-
-
Save paulc/79e28a7b4a558001e10cb1851def3bd8 to your computer and use it in GitHub Desktop.
IPv6 Jail
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| allow.set_hostname=false; | |
| allow.raw_sockets; | |
| allow.socket_af; | |
| allow.sysvipc; | |
| allow.chflags; | |
| mount.devfs; | |
| devfs_ruleset = 4; | |
| sysvmsg = new; | |
| sysvsem = new; | |
| sysvshm = new; | |
| enforce_statfs = 2; | |
| children.max = 0; | |
| osrelease = 12.2-RELEASE; | |
| exec.clean; | |
| persist; | |
| host.hostname = "${name}.shell.pchak.net"; | |
| base { | |
| exec.prepare = ""; | |
| exec.prestart = ""; | |
| exec.start = "/bin/sh /etc/rc"; | |
| exec.poststart = ""; | |
| exec.release = "zfs snap zroot/jail/base@$(date +%s)"; | |
| path = "/jail/base"; | |
| ip6.addr = "vtnet0|2a01:4f8:c010:26a1::ffff:1/128"; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| allow.set_hostname=false; | |
| allow.raw_sockets; | |
| allow.socket_af; | |
| allow.sysvipc; | |
| allow.chflags; | |
| mount.devfs; | |
| devfs_ruleset = 4; | |
| sysvmsg = new; | |
| sysvsem = new; | |
| sysvshm = new; | |
| enforce_statfs = 2; | |
| children.max = 0; | |
| osrelease = 12.2-RELEASE; | |
| vnet = new; | |
| exec.clean; | |
| persist; | |
| path = "/jail/${name}"; | |
| $zroot = "zroot"; | |
| $base = "${zroot}/jail/base"; | |
| $subnet = "2a01:4f8:c010:26a1:3000"; | |
| $ip_b = "${subnet}::${id}/96"; | |
| $default_route = "${subnet}::ffff"; | |
| host.hostname = "${name}.shell.pchak.net"; | |
| vnet.interface = "epair${id}b"; | |
| exec.prepare = "zfs clone $(zfs list -Hrt snap -s creation -o name ${base} | tail -1) ${zroot}${path}"; | |
| exec.prestart = "ifconfig epair${id} create"; | |
| exec.prestart += "ifconfig epair${id}a up"; | |
| exec.prestart += "ifconfig bridge0 addm epair${id}a"; | |
| exec.start = "sysrc ifconfig_epair${id}b_ipv6='inet6 ${ip_b}'"; | |
| exec.start += "sysrc ipv6_defaultrouter=${default_route}"; | |
| exec.start += "sysrc sshd_enable=yes"; | |
| exec.start += "sysrc sshd_flags='-o PermitRootLogin=prohibit-password'"; | |
| exec.start += "( umask 077 ; mkdir /root/.ssh; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZuNFcgvSfMVHWjJpDCc1IFgUx2b2impbD+g5hpPJ60 > /root/.ssh/authorized_keys )"; | |
| exec.start += "sh /etc/rc"; | |
| exec.poststart = "printf 'zone-begin --\nzone-set -- %s 30 AAAA %s\nzone-commit --\n' ${name} ${subnet}::${id} | knotc"; | |
| exec.release = "zfs destroy -f ${zroot}${path}"; | |
| exec.release += "ifconfig epair${id}a destroy"; | |
| exec.release += "printf 'zone-begin --\nzone-unset -- %s\nzone-commit --\n' ${name} | knotc"; | |
| j001 { $id = 1; } | |
| j002 { $id = 2; } | |
| j003 { $id = 3; } | |
| j004 { $id = 4; } | |
| j005 { $id = 5; } | |
| j006 { $id = 6; } | |
| j007 { $id = 7; } | |
| j008 { $id = 8; } | |
| j009 { $id = 9; } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Secondary | |
| server: | |
| rundir: "/var/run/knot" | |
| user: knot:knot | |
| listen: [ 2a01:4f8:c010:26a1:1000::1@53 ] | |
| log: | |
| - target: syslog | |
| any: info | |
| database: | |
| storage: "/var/db/knot" | |
| # hmac-sha256:axfr_key:... | |
| key: | |
| - id: axfr_key | |
| algorithm: hmac-sha256 | |
| secret: ... | |
| acl: | |
| - id: acl_notify | |
| address: 2a01:4f8:c010:26a1:1000::1 | |
| key: axfr_key | |
| action: notify | |
| remote: | |
| - id: primary_ns | |
| address: 2a01:4f8:c010:26a1::1@53 | |
| key: axfr_key | |
| zone: | |
| - domain: shell.pchak.net | |
| master: primary_ns | |
| acl: acl_notify |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| zfs_enable="YES" | |
| clear_tmp_enable="YES" | |
| syslogd_flags="-b 127.0.0.1 -b 10.192.0.1 -a 10.192.0.0/10" | |
| sendmail_enable="NONE" | |
| hostname="shell.pchak.net" | |
| ifconfig_vtnet0="DHCP" | |
| sshd_enable="YES" | |
| # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable | |
| dumpdev="AUTO" | |
| hcloud_enable="YES" | |
| sshd_flags="-o PermitRootLogin=prohibit-password -o ListenAddress=shell" | |
| # Ensure default IPv6 interface is configured with prefixlen 128 | |
| ifconfig_vtnet0_ipv6="inet6 2a01:4f8:c010:26a1::1 prefixlen 128" | |
| ipv6_defaultrouter="fe80::1%vtnet0" | |
| # Enable PF | |
| pf_enable="YES" | |
| pflog_enable="yes" | |
| # Enable routing | |
| gateway_enable="yes" | |
| ipv6_gateway_enable="yes" | |
| # Configure NAT64 interfaces/routing | |
| cloned_interfaces="tun0:sticky bridge0" | |
| ifconfig_tun0="inet6 -ifdisabled auto_linklocal up" | |
| ifconfig_bridge0="inet6 2a01:4f8:c010:26a1:3000::ffff/96" | |
| static_routes="nat64_ip4" | |
| ipv6_static_routes="nat64_ip6 nat64_nat" | |
| route_nat64_ip4="-net 192.168.255.0/24 -iface tun0" | |
| ipv6_route_nat64_ip6="-host 2a01:4f8:c010:26a1:2000::1/128 -iface tun0" | |
| ipv6_route_nat64_nat="-net 64:ff9b::/96 -iface tun0" | |
| # Enable tayga | |
| tayga_enable="YES" | |
| tayga_ipv6_addr="2a01:4f8:c010:26a1:2000::1" | |
| knot_enable="YES" | |
| knot_config="/usr/local/etc/knot/knot.conf" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tun-device tun0 | |
| ipv4-addr 192.168.255.1 | |
| ipv6-addr 2a01:4f8:c010:26a1:2000::1 | |
| dynamic-pool 192.168.255.0/24 | |
| prefix 64:ff9b::/96 | |
| data-dir /var/db/tayga |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment