Here is one of the way that you can create a FreeBSD locked out environments, independent from your main system. You can use it to create some more complex environments.
Our jails will be placed in /usr/jails. Lets create first one, that we call WWW
# mkdir /usr/jails/WWW
# mkdir /usr/jails/WWW/usr/ports
Next step will be coping all nessesery files from our main system to our new jail:
# cd /usr/src
# make distribution DESTDIR=/usr/jails/WWW
# make installworld DESTDIR=/usr/jails/WWW
After we have all files, we will neet procfs and devfs and the ports tree. It will give our system all that we need.
# mount -t procfs procfs /usr/jails/WWW/proc
# mount -t devfs devfs /usr/jails/WWW/dev
# mount_nullfs /usr/ports/jails/WWW/usr/ports
Now we can go and configure our new jail. Main jail config file is /etc/rc.conf and we need to start our jail when the system is booting up.
...
jail_set_hostname_allow="YES"
jail_socket_unixproute_only="YES"
jail_socket_unixiproute_only="YES"
jail_list="WWW"
jail_WWW_rootdir="/usr/jails/WWW/"
jail_WWW_hostname="example-WWW"
jail_WWW_ip="172.16.50.10"
jail_WWW_exec_afterstart0="apachectl start"
jail_sysvipc_allow="YES"
jail_procfs_enable="YES"
jail_devfs_enable="YES"
...
And our configuration is ready. Now we set up services that we want inside our jail, for example ssh deamon. Just go and edit /usr/jails/WWW/etc/rc.conf and set this:
sshd_enable="YES"
That will allow us to log in to our jail after its boot up. Now go and change sshd config (/usr/jails/WWW/etc/ssh/sshd_config)
ListenAddress 172.16.50.10
PermitRootLogin yes
Last thing is to set the sysctl tweeks for our new WWW jail. These configuration is optional and I'm adding it only for apache2 webserver.
/etc/sysctl.conf
security.bsd.see_other_uids=0
security.jail.sysvipc_allowed=1
#Jail MiB
security.jail.allow_raw_sockets=1
security.jail.enforce_statfs=2
security.jail.sysvipc_allowed=1
security.jail.set_hostname_allowed=1
security.jail.chflags_allowed=1
#no msgbuf for jails
security.bsd.unprivileged_read_msgbuf=0
kern.ipc.shmmax=536870912
kern.ipc.semmap=256
kern.ipc.shm_use_phys=1
kern.ipc.shmall=131072
kern.securelevel=-1
kern.arandom=-239096387025170742
kern.randompid=0
kern.random.yarrow.gengateinterval=10
kern.random.yarrow.bins=10
kern.random.yarrow.fastthresh=192
kern.random.yarrow.slowthresh=256
kern.random.yarrow.slowoverthresh=2
kern.random.sys.seeded=1
kern.random.sys.harvest.ethernet=1
kern.random.sys.harvest.point_to_point=1
kern.random.sys.harvest.interrupt=1
kern.random.sys.harvest.swi=0
net.inet.ip.portrange.randomtime=45
net.inet.ip.portrange.randomcps=10
net.inet.ip.portrange.randomized=1
net.inet.ip.random_id=0
/boot/loader.conf
#Apache2
kern.ipc.semaem=32767
kern.ipc.semvmx=65534
kern.ipc.semusz=184
kern.ipc.semume=80
kern.ipc.semopm=200
kern.ipc.semmsl=120
kern.ipc.semmnu=4096
kern.ipc.semmns=8192
kern.ipc.semmni=32767
kern.ipc.semmap=60
accf_http_load="YES"
After you reboot your system, new jail should bootup as well. If any problems, please look /var/log/jail_WWW_console.log
To check if our jail is running just type
virtual!root(~)# jls
JID IP Address Hostname Path
1 172.16.50.10 WWW /usr/jails/WWW/
virtual!root(~)#
As you can see our jail has JID 1, so its a first jail in our system, another jail restart/reboot will asign another number.
To show all processess in the jail:
virtual!root(~)# pgrep -flj 1
1684 /usr/sbin/cron -s
1677 /usr/sbin/sshd
1477 /usr/sbin/syslogd -s
Init script for starting stoping jails is located here: /etc/rc.d/jail