Tuesday, 26 May 2009

Easy Jailing with The (PC-BSD) Warden

I've been looking at a neat little program that is part of PC-BSD called The Warden. With this program it is very easy to set up and manage FreeBSD jails. The Warden supports pre-packaged software, called Inmates, that can be installed into jails. In this example I will be using the Joomla Inmate package, which installs Joomla, Apache, MySQL and PHP in a short space of time.

Installing The Warden

The Warden is installed on PC-BSD via the PBI system. Once The Warden .pbi file has been downloaded to the computer, it is a simple matter of double clicking the file, which will ask to be run as root. You will need to enter your root password so the package has permission to install, and then click OK.

The PBI package installation will now start with an install wizard that will be familiar to Windows users. You will be asked to pick an installation directory; most people will be happy with the default directory and should just click Next. However, if you wish, you can change the directory here.

After this you can pick whether you want an entry in the start menu or an icon on the desktop. Most people will want both installed, so they can just leave the default setting and click Next. After this the install process is finished and the installer will exit.

Running The Warden

The Warden can be run from the desktop or the application menu. It will ask for root privileges, as without them you'll be unable to use the software correctly.

In the first part of creating a new jail, shown below, you have to enter the IP address that the jail will be available from. The system source and ports tree may be required for some jails; they can be installed from the system components tab of the Software & Updates tool.

The final part of the jail setup requires the root user password and the normal user name and password. The normal user is used to access the jails as the root account can't be accessed directly by remote hosts.

Autostart is an important feature that starts the jail when the system boots, which is very useful. The autostart feature is not dependent on the GUI for its operation. Inmate files (.wit files) can be installed into an existing jail by right clicking the jail and selecting the install Inmate option. Working jails can also be exported to a .wdn file for transfer between systems by right clicking the jail and selecting the export to .wdn file option.

When installing an Inmate file to a jail, it may ask you for some additional setup stages, as shown below.

The jail acts just like a separate networked system that is accessible by a separate IP address from the base system. To access the programs that are in the jail you need to connect to the IP address you entered when you set up the jail.

The default configuration of PC-BSD 7.1 blocks all incoming traffic (except Samba), so there is no need to worry about external access. External network access is detailed in a section below. Below is an image of a client accessing the jailed web server running Joomla! from the base system.

Configuring Remote Access

As the default firewall configuration in PC-BSD is set to only allow incoming Samba file sharing traffic and to permit all outgoing traffic, we must allow ports through to get access from other computers. Thanks to the firewall configuration program in the KDE system settings this is very simple. You only need to create rules to permit access to services that you need to be accessible over the network. In my example I permitted both port 80 (HTTP) and port 22 (SSH). Remember to restart the firewall after making any changes. After restarting the firewall you should be able to access jailed services over your local network.
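To confirm from another machine on the LAN that the new rules expose only what was intended, here is a small check, added as an example and not part of the original post. The jail address 192.168.1.50 is a constructed placeholder, and port 3306 (MySQL's default, installed by the Joomla Inmate but never opened above) is an assumption about what should stay closed.

```python
import socket
import sys

# Ports the article opens on purpose: 22 (SSH) and 80 (HTTP).
EXPECTED_OPEN = {22, 80}
# Assumption: MySQL from the Joomla Inmate listens on its default port 3306,
# which the firewall rules above never permit.
SHOULD_STAY_CLOSED = {3306}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit_jail(host, expected_open=EXPECTED_OPEN,
               should_stay_closed=SHOULD_STAY_CLOSED, timeout=2.0):
    """Compare what is reachable on the jail IP with what was intended."""
    ports = set(expected_open) | set(should_stay_closed)
    state = {p: port_open(host, p, timeout) for p in ports}
    return {
        "unreachable": sorted(p for p in expected_open if not state[p]),
        "exposed": sorted(p for p in should_stay_closed if state[p]),
    }


def report(host, result):
    """Turn an audit result into human-readable lines."""
    lines = [f"{host}:{p} should be open but is not reachable"
             for p in result["unreachable"]]
    lines += [f"{host}:{p} is reachable but was never meant to be exposed"
              for p in result["exposed"]]
    return lines or [f"{host}: exposure matches the intended rules"]


if __name__ == "__main__":
    # Constructed example address; pass the real jail IP as the first argument.
    jail_ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    for line in report(jail_ip, audit_jail(jail_ip)):
        print(line)
```

Run it before and after restarting the firewall: an "unreachable" line for 22 or 80 usually means the restart was missed, while an "exposed" line means a rule is broader than intended.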

Manual Installation in Jails

The jail can be accessed by SSH with the normal user account created when the jail was made, which can be used as a limited account or used to elevate to the root account. From the root shell, programs can be installed and configured through the standard FreeBSD tools. More information on installation of programs in this manner can be found here.

Conclusion

The Warden/FreeBSD Jails is one of the reasons that I use PC-BSD/FreeBSD. One possible use on the desktop would be a web application developer who wants to keep all the server programs out of the base system and possibly share access with a friend they don't fully trust. I use The Warden for a similar role personally, and I like the fact that at any point I can just stop, move or delete the jail to make the services go away.

The Warden GUI makes the FreeBSD jails technology more accessible to users on the desktop, and there is little reason not to use it if you're setting up a server for your network. If you are a bit paranoid about security this may help you sleep at night. Overall I was impressed with the simplicity of using the software, with the initial importing of the Inmate file the only issue that came up. However, I would like to see a little more visual feedback in the output, particularly in the creation of jails. I would be happy to recommend The Warden to other security-minded friends who are starting with BSD.


Reader Comments (1)

I have had problems with warden in pcbsd galileo

January 15, 2010 | Unregistered CommentersAfOrAs
