Packet Filter
Tip
Not all network options have packet filtering as a requirement, so you can skip this section if you are unsure. This section will be mentioned when necessary.
PF
AppJail uses anchors like other applications that use pf(4)
as a backend. Just enable pf(4)
in rc.conf(5)
, put the anchors in the pf.conf(5)
file and reload the rules.
# Enable pf(4):
sysrc pf_enable="YES"
sysrc pflog_enable="YES"
# Put the anchors in pf.conf(5):
cat << "EOF" >> /etc/pf.conf
nat-anchor "appjail-nat/jail/*"
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"
EOF
# Reload the pf(4) rules:
service pf reload
# Or reboot if you don't have pf(4) started:
service pf restart
service pflog restart
Host configuration
Some network options need to forward packets (IPv4) between interfaces, so it is necessary to change some options.
# sysrc
sysrc gateway_enable="YES"
# sysctl
sysctl net.inet.ip.forwarding=1
Default interfaces
Some network options require EXT_IF
and ON_IF
to be set in your AppJail configuration file. AppJail uses EXT_IF
as the external interface that is normally used to obtain its IP address. The firewall uses ON_IF
to operate on this interface.
AppJail obtains the default interface, when EXT_IF
is not configured, from IPv4 routes, if it fails, it tries again using IPv6 routes, if it fails, an error is displayed. If it succeeds, the obtained interface is used. If ON_IF
is not defined, the EXT_IF
value is used.
Some options may use different interfaces if specified by the user.
Tip
It is highly recommended to configure EXT_IF
and ON_IF
to improve performance
and make your environment much more stable.