FreeBSD 4.x:
-start sysinstall, change the install root to /usr/jail/_world, do a minimum install
-move to /usr/jail/_world
-change etc/rc.conf, etc/ssh/sshd_config and etc/make.conf to remove unnecessary things and set the ip address
-create symlinks to /dev/null for /boot/kernel/kernel and /etc/fstab (inside the jail tree)
-create the jail directory, /usr/jail/www
-move to /usr/jail/_world, do pax -rw -pe . ../www
-move to /usr/jail/www
-change etc/rc.conf and etc/ssh/sshd_config to set the hostname and ip address
-run mount_devfs devfs /usr/jail/www/dev
-run jail /usr/jail/www www.domain.org 192.168.x.x /bin/sh /etc/rc
-set passwd root, add user
-logout
-mkdir usr/ports
-mount_nullfs /usr/ports /usr/jail/www/usr/ports
-login to jail with ssh
-add the applications to run within the jail, like apache, pure-ftpd, etc.
FreeBSD 6.x:
Changes to the /usr/local/etc/rc.d/ezjail.sh script, to have it add/remove the ip address alias automatically when starting/stopping the jail
(replace vr0 with the network card of the server, and the /24 subnet as well if needed):
Add to the eval list in the function do_cmd():
eval ezjail_ip=\"\$jail_${ezjail}_ip\"
just before eval ezjail_rootdir=\"\$jail_${ezjail}_rootdir\"
And change the part after the done command to:
# add the alias ip address
/sbin/ifconfig vr0 inet $ezjail_ip/24 alias
# Pass control to jail script which does the actual work
[ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass}
# extra time for jails to settle
sleep 5
# remove the alias ip address
if [ "${action}" = "stop" ]; then
    /sbin/ifconfig vr0 inet $ezjail_ip/24 -alias
fi
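The same alias handling as a small sh helper, added here as an example (it is not part of the original notes or of ezjail itself): it looks up the jail_<name>_ip variable the way do_cmd() does, adds the alias only on start and removes it only on stop, and lets IFCONFIG be overridden (for instance with echo) to dry-run the commands. The interface, prefix and variable names are assumptions following the ezjail convention.

```shell
#!/bin/sh
# Added example, not from the original notes or from ezjail.
# Assumptions: per-jail address in jail_<name>_ip (ezjail style),
# alias on vr0 with a /24 prefix, IFCONFIG overridable for dry runs.
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
EZJAIL_IFACE=${EZJAIL_IFACE:-vr0}
EZJAIL_PREFIX=${EZJAIL_PREFIX:-24}

# Print the address configured for a jail, e.g. jail_www_ip="192.168.1.10"
# (same indirect eval as the ezjail_ip line added to do_cmd above).
ezjail_lookup_ip() {
    eval echo "\"\$jail_${1}_ip\""
}

# Add the alias on start, remove it on stop, do nothing for other actions.
# Usage: ezjail_alias <start|stop|...> <jailname>
ezjail_alias() {
    action=$1
    name=$2
    ip=$(ezjail_lookup_ip "$name")
    if [ -z "$ip" ]; then
        echo "no ip address configured for jail $name" >&2
        return 1
    fi
    case "$action" in
        start) "$IFCONFIG" "$EZJAIL_IFACE" inet "$ip/$EZJAIL_PREFIX" alias ;;
        stop)  "$IFCONFIG" "$EZJAIL_IFACE" inet "$ip/$EZJAIL_PREFIX" -alias ;;
        *)     return 0 ;;
    esac
}
```

Run it as IFCONFIG=echo before calling ezjail_alias to see the exact ifconfig commands without touching the interface.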
The /etc/rc.conf with port restrictions on the host:
# bind flags, in case inetd, rpcbind or portmap gets started on boot
inetd_flags="-wW -a 192.168.xxx.xxx"
rpcbind_flags="-h 192.168.xxx.xxx"
portmap_flags="-h 192.168.xxx.xxx"
nfs_server_flags="-u -t -n 4 -h 192.168.xxx.xxx"
mountd_flags="-rnp 112"
sendmail_enable="none"
Add rc.conf to /usr/jails/newjail/etc with:
hostname="xxx"
#
sshd_enable="yes"
sendmail_enable="none"
#
Change /usr/jails/newjail/etc/ssh/sshd_config and /etc/ssh/sshd_config to listen only on the assigned ip address:
AddressFamily inet
ListenAddress 192.168.xxx.xxx
Reduce /usr/jails/newjail/etc/motd to only the first line (optional).
Adding packages to the jail
Build a fat jail the traditional FreeBSD way (not with ezjail). Set up make.conf and cvsup for cvs updates to ports, then add the packages with the make package-recursive command. In case a package like djbdns is restricted, comment out the NO_PACKAGE line in the port's Makefile.
On the host:
Replace the usr/ports softlink in the jail with a normal directory, add the packages subdirectory, and mount_nullfs the /usr/ports/packages directory of the host on /usr/jails/-jailname-/usr/ports/packages, or do an nfs mount on /usr/jails/-jailname-/usr/ports/packages if the jail is on another server.
In the jail:
Move to the /usr/ports/packages/All directory and add the package with pkg_add -packagename-.
After the installation unmount the ports directory.
Notes:
Nullfs must be compiled in the kernel or loaded as a module.
When using portupgrade in the jail through a proxy, add:
FETCH_ENV=FTP_PROXY=ftp://proxy:port
to /etc/make.conf.