How to really add a plugin to WordPress manually

You’d have thought that a google search for “manually add plugin to WordPress” would turn up lots of articles on how to do this, but, er, no. They all seem to tell you to log in to the site and do this or that on the GUI. That’s not doing it manually – it’s using the GUI. If the GUI doesn’t work, then you need to do it manually. Here’s how:

The method is actually simple if you remember it. You download the plugin from the site (e.g. https://wordpress.org/plugins/) and you’ll end up with a DOS/Windows .ZIP file. Unpack this any way you wish and you’ll get a directory with some file in it. As a sanity check, one of these files will have the same name as the directory, but ending in .php.

Take this whole directory and copy it to /wp-content/plugins. That’s the directory – not the files in the directory.

That’s it. You’re done. It’ll appear in the plugins dashboard.

Wicked Parents let Kid Survive on Walkers Crisp Diet!

If the parents have done anything wrong it’s going public, putting themselves in the firing line for abuse from the ignorant. This may seem a simple case of bad parenting to people who know very little about mental illness or children.

The fact is that when a child (or adult) has it in their head that they’ll only accept certain things as food you have no choice but to give it to them. No choice apart from force feeding, that is. And force feeding someone in that condition isn’t going to cure them off it; make them worse more likely.

And while we’re at it, don’t think of blaming the parents for allowing their child to get into this mental state. It happens in the “best” of families and in otherwise perfectly normal adults.

Sometimes we call a firmly held belief in something that isn’t true, based on available evidence, psychosis. But we’re not consistent. In fact, certain groups see such beliefs as virtuous. A believer in the existence of a supreme being is described as pious. Fringe political group work on conspiracy theory too, sometimes breaking their nonsense into mainstream thought. We know communism doesn’t work, but some will keep the red flag flying based on all sorts of excuses that it just hasn’t been done right before.

Meanwhile another group have convinced themselves that Covid-19 is some kind of hoax. It’s a widespread problem, and not just in uneducated communities; a quick look at the evidence is all you need to prove otherwise, but using selection they can make a case that’s good enough for them.

If your misplaced belief has an appropriate number of adherents it becomes a religion or political movement, and gets equal air time on the BBC. People use the idea that if others agree with them, they must be right and no contrary evidence is considered. It was probably made up by those seeking to undermine the “truth” anyway.

If, however, you alone believe there are aliens living in the house next door, you have a psychotic disorder.

So, before we jump to conclusions about mental illness, and in particular psychotic beliefs, perhaps we should first evaluate what we believe against the evidence.

Christmas Come Early for Scammers – Thanks Microsoft

As a reminder that Microsoft never lets security considerations get in the way of a Good Idea, it’s emailed 50,000 gift cards to random addresses it has on file. To quote:

To help spread holiday cheer, Microsoft Store has surprised a total of 50,000 U.S. customers with virtual gift cards via email. 25,000 customers will receive a $100 Microsoft Gift Card while 25,000 others will receive a $10 Microsoft Gift Card ahead of this holiday season. These randomly selected recipients can redeem their gift card on Microsoft Store through December 31, 2021 and spend it within 90 days of redemption

Publications in the US are advising punters to check their spam folder in case they’ve got an e-voucher for free Microsoft goodies. Presumably these email address are of lusers with a Microsoft account of some kind.

With the media coverage starting to appear in the US, anyone phishing for Microsoft account credentials now has the perfect social engineering exploit, available between now and the New Year. Nice one Microsoft.

Let’s have a serious talk about lorry drivers.

Every news outlet and fool politician is banging on about the idea that Brexit has led to a shortage of 100,000 lorry drivers in the UK. This story is too good to check for those still smarting over the lost referendum, or have some other axe to grind. Unfortunately for them, I have checked the story, and it’s a pretty shabby state of affairs.

Let’s start with this figure of 100,000. It comes from the Road Haulage Association, a lobby group. And they claim to have calculated it.

When pushed, it all gets a bit vague, and it might surprise you to know that they were claiming a shortage of 50,000 in 2015 – before anyone had heard of Brexit. They always claim a shortage of about this number. They say it was calculated by surveying their members, and other means – such as looking at vacancies. They also subtract the number of drivers registered with them from the number of lorries registered with the DVLA and add that. Seriously.

Tesco has recently stated it needs another 800 drivers. A quick look at their staff vacancies adverts shows they’re actually looking for just three.

Richard Walker from Iceland, another arch-Europhile, has taken the opportunity to get his mug into newspapers by talking about “Cancelling Christmas”. This is the same Richard Walker who gets publicity for environmental initiatives yet flies around in a private helicopter.

The Road Haulage Association will also tell you there are about 600,000 lorry drivers in the UK. The Office for National Statistics, which knows what people do for a living, reckons there are half that number. Again, the RHA is counting the wrong thing – HGV licenses. Just because someone has an HGV license it doesn’t mean they’re actually a lorry driver. Many people, myself included, have one so I can hire a lorry when I need one – such as for transporting stuff to Scout camps. At the time I got it, the cost was £70. It’s not unreasonable to want to drive something large privately.

Another group with HGV licenses are firemen. Those big red things they drive around in are too big to be classified as cars, so they do the HGV test. I believe Princess Anne had one once, so she could drive large horse boxes.

So I’m not going to take anything the Road Haulage Association takes seriously until they use better methods for obtaining their statistics. It’s almost as if they had an agenda. Actually… it’s a lobby group and its head – Richard Burnett – is a long-time campaigner against Brexit (and by extension the present government).

So what is the truth of the matter if you go to a sober source such as the ONS for figures? There is indeed a shortage of HGV drivers – they say the number has dropped by 55,000 in the last 18 months, of which 47,000 were the last year. However, this isn’t caused by Brexit. In Q2 2020 there were 25,000 EU drivers working in Britain; a year later there are 24,350. This is about the same as the 2015 figure. There was, however, a blip in numbers, peaking at 42,460 – and that happened after Brexit. This fell as drivers returned home during the pandemic; boring but true. And it’s only a minor factor in the current shortage. About 12,500 lost drivers out of 55,000 (18%) were EU nationals. Every country across Europe is reporting similar shortages, apart from Romania as far as I can tell. They’re also complaining in the USA; as far away from Brexit as you can get.

In reality, far the largest drop in working driver numbers comes from retirement – or more accurately leaving to find other jobs. It’s as simple and boring as that. But the story doesn’t end there, as it’s also been claimed that more people are retiring than passing tests. Unfortunately the figures don’t bear this out either.

In 2010-2014 there were 15,500 new licenses issued, with 7500 retiring. In the second half of the decade there were 25,500 new licenses and 8600 retiring. The fact is that there are 230,000 licensed drivers under the age of 45 alone in the UK who are choosing not to drive commercially. They’ve got fed up and taken other jobs, or are using the license privately. The average age of British lorry drivers is now about 55, clearly pointing to trouble ahead.

If you want to figure out what’s going on behind the headlines, and the Twitter experts who have never even driven a lorry in their lives, you eventually end up following the money. In this case the RHA (a lobby group, remember) is making the case for the government to favour their sector. Of course they’re going to highlight any problem, and demand the government does something about it – and more specifically, throw money at it. The thing is that the logistics industry hires their own strategic planners; experts in the field of logistics. They should have seen this coming and done something about it, instead of bleating for the government to bail them out now.

The truth may be simple; if the pay and conditions for lorry drivers were better, more people would do it. And that’s entirely up to the logistics companies to solve. Some have undoubtedly been using cheap foreign labour in the last few years, which has gone home during the pandemic – and they’re the ones that have been hit the worst. And now they want the taxpayers to bail them out for having treated their drivers badly.

Update

Now we’re being told that 5000 visas are being made available to hire in foreign drivers. That’s great. But why would foreign drivers from the EU even want to work here? There’s a shortage across Europe, and they have better conditions working there. France, Germany and Belgium have laws that mean drivers don’t have to work on Sundays. And if you’ve ever compared a French and British transport cafes, the continentals win hands-down.

Update 2

So now Richard Burnett (RHA) has started panic buying of fuel by claiming there was going to be a shortage due to the lack of tanker drivers, and the hysterical media has picked it up. I’m sure the timing has nothing to do with the Labour Party conference.

Sources:

All figures in this article come from the Office for National Statistics, the Road Haulage Association or European/American government sources. I’ll make the ONS spreadsheets (the reliable stuff) available when I can figure out how.

A solution to the Scottish Nationalism problem

Salmond and Sturgeon: What is the controversy all about? - BBC News

Nationalism is like religion; it’s a matter of emotion rather than logic. Occasionally it make sense to create a new country as a means of protecting a race of people from racist attitudes found elsewhere, but other than that, there’s very little point in having new countries.

National identity is an emotional lever used by scoundrels to control populations throughout history. In western Europe it’s taken over from religion as the best way to manipulate the emotions of a population, and it’s seldom used for good.

The National Socialists in Germany use racism and nationalism to unite the population for a common purpose. Britain used nationalism to stand up against fascism, rather than joining what was a European movement. Germany, Italy and Spain were fully fascist. France was largely fascist (although airbrushed from history after the war). Belgium and Holland were inconsequential.

So nationalism has its uses, but more often these uses are evil.

Nationalism doubtless played its part in the Brexit debate. The UK was half-in the EU and voted for full-out. Was this a tribal desire to avoid be subsumed into a forthcoming European super-state for emotional reasons, or a distrust of the “former” European fascists and communists? Probably a bit of both.

And this brings us to Scottish Nationalism. This is very different from Brexit. Scottish independence is about a major change to the status quo. Brexit was about future direction; the status quo wasn’t on the ballot as the EU is mutating; expanding its powers and geography. It wasn’t what we signed up for in 1975.

The Scottish Nationalists want a self-governing Scotland based on communist principles. Scottish politics is like that. Whether they’re rational or not isn’t the question here; the situation exists and a high proportion of the people living there want this at an emotional level; pathos trumps logos.

So what is the rest of the UK to do about this? We had a once-and-for-all referendum to settle the question in 2014, during which the Cameron government basically bribed the Scottish people with disproportionate funding and won the day. (The people of England, who had to pick up the tab, weren’t consulted).

Broadly speaking the main political parties are split. The Conservative and Unionist party, to give them their full name, is obviously unionist on principle. The Labour party is less sure. Blair started the process towards independence (termed “devolution”) for Wales, Scotland and Northern Ireland in 1997, as soon as he came to power. Or was this an electoral bribe that went wrong? You’d have to think Blair pretty stupid and reckless if that were the case, although this has been said of him in other areas.

Either way, both Cameron and Blair tried to buy off the nationalists one way or another, and it has simply emboldened them. Being granted and losing a referendum changed nothing.

We need a new plan. It would be possible for England to say simply say “We’ve had enough – get into line or leave”. The Conservatives won’t do that, and Westminster in general recoils at the idea of an English a referendum on splitting from Scotland as they know what the result would be.

The Conservatives are being governed by noble motives here. It’s obvious that without Scotland they’d have a permanent majority in the House of Commons. It’s equally obvious that Labour would become the permanent opposition, which amply explains their opposition to Scottish independence.

The final point in this preamble brings us back to Brexit, or more specifically the lessons learned. As soon as the result was known, the Remain camp started waving their arms about shouting “The people didn’t know what they were voting for!”

This is true on many levels. Much of Leave was playing the nationalist card, and Remain was telling the world the sky would fall if we left. Both were outright liars. But it was also very true to say that the referendum was a simple in/out question and no one knew what “out” meant. (No one was keen to explain what “in” meant going forward either).

To those of us watching this disaster, and the ensuing years of recrimination, it was obvious that an in/out referendum was a spectacularly bad idea and should never have taken place. People really didn’t know what they were voting for; they assumed we’d have a trading deal with the EU, and this was the key. Remain said it was impossible. Leave said it was inevitable. No one knew.

So, another Scottish Independence referendum like the 2014 one is clearly a bad plan. There are two possible outcomes:

Leave: Years of argument about the terms and what to do next.

Stay: Years or argument for another bite of the cherry.

Here’s a better way.

If the Westminster government was smart it could deal with this by playing the Nationalists at their own game. Grant them another referendum, but not on independence. Give the Nationalists three years to negotiate an independence treaty, and one with the EU while they’re at it. Then put that treaty to a referendum.

My guess would be that simple-minded nationalism may melt away when the reality of what they’re being sold sinks in. The Scottish people are being sold a pig in a poke right now.

As part of the deal to hold a referendum, Westminster should withdraw the bribes given by Cameron in 2014. Scotland should get its fair share of funding, and not a penny more. The Nationalists deny they’re being subsidised, so how could they object?

If Scotland would really be better off independent from the UK then fair enough. However, there are plenty of people in Scotland who don’t want a communist-inspired local government, or haven’t realised it yet, and the UK has a duty to protect them.

The Scottish Nationalists don’t think ahead, so the UK should force them to explain to the people of Scotland exactly what they’d be voting for if they chose independence. The Nationalist voters aren’t going to listen to the facts from anyone else. It’s easy to sell flag-waving nationalism; less easy to sell economic reality.

Minecraft server in a FreeBSD Jail

You may have no interest in the game Minecraft, but that won’t stop people asking you to set up a server. Having read about how to do this on various forums and Minecraft fan sites (e.g. this one) I came to the conclusion that no one knew how to do it on current FreeBSD. So here is how you do it, jailed or otherwise.

First off, there isn’t a pre-compiled package. The best way to install it is from the ports, where it exists as /usr/ports/games/minecraft-server

Be warned – this one’s a monster! Run “make config-recursive” first, or it’ll go on stopping for options all the way through. Then run “make install”. It’s going to take quite some time.

The first configuration option screen asks if you want to make it as a service or stand-alone. I picked “service”, which sets up the start-up scripts for you but doesn’t actually tell you it’s done it. It does, however, stop it trying to run in graphics mode on your data centre server so I’m not complaining too much.

The good news is that this all works perfectly in a jail, so while it’s compiling (it could be hours) you can set up the required routing, assuming you’re using an internal network between jails – in this case 192.168.2.0/24. Using pf this will look something like:

externalip="123.123.123.123"
minecraft="192.168.2.3"
extinterface="fx0"
scrub in all
nat pass on $extinterface from 192.168.2.0/24 to any -> $externalip
rdr pass on $extinterface proto tcp from any to $externalip port 25565 -> $minecraft
rdr pass on $extinterface proto tcp from any to $externalip port
{19132,19133,25565} -> $minecraft

And that’s it. You’re basically forwarding on TCP and three UDP ports. If you’re not using a jail, you obviously don’t need to forward anything. For instructions on setting up jails properly, see here, and for networking jails see elsewhere on this blog.

One thing that’s very important – this is written in Java, so as part of the build you’ll end up with OpenJDK. This requires some special file systems are mounted – and if you’re using a jail this will have to be in the host fstab, not the jails!

# Needed for OpenJDK
fdesc /dev/fd fdescfs rw 0 0
proc /proc procfs rw 0 0

If you’re using a jail, make sure the jail definition includes the following, or Java still won’t see them:

mount.devfs;
mount.procfs;

Once you’ve finished building you might bet tempted to follow some of these erroneous instructions in forums and try to run “minecraft-server”. It won’t exist!

To create the basic configuration files run “service minecraft onestart”. This will create the configuration files for you in /usr/local/etc/minecraft-server. It will also create a file called eula.txt. You need to edit this change “eula=false” to “eula=true”.

You can make the minecraft service run on startup with the usual “minecraft_enable=yes” in /etc/rc.conf

And that’s really it. There are plenty of fan guides on tweaking the server settings to your requirements, and they should apply to any installation.

This assumes you’re handy with FreeBSD, understand jails and networking; if you’re not so handy then please leave a comment or contact me. Everyone has to start somewhere, and it’s hard to know what level to pitch instructions like this. Blame me for assuming to much!

Nominet EGM, March 2021

Members of the UK’s domain registry, Nominet, have called an EGM to get rid of most of the governing board. After fighting tooth and nail, chairman
Russell Haworth resigned yesterday (Sunday), but other controversial board members remain.

Unusually for me, this year’s report will be updated live. But you’ll have to refresh your browser manually!

Note that this is paraphrased!

The argument is over the direction of Nominet. When it was founded, the idea was for it to take over from the Naming Committee and run the UK’s top level DNS servers. The Naming Committee was overwhelmed, and it was felt reasonable that a new organisation could take over the work, funded by a small fee for new registrations.

This was inevitably going to lead to a surplus income, which was supposed to be distributed for the public benefit, keeping reasonable reserves in case of major court cases.

In 2006 Nominet altered it’s remit to allow other activities, which I warned about at the time. It turns out I was right (as usual), and in the intervening years the board diversified into such things as self-driving cars and subsidising a cyber-security business, in competition with some of the members who were paying for it. Network Solutions all over again.


Mark Wood opens, and acknowledges that the board hasn’t been listening to members. Grateful to Russell Howarth for driving growth.

Invited Simon Blackler to speak for a few minutes. Mark Wood says he declined.

Now going to member’s questions, starting with those sent in advance.

Question: Why has the board predicted chaos if the board changes?

James Bladel: It will, indeed, fall apart without the experience of the existing board. As the board has prevented the second motion to appoint a new board, it will delay reforms.

Question: The campaign by the board has been dirty. How will you heal the rift.

Rob Binns: “We will continue an open dialogue” and make sure there is a meaningful two-way dialogue.

Question: Ester. Why was second resolution (Appoint new directors) blocked?

James Bladel: Don’t ask me – ask Roy. But we have established processes, so we’re not going to make an exception just because the members vote to have one.

Question: What are the chances of the government stepping in and resulting in a price rise?

Steven Page: There is a possibility, but we don’t know for sure. “Nominet is at the heart of digital Britain”. Sounds to me like a FUD pitch.

He’s just suggested the NHS might collapse if the board is removed, as Nominet is critical infrastructure.

Question: Why were Registry Advisory Council idea underway before the EGM?

Ellie: We wanted to find another way to get feedback. She described it as a “registry business”.

Question: What are the board’s future plans depending on whether the resolution passes or not?

Rob Binns: “As a board we will lay out a process that will drive that engagement” regardless of the outcome.

If the motion passes (board half fired) we will have a focus on stability.

Questions: What justifies huge increases in board remuneration.

Mark Wood: Our strategy was to diversify into alternative revenue streams as a hedge against possible income decline. Stated that costs would increase (but didn’t explain why).

Jane Tozer: We take the pay issue seriously, so we’ve frozen it. Our executive team has outperformed on its targets. Appears to be reading a written statement. It benchmarks pay against similar sized technology companies. (Odd, as these are profit driven – Nominet is supposed to be running a DNS).

Question: What is the cross-subsidy between domains and cybersecurity?

Ellie: We’re not cross-subsidising.

Question: One of the problem is lack of engagement. Would the board introduce members meetings?

Anne Taylor: As a board want to export all ways of engaging. It was a bad move to shut down the forum.

David Thornton: Shutting down the forum was inflammatory but needed a re-vamp.

Question about discounts for .co.uk and .uk together. Irrelevent.

Question: Why has it taken so long to realise members are not happy?

Mark Wood: We’ve missed some signals. Simon Blackler has run a good campaign and raised a lot of issues. We want to make these changes and accelerate them.

Question: Will be bring back member engagement lunches.

Ellie: Yes, stuff like that. “We’re going to need to find more ways to get the views of the network”.

Question: Why can’t we hear from Simon Blackler?

Mark Wood: It’s not a debate; it’s a company EGM. Simon Blackler declined to speak.

Question: Has the current board makeup been complicit in side-lining members’ decent?

James Bladel: I don’t think this has really happened as we have vigorous debates on the board.

Question: What’s Russell’s status right now?

Mark Wood: Russell actually stood down from the board on Sunday. (Subsequently confirmed that the registration was accepted).

Question: About CNI status.

Stephen Page: We’re not, but we’re looking at what would happen if were were designated as such. It could push up our costs. It depends which part of the regulatory system takes us on. We hope it won’t increase prices.

Question: If the broad is critical, what is the plan if anything happened to it?

Rob Binns: Yes, we have a contingency plan. The motion is to remove various members of the board. We’d have to think about how we’d manage that. In any scenario we’ll continue with improved engagement. Didn’t explain what the plan was.

Question: Similar to previous on member engagement.

Mark Wood: Repetitive waffle. Sounds like they’re talking out more difficult advance questions.
James: Bladel: More repetitive waffle. Absolutely nothing that hasn’t been said before. “We need to focus on the future.” “Rebuild relationship”.

Mark Wood: Largest turnout in Nominet’s history. As the whole board has said, Nominet will change as a result of this. I believe it will be easier if we don’t change the board. Closing the member forum was a mistake. We’ll find new and better ways.

We also need to bring the government into management of Nominet as a stakeholder. Nominet delivers brilliant service, does an important job, and does very well.

Don’t Do This To Fix Slow WiFi

Have you seen adverts like this popping up on dodgy web sites? If you’ve ever clicked on one, you go to a page where someone explains that ISPs are deliberately slowing down people’s internet connections, but for £50 they’ll sell you a miracle box that will thwart your ISP’s attempt do to this.

It is, of course, complete garbage. What they’re actually selling is a generic Chinese WiFi repeater, which they’re calling a WiFi Blast. Whether this will help with anything is debatable; but it might.

What a WiFi repeater does is act as an intermediate station between two others – i.e. your current wireless AP and the thing you’re trying to connect. If the distance is too far for the signal to propagate, the relay sits in the middle where it can see both ends, and passes the messages back and forth.

Unlike normal radio repeaters, a WiFi repeater is going to be half duplex, as it’s not going to be able to transmit and listen at the same time – the input would be swamped. This is obviously going to be slower than a direct connection, but it’s useful to cover long distances.

Whether it’s useful to get through walls is highly debatable. RF propagation is a funny thing. Run a wire instead.

The sales pitch likely breaches dozens of different advertising laws. But if you’re determined to buy one anyway, they’re about £10 on Amazon. Repeaters do have their uses, including linking a wired ethernet device to WiFi, but changing the speed of your Broadband by some miracle isn’t one of them. And no, I don’t get a kick-back if you buy one through this link.

USB Ethernet on FreeBSD

Why would you even want to cripple your network connection by using USB instead of a proper NIC? Well if you have no free PCIe slots you might have to, as is the case if you’re using a very small computer as a router/gateway.

But why would you use a small computer as a FreeBSD router? Well FreeBSD doesn’t keep crashing like the purpose-built routers we all know and hate. Yes, that’s right – you can use FreeBSD in your router and it won’t crash. Having to turn your network router on/off periodically is, it turns out, entirely optional.

So back to these small computers: the problem is they tend to have but one Ethernet port, and no slots to add a second. They do tend use USB as the only way of expanding the hardware. But assuming you don’t have a crazy fast WAN you can still get away with a USB network adapter on that. Perhaps don’t bother using a bunch of them to make a switch though, but for a single second port and not much else going on, it works just fine.

But here’s the thing – FreeBSD doesn’t support USB3 Ethernet chips very well. In fact the only one I know of is the ASIX88179, and there are mixed reports about how well this works these. I’ve ordered one to take a look at.

In the mean time, the smart money is on USB2; and although you can get 1Gb USB2->Ethernet chips, a quick calculation will show you can’t do a sustained 1Gb transfer through it. But if your WAN is <100Gbs, this won’t actually matter.

There are, fortunately, plenty of USB2->100baseT chips to choose from, and these are the safest options. I’ve extracted this list from the documentation:

ADMtek AN986 Pegasus
ASIX AX88172,AX88178,AX88772,AX88772A,AX88772B and AX88760
CATC EL1210A (10Mb only!)
Kawasaki LSI KL5KLUSB101B
RealTek RTL8150
SMSC LAN95xxx
Davicom DM9601

I’ll be doing some experiments with a few of these to see which work best, but if you’ve got any further information please comment!

Incidentally, thus far I’ve been happy with ASIX chips. That said, I’ve not tested them, or the others, to their limits yet. They do seem stable though.

Networking FreeBSD Jails

Or port forwarding to a jail

I’ve already explained how easy FreeBSD jails are to set up and use without resorting to installing heavy management tools, but today I thought I’d add a bit about networking. Specifically, how do you pass traffic arriving on a particular port to a service running inside a jail?

It’s actually very easy. All you need is a very local network inside FreeBSD, natted to the one outside.

Suppose you have your jail.conf set up as per my previous article. Here’s an excerpt:

tom { ip4.addr = 192.168.0.2 ; }
dick { ip4.addr = 192.168.0.3 ; }
harry { ip4.addr = 192.168.0.4 ; }

The defaults were set earlier in the file; the only thing that’s unique about each jail is the IP4 address and the name. What I didn’t say at the time was that 192.168.0.0 could have been on an internal network.

To define your local network just define it in rc.conf:

cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-14/28"

This creates another local loopback interface and assigns a range of IPv4 addresses to it. This can be as large as you wish, but I’ve defined 1..14 (with appropriate subnet mask) because they’ll be listed every time you run ifconfig!

Next you’re going to need something to do the natting. pf us your friend. Enable it in rc.conf too:

pf_enable="yes"

And you’ll need an /etc/pf.conf file to do the magic. I like pf – it’s easier for my brain to understand than most. Here’s an example file:

PUB_IP="192.168.1.217"
INT="bge0"
JAIL_NET="192.168.0.0/24"
TOM="192.168.0.2"
DICK="192.168.0.3"
HARRY="192.168.0.4"
scrub in all
nat pass on $INT from $JAIL_NET to any -> $PUB_IP
block on $INT proto tcp from any to $PUBIP port 111
rdr pass on $INT proto tcp from any to $PUBIP port 3306 -> $TOM
rdr pass on $INT proto tcp from any to $PUBIP port {21,80,443} -> $DICK
rdr pass on $INT proto tcp from any to $PUBIP port 81 -> $HARRY port 80

So what’s going on?

I’ve used a few macros. PUB_IP is your public IP address, and INT is the interface it’s on. pf may figure some of this out, but I’m being explicit.

TOM, DICK and HARRY are the IPv4 addresses of the jails.

Next I’m scrubbing all interfaces (normally a good idea, but you don’t have to). But the next line is important – it uses nat to allow stuff on your jail network to talk to the outside world.

The following line is where you might want to block more stuff – in this case NFS on port 111. Then we’re back to jail things for the final three lines. They’re pretty self-explanatory, but here’s an explanation anyway.

Let’s say the tom jail is running a MariaDB server on port 3306. The first line takes anything arriving on port 3306 and sends it to tom’s jail IP. Simple. It can reply because of the nat line earlier.

dick is running a web and ftp server, so ports 21,80 and 443 are sent there. The pf syntax lets you do nice stuff like this with the {..}

Finally we come to harry. Here we’re running an http server on port 80, but to make it accessible externally we’re mapping it to port 81 as otherwise it would clash with dick. In other words, if you don’t specify a destination port in the redirect it will assume the same as the source port.

And that’s it! When you jail is started you will see an interface lo1 with the IP address defined in /etc/jail.conf and assuming you have something sensible in /etc/resolv.conf you’ll have a jail that looks like it’s running behind a NAT router with port forwarding.

Of course, if you don’t need to map a jailed service to an external IP address, don’t! Jails can access services on each other using their own virtual network.