.

pxe/.ssh/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAGJkR8PJBp68y44o4H44HueSGYbyg1+8VJP43YEj4M7ssKagMTH5QQEifU1gepdLgoK7mr+9yLpNXUlzT56FOcpQ3cyjPtp58N3384FrewAgiyA2dqwSxN/UsPXXA5F88HxcuhKXfEZgugC92W3LL8/U8dC/nSwj1hFVjWf75OpXqTjJFaBKhVYDjo75OfkzIwWQLmrFO/VF9TmA41eRn/yXZs+S504iVV+0dK6MgkN5FJoPj+XsKNr1pgQTIn63AtdLB2wW4gafWTQI6SMBYUPkfcrFdLR73+g2+IOSiLdB37us2XXtwHw1shJwLlz0j+1EVjZjOFAWILDNwrzJt ahlawat@ahlawat.com

pxe/exports

@@ -0,0 +1,3 @@
+/mnt/ship/pxe/FreeBSD11 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD12 -alldirs -maproot=root
+/mnt/ship/pxe/FreeBSD13 -alldirs -maproot=root

pxe/fstab.11

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.10.10:/mnt/ship/pxe/FreeBSD11       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

pxe/fstab.12

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.10.10:/mnt/ship/pxe/FreeBSD12       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

pxe/fstab.12p

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.10.10:/mnt/ship/pxe/FreeBSD12p       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

pxe/fstab.13

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.10.10:/mnt/ship/pxe/FreeBSD13       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

pxe/fstab.13p

@@ -0,0 +1,3 @@
+# Device		Mountpoint	FStype	Options		Dump	Pass#
+192.168.10.10:/mnt/ship/pxe/FreeBSD13p       /         nfs      rw        0    0
+fdescfs /dev/fd  fdescfs  rw  0  0

pxe/iscsi.conf.11

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.10.10
+	TargetName      = iqn.nas.ahlawat.com:f11
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

pxe/iscsi.conf.12

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.10.10
+	TargetName      = iqn.nas.ahlawat.com:f12
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

pxe/iscsi.conf.12p

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.10.10
+	TargetName      = iqn.nas.ahlawat.com:f12p
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

pxe/iscsi.conf.13

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.10.10
+	TargetName      = iqn.nas.ahlawat.com:f13
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

pxe/iscsi.conf.13p

@@ -0,0 +1,7 @@
+t0 {
+	TargetAddress   = 192.168.10.10
+	TargetName      = iqn.nas.ahlawat.com:f13p
+	AuthMethod      = CHAP
+	chapIName       = user
+	chapSecret      = secretsecret
+}

pxe/iscsid

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD: releng/12.1/libexec/rc/rc.d/iscsid 298514 2016-04-23 16:10:54Z lme $
+#
+
+# PROVIDE: iscsid
+# REQUIRE: NETWORK lockd
+# BEFORE:  DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="iscsid"
+desc="iSCSI initiator daemon"
+rcvar="iscsid_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_modules="iscsi"
+
+load_rc_config $name
+run_rc_command "$1"

pxe/loader.conf

@@ -0,0 +1 @@
+if_bnxt_load="YES"

pxe/rc.conf

@@ -0,0 +1,26 @@
+cloned_interfaces_sticky="YES"
+cloned_interfaces="bridge1 bridge2 bridge11 bridge12"
+ifconfig_bridge1="ether random addm bge0 up"
+ifconfig_bridge2="ether random addm bge1 up"
+ifconfig_bridge11="ether random addm bnxt0 up"
+#ifconfig_bridge12="ether random addm bnxt1 up"
+ifconfig_bnxt0="up"
+ifconfig_bnxt1="up"
+#
+#on lab17:
+#ifconfig_bnxt0="inet 10.0.11.17/24 up"
+#ifconfig_bnxt1="inet 10.0.12.17/24 up"
+#
+#on lab18:
+#ifconfig_bnxt0="inet 10.0.11.18/24 up"
+#ifconfig_bnxt1="inet 10.0.12.18/24 up"
+
+rpcbind_enable="YES"
+rpc_lockd_enable="YES"
+rpc_statd_enable="YES"
+
+sshd_enable="YES"
+
+iscsid_enable="YES"
+iscsictl_enable="YES"
+iscsictl_flags="-Aa"

pxe/resolv.conf

@@ -0,0 +1,7 @@
+# Generated by resolvconf
+search diyit.org
+nameserver 192.168.10.5
+nameserver fd01::5
+nameserver fd02::5
+nameserver fd05::5
+nameserver fd09::5

pxe/root/create.sh

@@ -0,0 +1,174 @@
+#!/usr/local/bin/bash
+
+# Copyright (c) 2018-2021, diyIT.org
+# All rights reserved.
+#
+# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
+# https://diyit.org/license/
+#
+#
+
+JAIL=$1
+JAILHOSTNAME=$2
+JAILDOMAIN=$3
+JAILIP=$4
+JAILUSER=$5
+JAILUSERID=$6
+JAILUSERVNC=$7
+
+: "${JAIL:?Need to specify JAIL - first parameter}"
+: "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
+: "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
+: "${JAILIP:?Need to specify JAILIP - fourth parameter}"
+: "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
+: "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p OR 2002 for r}"
+: "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"
+# user p and r are diyit deployment specific
+
+# there are cases where you may only want an IPv4 jail
+I6CONFIG=true
+
+I4NW="192.168.10"
+I6NW="fd0a"
+I4GW="192.168.10.5"
+I6GW="fd0a::5"
+I4NS="192.168.10.5"
+I6NS="fd0a::5"
+# these IP spaces are diyit deployment specific
+
+echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
+
+# cant install packages during jail creation because ipfw blocks all network traffic
+#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
+#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
+#rm /tmp/pkg-$JAIL.json
+
+if $I6CONFIG; then
+	iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+	# iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+    # iocage cannot set static IP AND enable SLAAC temporary properly
+    iocage exec $JAIL 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
+    iocage exec $JAIL "sysrc rtsold_enable=YES"
+    iocage exec $JAIL "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
+    iocage exec $JAIL "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
+    iocage exec $JAIL "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
+else
+	iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" defaultrouter=$I4GW resolver="nameserver $I4NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
+fi
+
+iocage exec $JAIL "sysrc firewall_enable=YES"
+iocage exec $JAIL "sysrc firewall_type=open"
+iocage exec $JAIL "sysrc firewall_logif=YES"
+iocage exec $JAIL "service ipfw restart"
+
+# jail is already up at this point so configure IPv6 manually for this run
+iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
+
+iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
+if $I6CONFIG; then
+	iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
+fi
+
+iocage exec $JAIL "mkdir -p /mnt/certs"
+iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
+iocage exec $JAIL "mkdir -p /mnt/config"
+iocage fstab -a $JAIL /root/FreeBSD/jails/config/$JAIL /mnt/config nullfs rw 0 0
+iocage exec $JAIL "mkdir -p /var/db/freebsd-update/files"
+iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files nullfs rw 0 0
+iocage exec $JAIL "mkdir -p /mnt/common"
+iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
+
+# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
+iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
+iocage exec $JAIL "resolvconf -u"
+
+iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
+iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
+
+iocage exec $JAIL "[ -f /mnt/config/freebsd-update.conf ] && cp /mnt/config/freebsd-update.conf /etc/ || cp /mnt/common/freebsd-update.conf /etc/"
+
+iocage exec $JAIL "env ASSUME_ALWAYS_YES=YES pkg bootstrap"
+iocage exec $JAIL "pkg update -f"
+iocage exec $JAIL "pkg upgrade -y"
+iocage exec $JAIL "pkg install -y bash bash-completion nano"
+
+iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local/etc/ || cp /mnt/common/nanorc /usr/local/etc/"
+iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
+
+#iocage exec $JAIL "passwd root"
+iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
+iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
+
+iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"
+
+iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /root/ || cp /mnt/common/.dir_colors /root/"
+
+iocage exec $JAIL "mkdir /root/.ssh"
+iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /root/.ssh/ || cp /mnt/common/authorized_keys /root/.ssh/"
+iocage exec $JAIL "chmod 600 /root/.ssh/authorized_keys"
+
+iocage exec $JAIL "[ -f /mnt/config/sshd_config ] && cp /mnt/config/sshd_config /etc/ssh/ || cp /mnt/common/sshd_config /etc/ssh/"
+iocage exec $JAIL "sysrc sshd_enable=YES"
+iocage exec $JAIL "/etc/rc.d/sshd start"
+iocage exec $JAIL "service sshd restart"
+
+iocage exec $JAIL "cd /etc/mail ; make"
+iocage exec $JAIL "bash /mnt/common/snip-sendmail.sh"
+iocage exec $JAIL "sysrc sendmail_enable=NO"
+iocage exec $JAIL "sysrc sendmail_outbound_enable=NO"
+iocage exec $JAIL "sysrc sendmail_submit_enable=YES"
+iocage exec $JAIL "sysrc sendmail_msp_queue_enable=YES"
+iocage exec $JAIL "cd /etc/mail ; make all install"
+iocage exec $JAIL "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
+iocage exec $JAIL "/usr/bin/newaliases"
+iocage exec $JAIL "service sendmail start"
+iocage exec $JAIL "service sendmail restart"
+
+# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
+iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
+
+if [ "$JAILUSER" != "X" ]; then
+
+	iocage exec $JAIL "pkg install -y sudo"
+
+	iocage exec $JAIL "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d /home/$JAILUSER -s /usr/local/bin/bash"
+
+	iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /home/$JAILUSER/ || cp /mnt/common/.bash_profile /home/$JAILUSER/"
+	iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.bash_profile"
+
+	iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /home/$JAILUSER/ || cp /mnt/common/.dir_colors /home/$JAILUSER/"
+	iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.dir_colors"
+
+	iocage exec $JAIL "mkdir /home/$JAILUSER/.ssh"
+	iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /home/$JAILUSER/.ssh/ || cp /mnt/common/authorized_keys /home/$JAILUSER/.ssh/"
+	iocage exec $JAIL "chmod 600 /home/$JAILUSER/.ssh/authorized_keys"
+	iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
+
+	iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
+	echo "set ssh password for $JAILUSER"
+	iocage exec $JAIL "passwd $JAILUSER"
+
+    if $JAILUSERVNC; then
+        iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
+        #firefox and other X apps require dbus
+        iocage exec $JAIL "sysrc dbus_enable=YES"
+        iocage exec $JAIL "service dbus start"
+        iocage exec $JAIL "mkdir -p /home/$JAILUSER/.vnc"
+    	iocage exec $JAIL "[ -f /mnt/config/secret/passwd ] && cp /mnt/config/secret/passwd /home/$JAILUSER/.vnc/ || cp /mnt/common/secret/passwd /home/$JAILUSER/.vnc/"
+    	iocage exec $JAIL "[ -f /mnt/config/xstartup ] && cp /mnt/config/xstartup /home/$JAILUSER/.vnc/ || cp /mnt/common/xstartup /home/$JAILUSER/.vnc/"
+        iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER"
+    	iocage exec $JAIL "[ -f /mnt/config/vncserver ] && cp /mnt/config/vncserver /usr/local/etc/rc.d/vncserver || cp /mnt/common/vncserver /usr/local/etc/rc.d/vncserver"
+        iocage exec $JAIL "chmod 555 /usr/local/etc/rc.d/vncserver"
+        iocage exec $JAIL "sysrc vncserver_enable=YES"
+        iocage exec $JAIL "service vncserver start"
+    fi
+fi
+
+iocage exec $JAIL "pkg clean -y"
+iocage exec $JAIL "tzsetup America/Los_Angeles"
+
+# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
+# iocage exec $JAIL "rmdir /mnt/common"
+
+iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with  $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
+# reverse dns should already be configured for the mail server to accept this email

pxe/sshd_config

@@ -0,0 +1,121 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+#	$FreeBSD: head/crypto/openssh/sshd_config 357926 2020-02-14 19:06:59Z emaste $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable PAM authentication
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'no' to disable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#UseBlacklist no
+#VersionAddendum FreeBSD-20200214
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

pxe/sysctl.conf

@@ -0,0 +1,13 @@
+# $FreeBSD: head/sbin/sysctl/sysctl.conf 337624 2018-08-11 13:28:03Z brd $
+#
+#  This file is read when going to multi-user and its contents piped thru
+#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
+#
+
+# Uncomment this to prevent users from seeing information about processes that
+# are being run under another UID.
+#security.bsd.see_other_uids=0
+
+net.link.bridge.pfil_bridge=0
+net.link.bridge.pfil_member=0
+net.link.bridge.pfil_onlyip=0