mirror of
https://github.com/BastilleBSD/bastille.git
synced 2025-12-11 09:29:55 +01:00
docs: Clarify what the host does in different network scenarios
@@ -12,29 +12,46 @@ Bastille includes a number of IP options.
The IP address specified above can be any of the following options.
1. An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail).
It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP.
* An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP.
2. DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only
be used with -V and -B.
* DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only be used with `-V` and `-B`.
3. Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add
this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you
can use the `bastille rdr` command.
* Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you can use the `bastille rdr` command.
4. Any IP in your local subnet without the -V or -B options will add the IP as an alias to the selected interface, which
will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr`
command. Traffic will pass in and out just as in a VNET jail.
* Any IP in your local subnet without the `-V` or `-B` options will add the IP as an alias to the selected interface, which will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr` command. Traffic will pass in and out just as in a VNET jail.
5. Setting the IP to `inherit` will make the jail inherit the entire
host network stack.
* Setting the IP to `inherit` will make the jail inherit the entire host network stack.
6. Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option
and should only be used if you know what you are doing.
* Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option and should only be used if you know what you are doing.
Note that jails support specifying an IP without the subnet (/24 or whatever yours is) but we highly recommend setting it, especially
on VNET jails. Not doing so can cause issues in some rare cases.
Bastille also supports IPv6. Instead of an IPv4 address, you can specify and IPv6 address when creating a jail to use IPv6. It is also possible to use both by quoting and IPv4 and IPv6 address together as seen in the following example.
.. code-block:: shell
bastille create alcatraz 13.2-RELEASE "192.168.1.50/24 2001:19f0:6c01:114c:0:100/64" vtnet0
For the `inherit` and `ip_hostname` options, you can also specify `-D|--dual` to use both IPv4 and IPv6 inside the jail.
Host Network Configuration
--------------------------
Bastille will automatically add and remove IP addressess to specified interfaces as jails are started and stopped. Below is an outline of how Bastille handles different types of jail network configs.
* VNET mode. For VNET jails (non-bridged) bastille will create a bridge interface and attach your jail to it. It will be called `em0bridge` or whatever your interface is called. This will be used for the host/jail epairs. Bastille will create/destroy these epairs as the jail is started/stopped.
* Bridged VNET mode. For bridged VNET jails, you must manually create a bridge interface to attach your jail to. Bastille will then create and attach the host/jail epairs to this interface when the jail starts, and remove them when it stops.
* Alias mode. For classic/standard jails that use an IP that is accessible within your local subnet (alias mode) bastille will add the IP to the specified interface as an alias.
* NAT mode. For classic/standard jails that use an IP not reachable in you local subnet, bastille will add the IP to the specified interface as an alias, and additionally add it the the pf firewall table to allow the jail outbound access. If you do not specify an interface, Bastille will assume you have run the `bastille setup` command and will attemplt to use `bastille0` (which is created using the setup command) as it's interface. If you have not run `bastille setup` and do not specify an interface, Bastille will error.
* Inherit mode. For classic/standard jails that are set to `inherit` or `ip_hostname`, bastille will simply set `ip4` to `inherit` inside the jail config. The jail will then function according the jail(8) documentation.
* ip_hostname mode. For classic/standard jails that are set to `ip_hostname`, bastille will simply set `ip4` to `ip_hostname` inside the jail config. The jail will then function according the jail(8) documentation.
Network Scenarios
-----------------
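Review bot: the Inherit mode bullet in the new Host Network Configuration section contradicts the ip_hostname bullet right after it: it says jails set to `inherit` or `ip_hostname` get `ip4` set to `inherit`, while the next bullet says `ip_hostname` jails get `ip4` set to `ip_hostname`; drop "or `ip_hostname`" from the Inherit mode bullet, and since the paragraph above says `-D|--dual` enables IPv6 for these two modes, state what `ip6` is set to when that flag is given. The new "Network Scenarios" heading is added with nothing under it even though the commit title promises to clarify those scenarios; either add the scenarios in this change or leave the heading out until they exist. In the VNET mode bullet, "It will be called `em0bridge` or whatever your interface is called" reads as if the bridge might be named the same as the interface; say it is named after the interface, e.g. `em0bridge` for `em0`. Spelling in the added lines: "whaterver" and "It you want" are carried over from the old numbered items into the new bullets, and the NAT mode bullet introduces "in you local subnet", "add it the the pf firewall table", "attemplt" and "it's interface"; also "addressess" in the section intro, "according the jail(8) documentation" in both the Inherit and ip_hostname bullets, and "specify and IPv6 address" / "quoting and IPv4 and IPv6" in the IPv6 paragraph (should be "an").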