Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-12 18:09:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

add PATH; improve firewall

Browse Source
This commit is contained in:
Christer Edwards
2019-11-25 15:38:40 -07:00
parent e4c4d0df2e
commit b5c8330502
4 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -94,9 +94,7 @@ First, create the loopback interface:
```shell ```shell
ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0" ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # sysrc ifconfig_bastille0_aliases="inet 10.17.89.1/32"
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
ishmael ~ # ifconfig bastille0 inet 10.17.89.1/32
``` ```
Second, enable the firewall: Second, enable the firewall:
@@ -116,7 +114,8 @@ set block-policy return
scrub in on $ext_if all fragment reassemble scrub in on $ext_if all fragment reassemble
set skip on lo set skip on lo
nat on $ext_if from bastille0:network to any -> ($ext_if) table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45

2
usr/local/bin/bastille
View File

@@ -28,6 +28,8 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
## root check first. ## root check first.
bastille_root_check() { bastille_root_check() {
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then

4
usr/local/share/bastille/start.sh
View File

@@ -67,9 +67,9 @@ for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
## update ${bastille_jail_loopback}:network with added/removed addresses ## update table:jails in firewall with container address
if [ ! -z ${bastille_jail_loopback} ]; then if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf pfctl -t jails -T add $(jls -j ${_jail} ip4.addr)
fi fi
fi fi
echo echo

11
usr/local/share/bastille/stop.sh
View File

@@ -64,13 +64,14 @@ for _jail in ${JAILS}; do
## test if running ## test if running
elif [ $(jls name | grep -w "${_jail}") ]; then elif [ $(jls name | grep -w "${_jail}") ]; then
## remove ip4.addr from firewall table:jails
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -t jails -T delete $(jls -j ${_jail} ip4.addr)
fi
## stop container
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
## update ${bastille_jail_loopback}:network with added/removed addresses
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
fi fi
echo echo
done done