Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-10 17:09:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update README

Browse Source
This commit is contained in:
pc
2020-02-01 16:06:13 +00:00
parent f65fe999cc
commit e408254448
2 changed files with 49 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
README.md
View File

@@ -55,6 +55,7 @@ Available Commands:
import Import a specified container.
list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rdr Redirect host port to container port.
restart Restart a running container.
service Manage services within targeted container(s).
start Start a stopped container.
@@ -117,13 +118,21 @@ set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example
## static rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
# Enable dynamic rdr (see below)
rdr-anchor "rdr/*"
block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
# make sure you also open up ports that you are going to use for dynamic rdr
# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
```
* Make sure to change the `ext_if` variable to match your host system interface.
@@ -150,6 +159,21 @@ container at `10.17.89.45`.
Finally, enable and (re)start the firewall:
## dynamic rdr anchor (see below)
rdr-anchor "rdr/*"
The `rdr-anchor "rdr/*"` anables dynamic rdr rules to be setup using the
`bastille rdr` command at runtime - eg.
bastille rdr <jail> --tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
bastille rdr <jail> --udp 2053 53 # Same for udp
bastille rdr <jail> --list # List dynamic rdr rules
bastille rdr <jail> --clear # Clear dynamic rdr rules
Note that if you are rediirecting ports where the host is also listening
(eg. ssh) you should make sure that the host service is not listening on
the cloned interface - eg. for ssh set sshd_flags in rc.conf
```shell
ishmael ~ # sysrc pf_enable="YES"
ishmael ~ # service pf restart
@@ -722,6 +746,28 @@ ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
/tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf
```
bastille-rdr
------------
`bastille rdr` allows yiou to configure dynamic rdr rules for your containers
without modifying pf.conf (assuming you are using the `bastille0` interface
for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
as described in the Networking section).
```shell
# bastille rdr --help
Usage: bastille rdr TARGET [--clear] | [--list] | [--tcp <host_port> <jail_port>] | [--udp <host_port> <jail_port>]
# bastille rdr dev1 --tcp 2001 22
# bastille rdr dev1 --list
rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
# bastille rdr dev1 --udp 2053 53
# bastille rdr dev1 --list
rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
# bastille rdr dev1 --clear
nat cleared
```
bastille update
---------------
The `update` command targets a release instead of a container. Because every

3
docs/chapters/subcommands/rdr.rst
View File

@@ -8,7 +8,8 @@ for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
as described in the Networking section).
Note: you need to be careful if host services are configured to run
on all interfaces as by default thsi will
on all interfaces as this will include the jail interface - you should
sepcify the interface they run on in rc.conf (or other config files)
.. code-block:: shell