From e408254448f0d1f64e720bef49fb89b7ea088305 Mon Sep 17 00:00:00 2001 From: pc Date: Sat, 1 Feb 2020 16:06:13 +0000 Subject: [PATCH] Update README --- README.md | 48 ++++++++++++++++++++++++++++++- docs/chapters/subcommands/rdr.rst | 3 +- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9e43fee6..8ea4fc86 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ Available Commands: import Import a specified container. list List containers (running and stopped). pkg Manipulate binary packages within targeted container(s). See pkg(8). + rdr Redirect host port to container port. restart Restart a running container. service Manage services within targeted container(s). start Start a stopped container. @@ -117,13 +118,21 @@ set skip on lo table persist nat on $ext_if from to any -> ($ext_if) -## rdr example +## static rdr example ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 +# Enable dynamic rdr (see below) +rdr-anchor "rdr/*" + block in all pass out quick modulate state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state + +# make sure you also open up ports that you are going to use for dynamic rdr +# pass in inet proto tcp from any to any port : flags S/SA keep state +# pass in inet proto udp from any to any port : flags S/SA keep state + ``` * Make sure to change the `ext_if` variable to match your host system interface. 
@@ -150,6 +159,21 @@ container at `10.17.89.45`. Finally, enable and (re)start the firewall: + ## dynamic rdr anchor (see below) + rdr-anchor "rdr/*" + +The `rdr-anchor "rdr/*"` anables dynamic rdr rules to be setup using the +`bastille rdr` command at runtime - eg. + + bastille rdr --tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail + bastille rdr --udp 2053 53 # Same for udp + bastille rdr --list # List dynamic rdr rules + bastille rdr --clear # Clear dynamic rdr rules + + Note that if you are rediirecting ports where the host is also listening + (eg. ssh) you should make sure that the host service is not listening on + the cloned interface - eg. for ssh set sshd_flags in rc.conf + ```shell ishmael ~ # sysrc pf_enable="YES" ishmael ~ # service pf restart @@ -722,6 +746,28 @@ ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf /tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf ``` +bastille-rdr +------------ + +`bastille rdr` allows yiou to configure dynamic rdr rules for your containers +without modifying pf.conf (assuming you are using the `bastille0` interface +for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf +as described in the Networking section). + +```shell + # bastille rdr --help + Usage: bastille rdr TARGET [--clear] | [--list] | [--tcp ] | [--udp ] + # bastille rdr dev1 --tcp 2001 22 + # bastille rdr dev1 --list + rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22 + # bastille rdr dev1 --udp 2053 53 + # bastille rdr dev1 --list + rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22 + rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53 + # bastille rdr dev1 --clear + nat cleared +``` + bastille update --------------- The `update` command targets a release instead of a container. Because every diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst index 306a58a7..ddb8fccb 100644 
--- a/docs/chapters/subcommands/rdr.rst +++ b/docs/chapters/subcommands/rdr.rst @@ -8,7 +8,8 @@ for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf as described in the Networking section). Note: you need to be careful if host services are configured to run -on all interfaces as by default thsi will +on all interfaces as this will include the jail interface - you should +sepcify the interface they run on in rc.conf (or other config files) .. code-block:: shell
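Review bot: in the README `@@ -117,13 +118,21 @@` hunk, the two commented-out `pass in` rules at the end have lost their port operand (`port : flags S/SA keep state` is not valid pf syntax), so anyone who uncomments them as written gets a parse error on `pfctl -f`; write the port explicitly, matching the dynamic example used later in the patch, and scope the rule to the external interface so the filter opening applies only there, e.g. `# pass in on $ext_if inet proto tcp from any to any port 2001 flags S/SA keep state`. The comment above those lines should also say why they are needed: the static example uses `rdr pass`, which passes the redirected traffic without filter evaluation, whereas rules loaded into the `rdr/*` anchor at runtime do not, so every dynamically redirected port needs its own filter rule. Minor: this hunk quotes the anchor as `"rdr/*"` while the later `bastille-rdr` section writes `'rdr/*'`; pf accepts both, but one spelling is easier to copy and paste.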
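Review bot: in the README `@@ -150,6 +159,21 @@` hunk, the added `## dynamic rdr anchor (see below)` / `rdr-anchor "rdr/*"` lines sit after "Finally, enable and (re)start the firewall:" and are indented four spaces, so in the rendered README they appear as a stray code block between that sentence and the `sysrc pf_enable="YES"` block, detached from the pf.conf example they belong to (which the earlier hunk in this patch already extends with `rdr-anchor "rdr/*"`); drop the duplicate here and un-indent the two explanatory paragraphs so they render as prose rather than code. The four `bastille rdr` examples also omit the TARGET argument that the usage line added later in this same patch requires (`Usage: bastille rdr TARGET [--clear] | [--list] | ...`), so they should read e.g. `bastille rdr dev1 --tcp 2001 22`. Spelling: "anables" -> "enables", "rediirecting" -> "redirecting". The last sentence stops at "for ssh set sshd_flags in rc.conf" without saying what to set it to; finish the thought so the reader knows how to keep the host's sshd off the jail addresses.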
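Review bot: in the README `@@ -722,6 +746,28 @@` hunk, the `Usage:` line has lost the operands of `--tcp` and `--udp` (`[--tcp ] | [--udp ]`), presumably angle-bracket placeholders stripped on the way in; since the examples directly below take two port numbers, it should read along the lines of `[--tcp host_port jail_port] | [--udp host_port jail_port]`. Typo in the first sentence: "yiou" -> "you". The section does not say what `--clear` clears, only the rules for TARGET or everything in the `rdr/*` anchor, and the `nat cleared` output does not settle it; one sentence here would save an operator from guessing on a host with several jails. Finally, the sample output shows the rules attached to `em0`, while the introductory sentence mentions only `bastille0`; state that the redirect is installed on the external interface so the `--list` output is not a surprise.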
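Review bot: the `docs/chapters/subcommands/rdr.rst` hunk fixes "thsi" but introduces a new typo, "sepcify" -> "specify". Since this note is the only place the host-listener risk is explained, it would help to name the check a reader can run before enabling dynamic redirects, e.g. `sockstat -4l` on the host to see which services are bound to `*` rather than to a specific address, and to point at the README's Networking section for the corresponding rc.conf change rather than leaving it at "(or other config files)".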