hackacad/usr/local/share/bastille/setup.sh

#!/bin/sh
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Copyright (c) 2018-2025, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

. /usr/local/share/bastille/common.sh

usage() {
    error_exit "Usage: bastille setup [pf|network|zfs|vnet|bridge]"
}

# Check for too many args
if [ $# -gt 1 ]; then
    usage
fi

# Configure bastille loopback network interface
configure_loopback_interface() {
    if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] || ! sysrc -n cloned_interfaces | grep -oq "lo1"; then
        info "Configuring bastille0 loopback interface"
        sysrc cloned_interfaces+=lo1
        sysrc ifconfig_lo1_name="bastille0"
        info "Bringing up new interface: [bastille0]"
        service netif cloneup
        sysrc -f "${BASTILLE_CONFIG}" bastille_network_loopback="bastille0"
        sysrc -f "${BASTILLE_CONFIG}" bastille_network_shared=""
        info "Loopback interface successfully configured: [bastille0]"
    else
        info "Loopback interface has already been configured: [bastille0]"
    fi
}

configure_shared_interface() {
    _interface_list="$(ifconfig -l)"
    _interface_count=0
    if [ -z "${_interface_list}" ]; then
        error_exit "Unable to detect interfaces, exiting."
    fi
    if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_shared)" ]; then
        info "Attempting to configure shared interface for bastille..."
        info "Listing available interfaces..."
        for _if in ${_interface_list}; do
            echo "[${_interface_count}] ${_if}"
            _if_num="${_if_num} [${_interface_count}]${_if}"
            _interface_count=$(expr ${_interface_count} + 1)
        done
        read -p "Please select the interface you would like to use: " _interface_choice
        if ! echo "${_interface_choice}" | grep -Eq "^[0-9]+$"; then
            error_exit "Invalid input number, aborting!"
        else
            _interface_select=$(echo "${_if_num}" | grep -wo "\[${_interface_choice}\][^ ]*" | sed 's/\[.*\]//g')
        fi
        # Adjust bastille.conf to reflect above choices
        sysrc -f "${BASTILLE_CONFIG}" bastille_network_loopback=""
        sysrc -f "${BASTILLE_CONFIG}" bastille_network_shared="${_interface_select}"
        info "Shared interface successfully configured: [${_interface_select}]"
    else
        info "Shared interface has already been configured: ["$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_shared)"]"
    fi

}

configure_bridge() {
    _bridge_name="bastillebridge"
    _interface_list="$(ifconfig -l)"
    _interface_count=0
    if [ -z "${_interface_list}" ]; then
        error_exit "Unable to detect interfaces, exiting."
    fi
    if ! ifconfig -g bridge | grep -oqw "${_bridge_name}"; then
        info "Configuring ${_bridge_name} bridge interface..."
        info "Listing available interfaces..."
        for _if in ${_interface_list}; do
            if ifconfig -g bridge | grep -oqw "${_if}" || ifconfig -g lo | grep -oqw "${_if}"; then
                continue
            else
                echo "[${_interface_count}] ${_if}"
                _if_num="${_if_num} [${_interface_count}]${_if}"
                _interface_count=$(expr ${_interface_count} + 1)
            fi
        done
        read -p "Please select the interface to attach the bridge to: " _interface_choice
        if ! echo "${_interface_choice}" | grep -Eq "^[0-9]+$"; then
            error_exit "Invalid input number, aborting!"
        else
            _interface_select=$(echo "${_if_num}" | grep -wo "\[${_interface_choice}\][^ ]*" | sed 's/\[.*\]//g')
        fi
        # Create bridge and persist on reboot
        ifconfig bridge0 create
        ifconfig bridge0 name bastillebridge
        ifconfig bastillebridge addm ${_interface_select} up
        sysrc cloned_interfaces+="bridge0"
        sysrc ifconfig_bridge0_name="bastillebridge"
        sysrc ifconfig_bastillebridge="addm ${_interface_select} up"

        info "Bridge interface successfully configured: [${_bridge_name}]"
    else
        info "Bridge has alread been configured: [${_bridge_name}]"
    fi
}

configure_vnet() {
    # Ensure jib script is in place for VNET jails
    if [ ! "$(command -v jib)" ]; then
        if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
            install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
        fi
    fi
    # Create default VNET ruleset
    if [ ! -f /etc/devfs.rules ] || ! grep -oq "bastille_vnet=13" /etc/devfs.rules; then
        info "Creating bastille_vnet devfs.rules"
        cat << EOF > /etc/devfs.rules
[bastille_vnet=13]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add include \$devfsrules_jail
add include \$devfsrules_jail_vnet
add path 'bpf*' unhide
EOF
    else
        info "VNET has already been configured!"
    fi
}

# Configure pf firewall
configure_pf() {
# shellcheck disable=SC2154
if [ ! -f "${bastille_pf_conf}" ]; then
    # shellcheck disable=SC3043
    local ext_if
    ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
    info "Determined default network interface: ($ext_if)"
    info "${bastille_pf_conf} does not exist: creating..."

    ## creating pf.conf
    cat << EOF > "${bastille_pf_conf}"
## generated by bastille setup
ext_if="$ext_if"

set block-policy return
scrub in on \$ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on \$ext_if from <jails> to any -> (\$ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for \$ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
    sysrc pf_enable=YES
    warn "pf ruleset created, please review ${bastille_pf_conf} and enable it using 'service pf start'."
else
    info "PF has already been configured!"
fi
}

# Configure ZFS
configure_zfs() {
    if [ ! "$(kldstat -m zfs)" ]; then
        info "ZFS module not loaded; skipping..."
    elif sysrc -f ${BASTILLE_CONFIG} -n bastille_zfs_enable | grep -Eoq "([Y|y][E|e][S|s])"; then
        info "ZFS has already been configured!"
    else
        ## attempt to determine bastille_zroot from `zpool list`
        bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
        if [ "$(echo "${bastille_zroot}" | wc -l)" -gt 1 ]; then
          error_notify "Error: Multiple ZFS pools available:\n${bastille_zroot}"
          error_notify "Set desired pool using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_zpool=ZPOOL_NAME\""
          error_exit "Don't forget to also enable ZFS using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_enable=YES\""
        fi
        sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_enable=YES
        sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_zpool="${bastille_zroot}"
    fi
}

# Run all base functions (w/o vnet) if no args
if [ $# -eq 0 ]; then
    sysrc bastille_enable=YES
    configure_network
    configure_pf
    configure_zfs
fi

# Handle options.
case "$1" in
    -h|--help|help)
        usage
        ;;
    -p|pf|firewall)
        configure_pf
        ;;
    -n|-l|network|loopback)
        warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
        warn "interface to be configured any any given time. If you continue, the 'shared'"
        warn "interface will be disabled, and the 'loopback' interface will be used as default."
        read -p "Do you really want to continue setting up the loopback interface? [y|n]:" _answer
        case "${_answer}" in
            [Yy]|[Yy][Ee][Ss])
                configure_loopback_interface
                ;;
            [Nn]|[Nn][Oo])
                error_exit "Loopback interface setup cancelled."
                ;;
            *)
                error_exit "Invalid selection. Please answer 'y' or 'n'"
                ;;
        esac
        ;;
    -s|shared|ethernet)
        warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"
        warn "interface to be configured any any given time. If you continue, the 'loopback'"
        warn "interface will be disabled, and the shared interface will be used as default."
        read -p "Do you really want to continue setting up the shared interface? [y|n]:" _answer
        case "${_answer}" in
            [Yy]|[Yy][Ee][Ss])
                configure_shared_interface
                ;;
            [Nn]|[Nn][Oo])
                error_exit "Shared interface setup cancelled."
                ;;
            *)
                error_exit "Invalid selection. Please answer 'y' or 'n'"
                ;;
        esac
        ;;
    -z|zfs|storage)
        configure_zfs
        ;;
    -v|vnet)
        configure_vnet
        ;;
    -b|bridge)
        configure_vnet
        configure_bridge
        ;;
esac
update copyright dates 2023-07-14 21:02:14 -06:00			`#!/bin/sh`
			`#`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# SPDX-License-Identifier: BSD-3-Clause`
			`#`
Add SPDX license identifiers and update copyright years Added SPDX-License-Identifier to all scripts for better license clarity and compliance. Updated the copyright years from 2024 to 2025 in various files to reflect the current maintenance period. 2025-01-11 14:07:41 -05:00			`# Copyright (c) 2018-2025, Christer Edwards <christer.edwards@gmail.com>`
update copyright dates 2023-07-14 21:02:14 -06:00			`# All rights reserved.`
			`#`
			`# Redistribution and use in source and binary forms, with or without`
			`# modification, are permitted provided that the following conditions are met:`
			`#`
			`# * Redistributions of source code must retain the above copyright notice, this`
			`# list of conditions and the following disclaimer.`
			`#`
			`# * Redistributions in binary form must reproduce the above copyright notice,`
			`# this list of conditions and the following disclaimer in the documentation`
			`# and/or other materials provided with the distribution.`
			`#`
			`# * Neither the name of the copyright holder nor the names of its`
			`# contributors may be used to endorse or promote products derived from`
			`# this software without specific prior written permission.`
			`#`
			`# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"`
			`# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE`
			`# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE`
			`# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
			`# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER`
			`# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,`
			`# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE`
			`# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`

			`. /usr/local/share/bastille/common.sh`

			`usage() {`
Update setup.sh 2025-04-22 12:59:38 -06:00			`error_exit "Usage: bastille setup [pf\|network\|zfs\|vnet\|bridge]"`
update copyright dates 2023-07-14 21:02:14 -06:00			`}`

Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# Check for too many args`
update copyright dates 2023-07-14 21:02:14 -06:00			`if [ $# -gt 1 ]; then`
			`usage`
			`fi`

Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# Configure bastille loopback network interface`
setup: Onlly allow loopback or shared interface 2025-04-22 13:25:44 -06:00			`configure_loopback_interface() {`
			`if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_loopback)" ] \|\| ! sysrc -n cloned_interfaces \| grep -oq "lo1"; then`
Update setup.sh 2025-04-22 12:59:38 -06:00			`info "Configuring bastille0 loopback interface"`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`sysrc cloned_interfaces+=lo1`
Update setup.sh 2025-04-22 12:59:38 -06:00			`sysrc ifconfig_lo1_name="bastille0"`
			`info "Bringing up new interface: [bastille0]"`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`service netif cloneup`
setup: Onlly allow loopback or shared interface 2025-04-22 13:25:44 -06:00			`sysrc -f "${BASTILLE_CONFIG}" bastille_network_loopback="bastille0"`
			`sysrc -f "${BASTILLE_CONFIG}" bastille_network_shared=""`
Update setup.sh 2025-04-22 12:59:38 -06:00			`info "Loopback interface successfully configured: [bastille0]"`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`else`
Update setup.sh 2025-04-22 12:59:38 -06:00			`info "Loopback interface has already been configured: [bastille0]"`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`fi`
update copyright dates 2023-07-14 21:02:14 -06:00			`}`

setup: Onlly allow loopback or shared interface 2025-04-22 13:25:44 -06:00			`configure_shared_interface() {`
			`_interface_list="$(ifconfig -l)"`
			`_interface_count=0`
			`if [ -z "${_interface_list}" ]; then`
			`error_exit "Unable to detect interfaces, exiting."`
			`fi`
			`if [ -z "$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_shared)" ]; then`
			`info "Attempting to configure shared interface for bastille..."`
			`info "Listing available interfaces..."`
			`for _if in ${_interface_list}; do`
			`echo "[${_interface_count}] ${_if}"`
			`_if_num="${_if_num} [${_interface_count}]${_if}"`
			`_interface_count=$(expr ${_interface_count} + 1)`
			`done`
			`read -p "Please select the interface you would like to use: " _interface_choice`
			`if ! echo "${_interface_choice}" \| grep -Eq "^[0-9]+$"; then`
			`error_exit "Invalid input number, aborting!"`
			`else`
			`_interface_select=$(echo "${_if_num}" \| grep -wo "\[${_interface_choice}\][^ ]" \| sed 's/\[.\]//g')`
			`fi`
			`# Adjust bastille.conf to reflect above choices`
			`sysrc -f "${BASTILLE_CONFIG}" bastille_network_loopback=""`
			`sysrc -f "${BASTILLE_CONFIG}" bastille_network_shared="${_interface_select}"`
			`info "Shared interface successfully configured: [${_interface_select}]"`
			`else`
			`info "Shared interface has already been configured: ["$(sysrc -f ${BASTILLE_CONFIG} -n bastille_network_shared)"]"`
			`fi`

			`}`

setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`configure_bridge() {`
			`_bridge_name="bastillebridge"`
			`_interface_list="$(ifconfig -l)"`
			`_interface_count=0`
			`if [ -z "${_interface_list}" ]; then`
			`error_exit "Unable to detect interfaces, exiting."`
			`fi`
			`if ! ifconfig -g bridge \| grep -oqw "${_bridge_name}"; then`
			`info "Configuring ${_bridge_name} bridge interface..."`
			`info "Listing available interfaces..."`
			`for _if in ${_interface_list}; do`
			`if ifconfig -g bridge \| grep -oqw "${_if}" \|\| ifconfig -g lo \| grep -oqw "${_if}"; then`
			`continue`
			`else`
			`echo "[${_interface_count}] ${_if}"`
			`_if_num="${_if_num} [${_interface_count}]${_if}"`
			`_interface_count=$(expr ${_interface_count} + 1)`
			`fi`
			`done`
			`read -p "Please select the interface to attach the bridge to: " _interface_choice`
			`if ! echo "${_interface_choice}" \| grep -Eq "^[0-9]+$"; then`
			`error_exit "Invalid input number, aborting!"`
			`else`
			`_interface_select=$(echo "${_if_num}" \| grep -wo "\[${_interface_choice}\][^ ]" \| sed 's/\[.\]//g')`
			`fi`
			`# Create bridge and persist on reboot`
			`ifconfig bridge0 create`
			`ifconfig bridge0 name bastillebridge`
			`ifconfig bastillebridge addm ${_interface_select} up`
			`sysrc cloned_interfaces+="bridge0"`
			`sysrc ifconfig_bridge0_name="bastillebridge"`
			`sysrc ifconfig_bastillebridge="addm ${_interface_select} up"`

Update setup.sh 2025-04-22 12:59:38 -06:00			`info "Bridge interface successfully configured: [${_bridge_name}]"`
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`else`
			`info "Bridge has alread been configured: [${_bridge_name}]"`
			`fi`
			`}`
add support for bastille_vnet devfs.rules in bastille setup 2023-11-25 17:19:57 -07:00
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`configure_vnet() {`
			`# Ensure jib script is in place for VNET jails`
			`if [ ! "$(command -v jib)" ]; then`
			`if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then`
			`install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib`
			`fi`
			`fi`
			`# Create default VNET ruleset`
Update setup.sh 2025-04-22 12:55:02 -06:00			`if [ ! -f /etc/devfs.rules ] \|\| ! grep -oq "bastille_vnet=13" /etc/devfs.rules; then`
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`info "Creating bastille_vnet devfs.rules"`
			`cat << EOF > /etc/devfs.rules`
add support for bastille_vnet devfs.rules in bastille setup 2023-11-25 17:19:57 -07:00			`[bastille_vnet=13]`
			`add include \$devfsrules_hide_all`
			`add include \$devfsrules_unhide_basic`
			`add include \$devfsrules_unhide_login`
			`add include \$devfsrules_jail`
			`add include \$devfsrules_jail_vnet`
			`add path 'bpf*' unhide`
			`EOF`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`else`
			`info "VNET has already been configured!"`
add support for bastille_vnet devfs.rules in bastille setup 2023-11-25 17:19:57 -07:00			`fi`
update copyright dates 2023-07-14 21:02:14 -06:00			`}`

Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# Configure pf firewall`
update copyright dates 2023-07-14 21:02:14 -06:00			`configure_pf() {`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# shellcheck disable=SC2154`
			`if [ ! -f "${bastille_pf_conf}" ]; then`
			`# shellcheck disable=SC3043`
			`local ext_if`
			`ext_if=$(netstat -rn \| awk '/default/ {print $4}' \| head -n1)`
			`info "Determined default network interface: ($ext_if)"`
			`info "${bastille_pf_conf} does not exist: creating..."`

			`## creating pf.conf`
			`cat << EOF > "${bastille_pf_conf}"`
			`## generated by bastille setup`
update copyright dates 2023-07-14 21:02:14 -06:00			`ext_if="$ext_if"`

			`set block-policy return`
			`scrub in on \$ext_if all fragment reassemble`
			`set skip on lo`

			`table <jails> persist`
			`nat on \$ext_if from <jails> to any -> (\$ext_if:0)`
			`rdr-anchor "rdr/*"`

			`block in all`
			`pass out quick keep state`
			`antispoof for \$ext_if inet`
			`pass in inet proto tcp from any to any port ssh flags S/SA keep state`
			`EOF`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`sysrc pf_enable=YES`
			`warn "pf ruleset created, please review ${bastille_pf_conf} and enable it using 'service pf start'."`
			`else`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`info "PF has already been configured!"`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`fi`
update copyright dates 2023-07-14 21:02:14 -06:00			`}`

Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# Configure ZFS`
update copyright dates 2023-07-14 21:02:14 -06:00			`configure_zfs() {`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`if [ ! "$(kldstat -m zfs)" ]; then`
			`info "ZFS module not loaded; skipping..."`
temporary setup command fix This is simply to avoid issues when the setup command might be run over an existing setup. It will check each setup subcommand and verify it has not already been configured before attempting to run the setup for the relevant setup step. This is only temporary, as we would like to get a much more advanced setup command integrated in this or below. #940 2025-04-21 20:38:33 -06:00			`elif sysrc -f ${BASTILLE_CONFIG} -n bastille_zfs_enable \| grep -Eoq "([Y\|y][E\|e][S\|s])"; then`
			`info "ZFS has already been configured!"`
Initial 'bastille setup' cmd rewrite/enhancements This PR will add the Initial 'bastille setup' command rewrite and enhancements, includes the ZFS activation helper, also further enhancements will be added accordingly. Further testing/bug reporting welcome. 2025-01-21 05:55:37 -04:00			`else`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			## attempt to determine bastille_zroot from `zpool list`
			`bastille_zroot=$(zpool list \| grep -v NAME \| awk '{print $1}')`
			`if [ "$(echo "${bastille_zroot}" \| wc -l)" -gt 1 ]; then`
			`error_notify "Error: Multiple ZFS pools available:\n${bastille_zroot}"`
setup: fix to use the new BASTILLE_CONFIG variable This helps restore the autoconfiguration for ZFS 2025-04-19 12:21:08 -05:00			`error_notify "Set desired pool using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_zpool=ZPOOL_NAME\""`
			`error_exit "Don't forget to also enable ZFS using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_enable=YES\""`
Initial 'bastille setup' cmd rewrite/enhancements This PR will add the Initial 'bastille setup' command rewrite and enhancements, includes the ZFS activation helper, also further enhancements will be added accordingly. Further testing/bug reporting welcome. 2025-01-21 05:55:37 -04:00			`fi`
setup: fix to use the new BASTILLE_CONFIG variable This helps restore the autoconfiguration for ZFS 2025-04-19 12:21:08 -05:00			`sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_enable=YES`
			`sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_zpool="${bastille_zroot}"`
Initial 'bastille setup' cmd rewrite/enhancements This PR will add the Initial 'bastille setup' command rewrite and enhancements, includes the ZFS activation helper, also further enhancements will be added accordingly. Further testing/bug reporting welcome. 2025-01-21 05:55:37 -04:00			`fi`
			`}`

Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`# Run all base functions (w/o vnet) if no args`
			`if [ $# -eq 0 ]; then`
			`sysrc bastille_enable=YES`
			`configure_network`
			`configure_pf`
			`configure_zfs`
			`fi`
Initial 'bastille setup' cmd rewrite/enhancements This PR will add the Initial 'bastille setup' command rewrite and enhancements, includes the ZFS activation helper, also further enhancements will be added accordingly. Further testing/bug reporting welcome. 2025-01-21 05:55:37 -04:00
setup: More fixes 2025-04-22 11:16:25 -06:00			`# Handle options.`
Revert "Merge pull request #823 from JRGTH/bastille_setup_initial" This reverts commit acc7bb9739d67e781b6f9c830c0e29f9cd84de63, reversing changes made to 05dc2b8d6a371ce3930ce502150293c18d7d1bea. 2025-01-26 20:45:37 -05:00			`case "$1" in`
setup: More fixes 2025-04-22 11:16:25 -06:00			`-h\|--help\|help)`
			`usage`
			`;;`
			`-p\|pf\|firewall)`
			`configure_pf`
			`;;`
			`-n\|-l\|network\|loopback)`
setup: Onlly allow loopback or shared interface 2025-04-22 13:25:44 -06:00			`warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"`
			`warn "interface to be configured any any given time. If you continue, the 'shared'"`
			`warn "interface will be disabled, and the 'loopback' interface will be used as default."`
			`read -p "Do you really want to continue setting up the loopback interface? [y\|n]:" _answer`
			`case "${_answer}" in`
			`[Yy]\|[Yy][Ee][Ss])`
			`configure_loopback_interface`
			`;;`
			`[Nn]\|[Nn][Oo])`
			`error_exit "Loopback interface setup cancelled."`
			`;;`
			`*)`
			`error_exit "Invalid selection. Please answer 'y' or 'n'"`
			`;;`
			`esac`
			`;;`
			`-s\|shared\|ethernet)`
			`warn "[WARNING] Bastille only allows using either the 'loopback' or 'shared'"`
			`warn "interface to be configured any any given time. If you continue, the 'loopback'"`
			`warn "interface will be disabled, and the shared interface will be used as default."`
			`read -p "Do you really want to continue setting up the shared interface? [y\|n]:" _answer`
			`case "${_answer}" in`
			`[Yy]\|[Yy][Ee][Ss])`
			`configure_shared_interface`
			`;;`
			`[Nn]\|[Nn][Oo])`
			`error_exit "Shared interface setup cancelled."`
			`;;`
			`*)`
			`error_exit "Invalid selection. Please answer 'y' or 'n'"`
			`;;`
			`esac`
setup: More fixes 2025-04-22 11:16:25 -06:00			`;;`
			`-z\|zfs\|storage)`
			`configure_zfs`
			`;;`
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`-v\|vnet)`
setup: More fixes 2025-04-22 11:16:25 -06:00			`configure_vnet`
			`;;`
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`-b\|bridge)`
Update setup.sh 2025-04-22 12:48:45 -06:00			`configure_vnet`
setup: Add option to create a bridge for bastille 2025-04-22 12:46:36 -06:00			`configure_bridge`
			`;;`
update copyright dates 2023-07-14 21:02:14 -06:00			`esac`