Compare commits


13 Commits

Author  SHA1  Message  Date
Christer Edwards  29565b22c8  Merge pull request #75 from cedwards/firewall: 0.5.20191128 release  2019-11-28 09:23:13 -07:00
Christer Edwards  8414865355  0.5.20191128 release  2019-11-28 09:21:13 -07:00
Christer Edwards  90c0c1d4c0  Merge pull request #74 from cedwards/improvements: updating version string  2019-11-25 21:44:55 -07:00
Christer Edwards  80412679a7  updating version string  2019-11-25 21:44:23 -07:00
Christer Edwards  61eb7f5625  Merge pull request #73 from cedwards/improvements: quieting pfctl output in start/stop  2019-11-25 17:46:00 -07:00
Christer Edwards  fbb99470ec  quieting pfctl output in start/stop  2019-11-25 17:45:17 -07:00
Christer Edwards  f2a968a065  Merge pull request #71 from cedwards/improvements: Improvements to firewalling for loopback containers  2019-11-25 17:13:32 -07:00
Christer Edwards  0a708c3dc7  clarification to README on firewall settings  2019-11-25 17:12:27 -07:00
Christer Edwards  f6653a6a48  Merge pull request #72 from JRGTH/master: Additional network config checks  2019-11-25 17:07:46 -07:00
Jose  03597e1489  Additional network config checks  2019-11-25 20:02:56 -04:00
Christer Edwards  f36744f2a0  accidentally a word  2019-11-25 15:41:11 -07:00
Christer Edwards  43da7b25a1  standardizing comments  2019-11-25 15:40:10 -07:00
Christer Edwards  b5c8330502  add PATH; improve firewall  2019-11-25 15:38:40 -07:00
9 changed files with 76 additions and 35 deletions

Makefile (new file, +21 lines)

@@ -0,0 +1,21 @@
.PHONY: install
install:
@echo "Installing Bastille"
@echo
@cp -av usr /
@echo
@echo "This method is for testing / development."
.PHONY: uninstall
uninstall:
@echo "Removing Bastille command"
@rm -vf /usr/local/bin/bastille
@echo
@echo "Removing Bastille sub-commands"
@rm -rvf /usr/local/share/bastille
@echo
@echo "removing configuration file"
@rm -rvf /usr/local/etc/bastille
@echo
@echo "removing startup script"
@rm -vf /usr/local/etc/rc.d/bastille
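Review bot: the `uninstall` target runs `rm -rvf /usr/local/etc/bastille`, which deletes the user's `bastille.conf` together with the program files; consider leaving the configuration directory in place (or moving its removal to a separate target) so a test uninstall/reinstall does not silently discard local settings. Minor: the echo messages mix "Removing" and "removing".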


@@ -21,12 +21,18 @@ portsnap fetch auto
make -C /usr/ports/sysutils/bastille install clean make -C /usr/ports/sysutils/bastille install clean
``` ```
**Git**
```shell
git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
```
**enable at boot** **enable at boot**
```shell ```shell
sysrc bastille_enable=YES sysrc bastille_enable=YES
``` ```
Basic Usage Basic Usage
----------- -----------
```shell ```shell
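Review bot: the new **Git** section gives `git clone` + `make install` without the caveat the Makefile and the RST docs carry ("This method is for testing / development"); since `make install` copies an unreleased tree straight into `/` as root, add that sentence here as well and mention the `make uninstall` target.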
@@ -64,12 +70,10 @@ Use "bastille command -h|--help" for more information about a command.
``` ```
## 0.5-beta ## 0.5-beta
This document outlines the basic usage of the Bastille container management This document outlines the basic usage of the Bastille container management
framework. This release is still considered beta. framework. This release is still considered beta.
Network Requirements Network Requirements
==================== ====================
Several networking options can be performed regarding the user needs. Basic Several networking options can be performed regarding the user needs. Basic
@@ -94,15 +98,7 @@ First, create the loopback interface:
```shell ```shell
ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0" ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # sysrc ifconfig_bastille0_aliases="inet 10.17.89.1/32"
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
ishmael ~ # ifconfig bastille0 inet 10.17.89.1/32
```
Second, enable the firewall:
```shell
ishmael ~ # sysrc pf_enable="YES"
``` ```
Create the firewall config, or merge as necessary. Create the firewall config, or merge as necessary.
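Review bot: the runtime `ifconfig bastille0 inet 10.17.89.1/32` line is dropped in favour of the persistent `sysrc ifconfig_bastille0_aliases="inet 10.17.89.1/32"` entry, but the only runtime command left is `service netif cloneup`; readers following the steps should confirm the address was actually applied before continuing, so add an `ifconfig bastille0` check after `cloneup` (or a `service netif restart bastille0`, whichever the project intends).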
@@ -114,9 +110,10 @@ ext_if="vtnet0"
set block-policy return set block-policy return
scrub in on $ext_if all fragment reassemble scrub in on $ext_if all fragment reassemble
set skip on lo set skip on lo
nat on $ext_if from bastille0:network to any -> ($ext_if)
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
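Review bot: switching NAT from `bastille0:network` to a `<jails>` table populated at runtime means only addresses of started containers are translated, which is tighter than the whole loopback network; the caveat is that runtime-added entries live only in the kernel, so a later full ruleset reload (`pfctl -f /etc/pf.conf`) re-initialises `<jails>` from its empty definition in the file and running containers lose NAT until restarted. Worth a sentence in the README, or a `file "..."` clause that the start/stop scripts also maintain.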
@@ -135,7 +132,8 @@ Note: if you have an existing firewall, the key lines for in/out traffic to
containers are: containers are:
``` ```
nat on $ext_if from bastille0:network to any -> ($ext_if) table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -148,9 +146,10 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of container Y. The example shown redirects web traffic (80 & 443) to the the ip of container Y. The example shown redirects web traffic (80 & 443) to the
container at `10.17.89.45`. container at `10.17.89.45`.
Finally, start up the firewall: Finally, enable and (re)start the firewall:
```shell ```shell
ishmael ~ # sysrc pf_enable="YES"
ishmael ~ # service pf restart ishmael ~ # service pf restart
``` ```


@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest` `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories. repositories.
Current version is `0.5.20191125`. Current version is `0.5.20191128`.
To install from the FreeBSD package repository: To install from the FreeBSD package repository:
@@ -28,3 +28,17 @@ ports
.. code-block:: shell .. code-block:: shell
make -C /usr/ports/sysutils/bastille install clean make -C /usr/ports/sysutils/bastille install clean
GIT
---
.. code-block:: shell
git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
This method will install the latest files from GitHub directly onto your
system. It is verbose about the files it installs (for later removal), and also
has a `make uninstall` target.


@@ -81,7 +81,6 @@ First, create the loopback interface:
ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0" ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
ishmael ~ # ifconfig bastille0 inet 10.17.89.10
Second, enable the firewall: Second, enable the firewall:
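Review bot: this hunk removes the `ifconfig bastille0 inet 10.17.89.10` line but, unlike the README change, does not add the `sysrc ifconfig_bastille0_aliases="inet ..."` replacement, so the RST docs now never assign an address to `bastille0`; add the `sysrc` line here too, and settle on one address (the README uses 10.17.89.1/32 while the docs used 10.17.89.10).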
@@ -99,9 +98,10 @@ Create the firewall rules:
set block-policy return set block-policy return
scrub in on $ext_if all fragment reassemble scrub in on $ext_if all fragment reassemble
set skip on lo set skip on lo
nat on $ext_if from bastille0:network to any -> ($ext_if)
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -119,7 +119,7 @@ to containers are:
.. code-block:: shell .. code-block:: shell
nat on $ext_if from bastille0:network to any -> ($ext_if) nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
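Review bot: the "key lines" for an existing firewall now reference `<jails>` but omit the `table <jails> persist` declaration that the README's equivalent section includes; add it here so someone merging only these lines declares the table before the nat rule uses it.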


@@ -12,9 +12,9 @@ copyright = '2018-2019, Christer Edwards'
author = 'Christer Edwards' author = 'Christer Edwards'
# The short X.Y version # The short X.Y version
version = '0.5.20191125' version = '0.5.20191128'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = '0.5.20191125-beta' release = '0.5.20191128-beta'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------


@@ -28,6 +28,8 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
## root check first. ## root check first.
bastille_root_check() { bastille_root_check() {
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then
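Review bot: pinning `PATH` to a fixed list of system directories at the top of the entry script is a good hardening step (a caller's PATH can no longer substitute its own `jail`, `pfctl` or `jls`), and it is what allows the sub-commands to drop the absolute `/usr/local/bin/bastille` path; write it as `export PATH=...` so the value is guaranteed to reach child processes even when the caller's environment did not export PATH.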
@@ -67,7 +69,7 @@ bastille_perms_check
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
## version ## version
BASTILLE_VERSION="0.5.20191125RC" BASTILLE_VERSION="0.5.20191128"
usage() { usage() {
cat << EOF cat << EOF


@@ -71,17 +71,21 @@ validate_netif() {
} }
validate_netconf() { validate_netconf() {
if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
if [ ! -z "${bastille_jail_external}" ]; then if [ ! -z "${bastille_jail_external}" ]; then
break break
elif [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
if [ -z "${bastille_jail_interface}" ]; then if [ -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}" echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1 exit 1
fi fi
elif [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_interface} ]; then elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}" echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1 exit 1
elif [ -z ${bastille_jail_external} ]; then elif [ -z "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}" echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1 exit 1
fi fi
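Review bot: the new guard rejects only the case where all three of `bastille_jail_loopback`, `bastille_jail_interface` and `bastille_jail_external` are set; `external` together with `loopback` alone still falls into the `! -z "${bastille_jail_external}"` branch and is accepted, so if mixing external with loopback is also invalid the guard should test that pair too. The `break` in that branch is not inside a loop; `return 0` is what is meant. Quoting the variables in the tests is a welcome fix.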


@@ -51,10 +51,10 @@ TARGET="${1}"
shift shift
if [ "${TARGET}" = 'ALL' ]; then if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(/usr/local/bin/bastille list jails) JAILS=$(bastille list jails)
fi fi
if [ "${TARGET}" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(/usr/local/bin/bastille list jails | grep -w "${TARGET}") JAILS=$(bastille list jails | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
@@ -67,9 +67,9 @@ for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
## update ${bastille_jail_loopback}:network with added/removed addresses ## add ip4.addr to firewall table:jails
if [ ! -z ${bastille_jail_loopback} ]; then if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
fi fi
fi fi
echo echo
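Review bot: `pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)` runs regardless of whether the preceding `jail -c` succeeded and with the `jls` output unquoted; if the jail failed to start, `jls` prints nothing (or an error) and pfctl gets no address, and a jail with more than one `ip4.addr` may yield a comma-separated list that pfctl will not treat as separate entries. Check the `jail` exit status first and handle the `jls` output explicitly; also quote `${bastille_jail_loopback}` in the test, as the validate_netconf hunk now does.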


@@ -64,13 +64,14 @@ for _jail in ${JAILS}; do
## test if running ## test if running
elif [ $(jls name | grep -w "${_jail}") ]; then elif [ $(jls name | grep -w "${_jail}") ]; then
## remove ip4.addr from firewall table:jails
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
fi
## stop container
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
## update ${bastille_jail_loopback}:network with added/removed addresses
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
fi fi
echo echo
done done
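Review bot: removing the address from `<jails>` before `jail -r` is the right order (the container loses NAT before it goes away, not after), but the entry is only removed on this path; a container torn down any other way leaves its address in the table until the next `bastille start` or a reboot. Consider also clearing entries for jails no longer reported by `jls` at start time, and quote `${bastille_jail_loopback}` in the test as the validate_netconf hunk now does.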