[ENHANCEMENT] Make automatic rdr rules work on servers with multiple IPv4 addresses #707

Open
sveeke opened this issue Jun 24, 2024 · 0 comments
sveeke commented Jun 24, 2024

Is your feature request related to a problem? Please describe.
My servers/jail hosts have multiple public IPv4 addresses and I can't seem to figure out how this can work properly with Bastille. If there is a better way than my hack, then please let me know 😄.

When Bastille creates the automatic rdr rules for ports that must be forwarded to a jail, the rule applies to all IP addresses, effectively killing all other services that run on the same port number on other IP addresses.

So after doing this:

# bastille rdr jail_name tcp 80 80
# bastille rdr jail_name tcp 443 443
# bastille rdr jail_name list
rdr pass on ix0 inet proto tcp from any to any port = 80 -> 10.111.2.1 port 80
rdr pass on ix0 inet proto tcp from any to any port = 443 -> 10.111.2.1 port 443

The created rules will also kill any other service running on ports 80 and 443 on any other IP address on the server.

Describe the solution you'd like
To make it possible to bind Bastille jails to a single outgoing address (or two in the case of using both IPv4 and IPv6) so that Bastille's automatic rdr rules won't apply to all IP addresses on the server.

I hacked this myself by changing line 119 in rdr.sh from:

printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )

To:

printf '%s\nrdr pass on $%s inet proto %s from any to the.correct.ip.address port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )

So it should be possible to make this configurable.

Describe alternatives you've considered

  • Make the more specific rdr rules myself (ignoring Bastille's feature to automatically create them), but I'm not 100% sure how this would work (I can't seem to make it work at least).

Additional context
Some relevant parts of my config.

# cat /usr/local/etc/bastille/bastille.conf
## Networking
bastille_network_loopback="bastille0"                                 ## default: "bastille0"
bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
bastille_network_pf_table="jails"                                     ## default: "jails"
bastille_network_shared=""                                            ## default: ""
bastille_network_gateway="the.correct.ip.address"                                           ## default: ""
bastille_network_gateway6=""                                          ## default: ""

# cat /etc/rc.conf
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"

# cat /etc/pf.conf
ext_if="ix0"
table <jails> persist                   # bastille jail table
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
@sveeke sveeke added the enhancement New feature or request label Jun 24, 2024
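The per-address variant of the rule the issue asks for, written as an added example in POSIX sh (this is not Bastille's rdr.sh, and the function names, the interface macro `ext_if`, the jail address 10.111.2.1 and the public address 203.0.113.10 are constructed placeholders). `rdr_rule` emits the same line as the rdr.sh printf above but takes an optional bind address, so with no address it reproduces the unbound "from any to any" rule and with one it only matches traffic for that address. `rdr_shadowed` covers the caveat a practitioner hits when mixing both styles: pf applies translation rules first-match, so an unbound `to any port N` rule earlier in the anchor captures the traffic before a later address-specific rule on the same port is reached. Hostnames and IPv6 (`inet6`) are deliberately not handled here.

```sh
#!/bin/sh
# Added example, not Bastille's rdr.sh: build pf rdr rules pinned to one
# external address instead of matching every address on the interface.
# "ext_if", 10.111.2.1 and 203.0.113.10 are constructed placeholders.

# Accept only a dotted-quad IPv4 address or the literal "any"; anything
# else (hostnames, IPv6, shell metacharacters) is rejected before it can
# land in a rule that pfctl will parse.
rdr_valid_dst() {
    case "$1" in
        any) return 0 ;;
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# rdr_rule EXT_IF_MACRO PROTO HOST_PORT JAIL_IP JAIL_PORT [BIND_ADDR]
# Prints one rdr rule in the same shape as rdr.sh. Without BIND_ADDR the
# rule is the unbound "from any to any" one from the issue; with BIND_ADDR
# it matches only traffic addressed to that IP, so services on the other
# addresses of the host keep their ports.
rdr_rule() {
    ext_if=$1 proto=$2 host_port=$3 jail_ip=$4 jail_port=$5
    dst=${6:-any}
    rdr_valid_dst "$dst" || {
        printf 'rdr_rule: refusing bind address "%s"\n' "$dst" >&2
        return 1
    }
    printf 'rdr pass on $%s inet proto %s from any to %s port %s -> %s port %s\n' \
        "$ext_if" "$proto" "$dst" "$host_port" "$jail_ip" "$jail_port"
}

# rdr_shadowed PROTO HOST_PORT RULES
# pf evaluates translation (nat/rdr) rules first-match, so an existing
# "from any to any port N" rule for the same protocol wins over any
# address-specific rule added after it. Returns 0 when RULES (one rule per
# line, rdr.sh format) already contains such an unbound rule for the port.
rdr_shadowed() {
    proto=$1 host_port=$2 rules=$3
    printf '%s\n' "$rules" |
        grep -qF -- "proto $proto from any to any port $host_port -> "
}

# Demo: forward the jail's web ports from one public address only.
public_ip=203.0.113.10
jail_ip=10.111.2.1
for port in 80 443; do
    rdr_rule ext_if tcp "$port" "$jail_ip" "$port" "$public_ip"
done
```

Running the block prints the two bound rules; before appending a bound rule to an anchor that already has Bastille's unbound rules in it, feed the current anchor contents to `rdr_shadowed` and refuse (or reorder) when it returns true, otherwise the new rule never sees a packet.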