Is your feature request related to a problem? Please describe.
My servers/jail hosts have multiple public IPv4 addresses and I can't seem to figure out how this can work properly with Bastille. If there is a better way than my hack, then please let me know 😄.
When Bastille creates the automatic rdr rules for ports that must be forwarded to a jail, the rule applies to all IP addresses, effectively killing all other services that run on the same port number on other IP addresses.
So after doing this:

```
# bastille rdr jail_name tcp 80 80
# bastille rdr jail_name tcp 443 443
# bastille rdr jail_name list
rdr pass on ix0 inet proto tcp from any to any port = 80 -> 10.111.2.1 port 80
rdr pass on ix0 inet proto tcp from any to any port = 443 -> 10.111.2.1 port 443
```
The created rules will also kill any other service running on ports 80 and 443 on any other IP address on the server.
Describe the solution you'd like
To make it possible to bind Bastille jails to a single outgoing address (or two in the case of using both IPv4 and IPv6) so that Bastille's automatic rdr rules won't apply to all IP addresses on the server.
I hacked this myself by changing line 119 in rdr.sh from:

```sh
printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )
```

to:

```sh
printf '%s\nrdr pass on $%s inet proto %s from any to the.correct.ip.address port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )
```
So it should be possible to make this configurable.
Describe alternatives you've considered
Make the more specific rdr rules myself (ignoring Bastille's feature to automatically create them), but I'm not 100% sure how this would work (I can't seem to make it work at least).
Additional context
Some relevant parts of my config.
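The following is an added example, not part of the issue above and not Bastille's own rdr.sh. It generalizes the reporter's hack: a rule generator that takes an optional destination address (defaulting to pf's `any`, which is what the unmodified Bastille rule matches), plus a small collision check that flags exactly the situation described in the issue, where an unqualified `to any` rule silently captures a port that another jail or host service expects on a different address. The interface name `ix0`, the addresses `203.0.113.x`, the jail IPs `10.111.2.x` and the jail names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Bastille code). Interface, addresses and jail names below
# are constructed for illustration.

# make_rdr_rule EXT_IF PROTO HOST_PORT JAIL_IP JAIL_PORT [DEST_ADDR]
# Without DEST_ADDR the rule matches every address on EXT_IF, which is what
# Bastille's current rule does; with DEST_ADDR only traffic to that one
# address is redirected into the jail.
make_rdr_rule() {
    _ext_if=$1; _proto=$2; _host_port=$3; _jail_ip=$4; _jail_port=$5; _dest=${6:-any}
    printf 'rdr pass on %s inet proto %s from any to %s port %s -> %s port %s\n' \
        "$_ext_if" "$_proto" "$_dest" "$_host_port" "$_jail_ip" "$_jail_port"
}

# find_collisions BINDINGS
# BINDINGS is one "jail dest_addr proto host_port jail_ip jail_port" per line.
# Prints a line for every pair of bindings that claim the same proto/port on
# the same address; "any" is treated as colliding with every other address,
# because that is how pf will match it.
find_collisions() {
    printf '%s\n' "$1" | awk '
    NF == 6 { n++; jail[n] = $1; addr[n] = $2; proto[n] = $3; port[n] = $4 }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (proto[i] == proto[j] && port[i] == port[j] &&
                    (addr[i] == "any" || addr[j] == "any" || addr[i] == addr[j]))
                    printf "%s and %s both claim %s/%s on %s\n", jail[i], jail[j],
                        proto[i], port[i],
                        (addr[i] == "any" || addr[j] == "any") ? "all addresses" : addr[i]
    }'
}

# emit_rules EXT_IF BINDINGS: one rdr rule per binding line.
emit_rules() {
    printf '%s\n' "$2" | while read -r _jail _addr _proto _hport _jip _jport; do
        [ -n "$_jail" ] || continue
        make_rdr_rule "$1" "$_proto" "$_hport" "$_jip" "$_jport" "$_addr"
    done
}

# Constructed data. BAD mirrors the issue: web1 is bound with Bastille's
# unqualified rule ("any"), so it also swallows port 80 meant for web2's address.
JAIL_BINDINGS_BAD='web1 any tcp 80 10.111.2.1 80
web1 any tcp 443 10.111.2.1 443
web2 203.0.113.11 tcp 80 10.111.2.2 80'

# GOOD pins each jail to its own public address, so both can serve port 80.
JAIL_BINDINGS_GOOD='web1 203.0.113.10 tcp 80 10.111.2.1 80
web1 203.0.113.10 tcp 443 10.111.2.1 443
web2 203.0.113.11 tcp 80 10.111.2.2 80'

echo "# unqualified rules (current Bastille behaviour):"
emit_rules ix0 "$JAIL_BINDINGS_BAD"
echo "# collisions:"
find_collisions "$JAIL_BINDINGS_BAD"
echo
echo "# per-address rules:"
emit_rules ix0 "$JAIL_BINDINGS_GOOD"
echo "# collisions:"
find_collisions "$JAIL_BINDINGS_GOOD"
```

On the actual host, the emitted rules can be dropped into the rdr anchor Bastille loads and syntax-checked with `pfctl -nf` before being applied; the collision check is what tells you, before reloading pf, whether a new jail's port mapping will shadow a service already answering on another address.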