Merge pull request #75 from cedwards/firewall

0.5.20191128 release
2019-11-28 09:23:13 -07:00 · 2019-11-28 09:21:13 -07:00 · 2019-11-25 21:44:55 -07:00 · 2019-11-25 21:44:23 -07:00 · 2019-11-25 17:46:00 -07:00 · 2019-11-25 17:45:17 -07:00
9 changed files with 76 additions and 35 deletions
--- a/21
+++ b/21
@@ -0,0 +1,21 @@
+.PHONY: install
+install:
+	@echo "Installing Bastille"
+	@echo
+	@cp -av usr /
+	@echo
+	@echo "This method is for testing / development."
+
+.PHONY: uninstall
+uninstall:
+	@echo "Removing Bastille command"
+	@rm -vf /usr/local/bin/bastille
+	@echo
+	@echo "Removing Bastille sub-commands"
+	@rm -rvf /usr/local/share/bastille
+	@echo
+	@echo "removing configuration file"
+	@rm -rvf /usr/local/etc/bastille
+	@echo
+	@echo "removing startup script"
+	@rm -vf /usr/local/etc/rc.d/bastille
--- a/README.md
+++ b/README.md
@@ -21,12 +21,18 @@ portsnap fetch auto
 make -C /usr/ports/sysutils/bastille install clean
 ```

+**Git**
+```shell
+git clone https://github.com/BastilleBSD/bastille.git
+cd bastille
+make install
+```
+
 **enable at boot**
 ```shell
 sysrc bastille_enable=YES
 ```

-
 Basic Usage
 -----------
 ```shell
@@ -64,12 +70,10 @@ Use "bastille command -h|--help" for more information about a command.

 ```

-
 ## 0.5-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.

-
 Network Requirements
 ====================
 Several networking options can be performed regarding the user needs.  Basic
@@ -94,15 +98,7 @@ First, create the loopback interface:
 ```shell
 ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
-ishmael ~ # sysrc ifconfig_bastille0_aliases="inet 10.17.89.1/32"
 ishmael ~ # service netif cloneup
-ishmael ~ # ifconfig bastille0 inet 10.17.89.1/32
-```
-
-Second, enable the firewall:
-
-```shell
-ishmael ~ # sysrc pf_enable="YES"
 ```

 Create the firewall config, or merge as necessary.
@@ -114,9 +110,10 @@ ext_if="vtnet0"

 set block-policy return
 scrub in on $ext_if all fragment reassemble
-
 set skip on lo
-nat on $ext_if from bastille0:network to any -> ($ext_if)
+
+table <jails> persist
+nat on $ext_if from <jails> to any -> ($ext_if)

 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -135,7 +132,8 @@ Note: if you have an existing firewall, the key lines for in/out traffic to
 containers are:

 ```
-nat on $ext_if from bastille0:network to any -> ($ext_if)
+table <jails> persist
+nat on $ext_if from <jails> to any -> ($ext_if)

 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -148,9 +146,10 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of container Y. The example shown redirects web traffic (80 & 443) to the
 container at `10.17.89.45`.

-Finally, start up the firewall:
+Finally, enable and (re)start the firewall:

 ```shell
+ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
 ```

--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.

-Current version is `0.5.20191125`.
+Current version is `0.5.20191128`.

 To install from the FreeBSD package repository:

@@ -28,3 +28,17 @@ ports
 .. code-block:: shell

  make -C /usr/ports/sysutils/bastille install clean
+
+
+GIT
+---
+
+.. code-block:: shell
+
+  git clone https://github.com/BastilleBSD/bastille.git
+  cd bastille
+  make install
+
+This method will install the latest files from GitHub directly onto your
+system. It is verbose about the files it installs (for later removal), and also
+has a `make uninstall` target.
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -81,7 +81,6 @@ First, create the loopback interface:
  ishmael ~ # sysrc cloned_interfaces+=lo1
  ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
  ishmael ~ # service netif cloneup
-  ishmael ~ # ifconfig bastille0 inet 10.17.89.10

 Second, enable the firewall:

@@ -99,9 +98,10 @@ Create the firewall rules:
  
  set block-policy return
  scrub in on $ext_if all fragment reassemble
-  
  set skip on lo
-  nat on $ext_if from bastille0:network to any -> ($ext_if)
+
+  table <jails> persist
+  nat on $ext_if from <jails> to any -> ($ext_if)
  
  ## rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -119,7 +119,7 @@ to containers are:

 .. code-block:: shell

-  nat on $ext_if from bastille0:network to any -> ($ext_if)
+  nat on $ext_if from <jails> to any -> ($ext_if)
  
  ## rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -12,9 +12,9 @@ copyright = '2018-2019, Christer Edwards'
 author = 'Christer Edwards'

 # The short X.Y version
-version = '0.5.20191125'
+version = '0.5.20191128'
 # The full version, including alpha/beta/rc tags
-release = '0.5.20191125-beta'
+release = '0.5.20191128-beta'


 # -- General configuration ---------------------------------------------------
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -28,6 +28,8 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
 ## root check first.
 bastille_root_check() {
    if [ $(id -u) -ne 0 ]; then
@@ -67,7 +69,7 @@ bastille_perms_check
 . /usr/local/etc/bastille/bastille.conf

 ## version
-BASTILLE_VERSION="0.5.20191125RC"
+BASTILLE_VERSION="0.5.20191128"

 usage() {
    cat << EOF
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -71,17 +71,21 @@ validate_netif() {
 }

 validate_netconf() {
+	if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
+        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+        exit 1
+    fi
    if [ ! -z "${bastille_jail_external}" ]; then
        break
-    elif [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+    elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
        if [ -z "${bastille_jail_interface}" ]; then
            echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
            exit 1
        fi
-    elif [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_interface} ]; then
+    elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
-    elif [ -z ${bastille_jail_external} ]; then
+    elif [ -z "${bastille_jail_external}" ]; then
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    fi
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -51,10 +51,10 @@ TARGET="${1}"
 shift

 if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails)
+    JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | grep -w "${TARGET}")
 fi

 for _jail in ${JAILS}; do
@@ -67,9 +67,9 @@ for _jail in ${JAILS}; do
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}

-        ## update ${bastille_jail_loopback}:network with added/removed addresses
+        ## add ip4.addr to firewall table:jails
        if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
+            pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
        fi
    fi
    echo
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -64,13 +64,14 @@ for _jail in ${JAILS}; do

    ## test if running
    elif [ $(jls name | grep -w "${_jail}") ]; then
+        ## remove ip4.addr from firewall table:jails
+        if [ ! -z ${bastille_jail_loopback} ]; then
+            pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
+        fi
+
+        ## stop container
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-
-        ## update ${bastille_jail_loopback}:network with added/removed addresses
-        if [ ! -z ${bastille_jail_loopback} ]; then
-            pfctl -f /etc/pf.conf
-        fi
    fi
    echo
 done
Author	SHA1	Message	Date
Christer Edwards	29565b22c8	Merge pull request #75 from cedwards/firewall 0.5.20191128 release	2019-11-28 09:23:13 -07:00
Christer Edwards	8414865355	0.5.20191128 release	2019-11-28 09:21:13 -07:00
Christer Edwards	90c0c1d4c0	Merge pull request #74 from cedwards/improvements updating version string	2019-11-25 21:44:55 -07:00
Christer Edwards	80412679a7	updating version string	2019-11-25 21:44:23 -07:00
Christer Edwards	61eb7f5625	Merge pull request #73 from cedwards/improvements quieting pfctl output in start/stop	2019-11-25 17:46:00 -07:00
Christer Edwards	fbb99470ec	quieting pfctl output in start/stop	2019-11-25 17:45:17 -07:00
Christer Edwards	f2a968a065	Merge pull request #71 from cedwards/improvements Improvements to firewalling for loopback containers	2019-11-25 17:13:32 -07:00
Christer Edwards	0a708c3dc7	clarification to README on firewall settings	2019-11-25 17:12:27 -07:00
Christer Edwards	f6653a6a48	Merge pull request #72 from JRGTH/master Additional network config checks	2019-11-25 17:07:46 -07:00
Jose	03597e1489	Additional network config checks	2019-11-25 20:02:56 -04:00
Christer Edwards	f36744f2a0	accidentally a word	2019-11-25 15:41:11 -07:00
Christer Edwards	43da7b25a1	standardizing comments	2019-11-25 15:40:10 -07:00
Christer Edwards	b5c8330502	add PATH; improve firewall	2019-11-25 15:38:40 -07:00