From 0a708c3dc7a6d5e66067d7859ee366f8e7c41db5 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Mon, 25 Nov 2019 17:12:27 -0700
Subject: [PATCH] clarification to README on firewall settings
---
 README.md | 12 ++++--------
 usr/local/share/bastille/start.sh | 4 ++--
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index c44ec591..110b8c55 100644
--- a/README.md
+++ b/README.md
@@ -97,12 +97,6 @@ ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
 ishmael ~ # service netif cloneup
 ```
-Second, enable the firewall:
-
-```shell
-ishmael ~ # sysrc pf_enable="YES"
-```
-
 Create the firewall config, or merge as necessary.
 /etc/pf.conf
@@ -134,7 +128,8 @@ Note: if you have an existing firewall, the key lines for in/out traffic to containers are:
 ```
-nat on $ext_if from bastille0:network to any -> ($ext_if)
+table persist
+nat on $ext_if from to any -> ($ext_if)
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -147,9 +142,10 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to the ip of container Y. The example shown redirects web traffic (80 & 443) to the container at `10.17.89.45`.
-Finally, start up the firewall:
+Finally, enable and (re)start the firewall:
 ```shell
+ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
 ```
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index d8df2eb5..93a875e7 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -51,10 +51,10 @@ TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
- JAILS=$(/usr/local/bin/bastille list jails)
+ JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
- JAILS=$(/usr/local/bin/bastille list jails | grep -w "${TARGET}")
+ JAILS=$(bastille list jails | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
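Review bot: The two new `JAILS=$(bastille list jails …)` lines in start.sh now resolve `bastille` through PATH where the old lines pinned `/usr/local/bin/bastille`, so when this script runs from a context with a minimal PATH (an rc script, cron, a restricted sudo profile) the command can fail with `JAILS` left empty and the loop below silently starting nothing, or it can resolve to a different `bastille` if a writable directory precedes /usr/local/bin in PATH. If the intent is to support non-default install prefixes, resolving the binary once near the top, e.g. `bastille_cmd=/usr/local/bin/bastille` and then `"${bastille_cmd}" list jails`, keeps that flexibility without depending on the caller's PATH, and an explicit `[ -n "${JAILS}" ] || exit 1`-style check after the two `if` blocks would make the empty case visible. The second new line also still hands `${TARGET}` to `grep -w` as a regular expression, so a name containing `.` or `[` can match other jails; `grep -w -F -- "${TARGET}"` restricts it to a literal whole-word match. The `for _jail in ${JAILS}; do` loop on the last hunk line continues outside the hunk.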