network cleanup; default route addition for vnet

This commit is contained in:
Christer Edwards
2020-04-12 17:04:37 -06:00
parent 84b091474d
commit 106c566c88
6 changed files with 19 additions and 125 deletions


@@ -38,8 +38,6 @@ bastille_compress_xz_options="-0 -v" ## default
bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
## Networking
bastille_jail_loopback="lo1" ## default: "lo1"
bastille_jail_interface="bastille0" ## default: "bastille0"
bastille_jail_external="" ## default: ""
bastille_jail_addr="10.17.89.10" ## default: "10.17.89.10"
bastille_jail_gateway="" ## default: ""
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
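Review bot: The three new variables carry no comment on how they combine, although `bastille_network_loopback` ships non-empty, `bastille_network_shared` ships empty, and create's validate_netconf exits with "Invalid network configuration" when both are set. A user who fills in the shared interface without clearing the loopback one therefore gets a config that reads fine here and fails only at create time. I would add one comment line above the group: `## set ONLY ONE of bastille_network_loopback / bastille_network_shared; leave bastille_network_gateway empty to use the host default route`.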


@@ -82,98 +82,6 @@ validate_release_url() {
fi
}
bootstrap_network_interfaces() {
## test for both options empty
if [ -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
exit 1
fi
## test for required variables -- external
if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
## test for existing interface
ifconfig "${bastille_jail_external}" >/dev/null 2>&1
if [ "$?" = 0 ]; then
## create ifconfig alias
ifconfig "${bastille_jail_external}" inet "${bastille_jail_addr}" alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo
## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
if [ "$?" = 0 ]; then
echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi
fi
fi
## test for required variables -- loopback
if [ -z "${bastille_jail_external}" ] && [ -n "${bastille_jail_loopback}" ] && \
[ -n "${bastille_jail_addr}" ]; then
echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface
ifconfig "${bastille_jail_interface}" >&2 >/dev/null
## if above return code is 1; create interface
if [ "$?" = 1 ]; then
sysrc ifconfig_"${bastille_jail_loopback}"_name | grep "${bastille_jail_interface}" >&2 >/dev/null
if [ "$?" = 1 ]; then
echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_"${bastille_jail_loopback}"_name="${bastille_jail_interface}"
sysrc ifconfig_"${bastille_jail_interface}"_aliases+="inet ${bastille_jail_addr}/32"
## create and name interface; assign address
echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig "${bastille_jail_loopback}" create name "${bastille_jail_interface}"
ifconfig "${bastille_jail_interface}" up
ifconfig "${bastille_jail_interface}" inet "${bastille_jail_addr}/32"
## reload firewall
pfctl -f /etc/pf.conf
## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep "${bastille_jail_addr}"
if [ "$?" = 0 ]; then
## test connectivity; ping from bastille_jail_addr
echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
if [ "$?" = 0 ]; then
echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e
fi
else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi
fi
}
bootstrap_directories() {
## ensure required directories are in place
@@ -488,9 +396,6 @@ http?://github.com/*/*|http?://gitlab.com/*/*)
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
bootstrap_template
;;
network)
bootstrap_network_interfaces
;;
*)
usage
;;


@@ -89,21 +89,7 @@ validate_netif() {
}
validate_netconf() {
if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
if [ -n "${bastille_jail_external}" ]; then
return 0
elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
if [ -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_jail_external}" ]; then
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
@@ -230,11 +216,11 @@ create_jail() {
fi
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
local bastille_jail_conf_interface=${bastille_jail_external}
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
local bastille_jail_conf_interface=${bastille_jail_interface}
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
@@ -348,6 +334,11 @@ create_jail() {
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
if [ -n "${bastille_network_gateway}" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(route show default | awk '/gateway/ {print $2}')"
fi
fi
## VNET requires jib script
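Review bot: The fallback in the inner `else` writes whatever `route show default | awk '/gateway/ {print $2}'` prints straight into the jail's rc.conf, so when the host has no default route or the command fails the jail silently gets `defaultrouter=""`, and when it succeeds the jail inherits the host's gateway without any check that it is reachable from `${IP}`. I would capture the result first, use `route -n` so a slow resolver cannot stall creation, write the key only when something was found, and otherwise tell the user to set `bastille_network_gateway`. create_jail's body continues outside this hunk on both sides.
```shell
else
    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
    if [ -n "${bastille_network_gateway}" ]; then
        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
    else
        ## fall back to the host's default route; never write an empty gateway
        _gateway="$(route -n show default | awk '/gateway/ {print $2}')"
        if [ -n "${_gateway}" ]; then
            /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${_gateway}"
        else
            echo -e "${COLOR_YELLOW}No host default route found; set bastille_network_gateway in bastille.conf.${COLOR_RESET}"
        fi
    fi
```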


@@ -274,10 +274,10 @@ workout_components() {
config_netif() {
# Get interface from bastille configuration
if [ -n "${bastille_jail_interface}" ]; then
NETIF_CONFIG="${bastille_jail_interface}"
elif [ -n "${bastille_jail_external}" ]; then
NETIF_CONFIG="${bastille_jail_external}"
if [ -n "${bastille_network_loopback}" ]; then
NETIF_CONFIG="${bastille_network_loopback}"
elif [ -n "${bastille_network_shared}" ]; then
NETIF_CONFIG="${bastille_network_shared}"
else
NETIF_CONFIG=
fi
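Review bot: When both `bastille_network_loopback` and `bastille_network_shared` are set, the `if`/`elif` silently selects the loopback interface and never mentions the shared one, whereas create's validate_netconf treats that combination as an error and exits; config_netif has no such check, so a template applied to an existing jail and a fresh create can disagree about which interface is meant. At minimum the precedence should be stated on the first branch: `# loopback takes precedence; create's validate_netconf rejects having both set`. The `NETIF_CONFIG=` in the final `else` leaves the variable empty without a message, which may be intended for templates that do not touch networking, but a one-word comment saying so would help. config_netif continues past the end of the hunk.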


@@ -89,7 +89,7 @@ for _jail in ${JAILS}; do
fi
## add ip4.addr to firewall table:jails
if [ ! -z "${bastille_jail_loopback}" ]; then
if [ ! -z "${bastille_network_loopback}" ]; then
pfctl -q -t jails -T add "$(jls -j "${_jail}" ip4.addr)"
fi
fi
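Review bot: The guard now fires whenever `bastille_network_loopback` is set, and the new bastille.conf ships it as `"bastille0"`, so on a host that also creates vnet jails (the `ifconfig_vnet0` path this commit extends in create) this branch runs `pfctl -T add` with the output of `jls -j ... ip4.addr`, which for a vnet jail is presumably empty or a placeholder rather than an address and would make the pfctl call fail or insert a bogus entry. The `-T delete` guard in the stop hunk has the same exposure. Consider checking the jls output before calling pfctl: `_ip4="$(jls -j "${_jail}" ip4.addr)"` then `if [ -n "${_ip4}" ] && [ "${_ip4}" != "-" ]; then pfctl -q -t jails -T add "${_ip4}"; fi`. Also `[ ! -z ... ]` here and `[ -n ... ]` in stop test the same condition; pick one form. The enclosing for-loop starts before this hunk.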


@@ -67,7 +67,7 @@ for _jail in ${JAILS}; do
## test if running
if [ "$(jls name | awk "/^${_jail}$/")" ]; then
## remove ip4.addr from firewall table:jails
if [ -n "${bastille_jail_loopback}" ]; then
if [ -n "${bastille_network_loopback}" ]; then
pfctl -q -t jails -T delete "$(jls -j "${_jail}" ip4.addr)"
fi