From 1245b0e30e33a872e2cadf5c1ed714bf40f1a1e3 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 20 Feb 2025 09:47:36 -0700
Subject: [PATCH] start: Do not add IP to firewall table if it is in the same subnet
---
 usr/local/share/bastille/start.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index 715e8307..8a0960d1 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -108,7 +108,10 @@ for _jail in ${JAILS}; do
 if ifconfig | grep -qwF "${_ip}"; then
 warn "Warning: IP address (${_ip}) already in use, continuing..."
 fi
- pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+ ## add ip to firewall table if it is not reachable through local interface (assumes NAT/rdr is needed)
+ if route -n get ${_ip} | grep "gateway" >/dev/null; then
+ pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+ fi
 else
 error_continue "Error: ${_if} interface does not exist."
 fi
@@ -128,7 +131,10 @@ for _jail in ${JAILS}; do
 if ifconfig | grep -qwF "${_ip}"; then
 warn "Warning: IP address (${_ip}) already in use, continuing..."
 fi
- pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+ ## add ip to firewall table if it is not reachable through local interface (assumes NAT/rdr is needed)
+ if route -n get ${_ip} | grep "gateway" >/dev/null; then
+ pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+ fi
 else
 error_continue "Error: ${_if} interface does not exist."
 fi
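Review bot: In the first hunk the new `route -n get ${_ip}` leaves `${_ip}` unquoted while every other use of it in the hunk is quoted, and the `grep "gateway"` is an unanchored substring match, so any other field of the route output that happens to contain that word would also trigger the `pfctl -T add`. A lookup that fails outright (no route for the address) now silently skips the add that used to run unconditionally, with no warning, which is worth either a `warn` or a sentence in the `##` comment saying that unroutable addresses are deliberately left out of the table. I would change the condition to `if route -n get "${_ip}" 2>/dev/null | grep -q '^[[:space:]]*gateway:'; then`, which also matches the `grep -q` style of the `ifconfig` check above it. Whether `_ip` can still carry a `/prefix` at this point is not visible in the hunk; if it can, it should be stripped before the lookup. The enclosing `for _jail in ${JAILS}` loop and the `if` that owns the trailing `else` branch both begin outside the hunk.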
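Review bot: The second hunk pastes the same five-line route check verbatim into a second branch, so any later fix to the lookup (quoting, the grep pattern, error handling) has to be made in two places and the branches will drift. A small helper that takes the address and does the lookup plus the table add would keep one copy of the policy and make the "only NAT what is not directly reachable" rule testable on its own. If this branch handles a different address family than the first one (not visible here), it is worth confirming that `route -n get` resolves the family correctly for every value `_ip` can take there. The enclosing loop and the outer `if` begin outside the hunk.

```shell
## Add an address to the pf NAT/rdr table only when it is not directly
## reachable through a local interface (i.e. the host route has a gateway).
pf_table_add_if_routed() {
    route -n get "$1" 2>/dev/null | grep -q '^[[:space:]]*gateway:' || return 0
    pfctl -q -t "${bastille_network_pf_table}" -T add "$1"
}

# … unchanged: interface existence check and "already in use" warning …
pf_table_add_if_routed "${_ip}"
```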