start: Do not add IP to firewall table if it is in the same subnet

2025-12-21 17:52:01 +01:00 · 2025-02-20 09:47:36 -07:00
parent a1e58f4131
commit 1245b0e30e
1 changed files with 8 additions and 2 deletions
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -108,7 +108,10 @@ for _jail in ${JAILS}; do
                    if ifconfig | grep -qwF "${_ip}"; then
                        warn "Warning: IP address (${_ip}) already in use, continuing..."
                    fi
-                    pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+                    ## add ip to firewall table if it is not reachable through local interface (assumes NAT/rdr is needed)
+                    if route -n get ${_ip} | grep "gateway" >/dev/null; then
+                        pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+                    fi
                else
                    error_continue "Error: ${_if} interface does not exist."
                fi
@@ -128,7 +131,10 @@ for _jail in ${JAILS}; do
                    if ifconfig | grep -qwF "${_ip}"; then
                        warn "Warning: IP address (${_ip}) already in use, continuing..."
                    fi
-                    pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+                    ## add ip to firewall table if it is not reachable through local interface (assumes NAT/rdr is needed)
+                    if route -n get ${_ip} | grep "gateway" >/dev/null; then
+                        pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip}"
+                    fi
                else
                    error_continue "Error: ${_if} interface does not exist."
                fi