TLDR; Quick start guide

Sven R edited this page 2020-02-19 08:45:11 +01:00

Install Bastille via pkg pkg

pkg install bastille

enable at boot

sysrc bastille_enable=YES

create the loopback interface

ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup

configure pf.conf

ext_if="vtnet0" #edit it according to you primary network interface

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)

## static rdr example
# rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45

## Enable dynamic rdr (see below)
rdr-anchor "rdr/*"

block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

## for rdr use following lines
# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state

enable and start pf

sysrc pf_enable="YES"
service pf restart

enable ZFS (edit zroot according to you zpool (zpool list)

sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot

create your first jail

bastille create myjail1 12.1-RELEASE 10.10.10.1

#alternative for IPv6

bastille create myjail1 12.1-RELEASE fc00::1

start your jail

bastille start myjail1

You can user bastille start ALL to start all jails

Start bastille shell

bastille console myjail1

TLDR; Quick start guide Modules: Modules: Basic usage (start/stop/create/update...) Modules: Bootstrap Modules: Cmd Modules: Console Modules: Convert Modules: Import/Export Modules: Monitoring (top, verify, zfs) Modules: Limits Modules: Networking (IPv6, rdr Modules: Pkg Modules: Templating