Solved: I messed up the sshd service when following the Bastille tutorial about network configuration inside a jail

I messed up the sshd service when following the Bastille tutorial about network configuration inside a jail.

First, create the loopback interface:
Code:
ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup
Second, enable the firewall:
Code:
ishmael ~ # sysrc pf_enable="YES"
Create the firewall rules:
/etc/pf.conf
Code:
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA modulate state
  • Make sure to change the ext_if variable to match your host system interface.
  • Make sure to include the last line (port ssh) or you’ll end up locked out.
Note: if you have an existing firewall, the key lines for in/out traffic to containers are:
Code:
nat on $ext_if from <jails> to any -> ($ext_if)
The nat routes traffic from the loopback interface to the external interface for outbound access.
Code:
rdr-anchor "rdr/*"
The rdr-anchor “rdr/*” enables dynamic rdr rules to be setup using the bastille rdr command at runtime - eg.
Code:
bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
bastille rdr <jail> udp 2053 53 # Same for udp
bastille rdr <jail> list # List dynamic rdr rules
bastille rdr <jail> clear # Clear dynamic rdr rules
Note that if you are redirecting ports where the host is also listening (eg. ssh) you should make sure that the host service is not listening on the cloned interface - eg. for ssh set sshd_flags in rc.conf
Code:
sshd_flags="-o ListenAddress=<hostname>"
Finally, start up the firewall:
Code:
ishmael ~ # service pf restart
At this point you’ll likely be disconnected from the host. Reconnect the ssh session and continue.
This step only needs to be done once in order to prepare the host.

Look, I'm not able to connect anymore :-/
 
Log in on the console and disable the firewall. You probably made a mistake there.
 
I'm testing all this stuff inside FreeBSD-12.4-beta1: bhyve, jails, and it looks gorgeous, very nice work until now. Thanks SirDice for your suggestion.
 
FYI when doing firewall stuff, it's helpful to use at(1) to automatically revert changes after some period of time, in case you get locked out. So you'd do something like:

Code:
cp /etc/pf.conf /etc/pf.conf.bak

# ... change pf.conf ...

echo "pfctl -f /etc/pf.conf.bak" | at + 5 minutes # or `pfctl -d` to disable it entirely

If your changes work, you can at -r <job> to stop the revert from happening.
 
Or something like pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf

That will test a pf.conf.new ruleset; if you screw up, wait 60 seconds and the original ruleset gets loaded.
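Added example, not from this thread or from the Bastille project: a small sh script that combines the tutorial's warning ("make sure to include the last line (port ssh) or you'll end up locked out") with the timed-revert trick from the two replies above. `pf_allows_ssh` refuses a ruleset that has no uncommented `pass in ... port ssh` rule, and `pf_load_with_revert` queues `pfctl -f` of the known-good file with at(1) before loading the candidate, so a lockout undoes itself. The paths /etc/pf.conf.new and /etc/pf.conf are assumed, and the two sample rulesets at the bottom are constructed; only the loader needs pfctl and at, the checks run anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Bastille project.
# Two guards for the step where the tutorial says "start up the firewall":
#   pf_allows_ssh FILE            exit 0 if FILE has an uncommented "pass in"
#                                 rule admitting TCP port ssh/22, else 1
#   pf_load_with_revert NEW OLD [MIN]
#                                 refuse unless NEW passes pf_allows_ssh and
#                                 "pfctl -nf" (parse only); queue "pfctl -f OLD"
#                                 with at(1) MIN minutes out, then load NEW
# Assumed (hypothetical) paths: /etc/pf.conf.new as the candidate ruleset and
# /etc/pf.conf as the known-good one. pfctl and at are only used by the loader;
# the dry run at the bottom works on constructed files without pf.

pf_allows_ssh() {
    # drop comments, then match lines such as
    #   pass in inet proto tcp from any to any port ssh flags S/SA modulate state
    #   pass in quick proto tcp to any port 22
    # "port 2222" or "port { 22 80 }" do not match (port lists are not parsed)
    sed 's/#.*//' "$1" | grep -E \
      '^[[:space:]]*pass[[:space:]]+in([[:space:]]+quick)?[[:space:]].*port[[:space:]]+(ssh|22)([[:space:]]|$)' \
      >/dev/null
}

pf_load_with_revert() {
    new="$1"; old="$2"; minutes="${3:-5}"
    if ! pf_allows_ssh "$new"; then
        echo "refusing to load $new: no 'pass in ... port ssh' rule, you would be locked out" >&2
        return 2
    fi
    # -n parses the ruleset without loading it
    if ! pfctl -nf "$new"; then
        echo "refusing to load $new: pfctl rejected it" >&2
        return 3
    fi
    # queue the revert BEFORE loading, so a lockout caused by the load still undoes itself
    echo "pfctl -f $old" | at now + "$minutes" minutes
    pfctl -f "$new"
    echo "loaded $new; revert to $old runs in $minutes minutes unless you remove the job with 'at -r' (see atq)"
}

# Constructed sample rulesets, trimmed to the shape of the tutorial's pf.conf.
write_sample_rulesets() {
    cat > "$1/good.conf" <<'EOF'
ext_if="vtnet0"
block in all
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA modulate state
EOF
    cat > "$1/locked_out.conf" <<'EOF'
ext_if="vtnet0"
block in all
pass out quick keep state
# pass in inet proto tcp from any to any port ssh flags S/SA modulate state
pass in proto tcp to any port 2222
EOF
}

# Dry run on the constructed files (no pf needed): reports which file is safe.
SAMPLE_DIR=$(mktemp -d)
write_sample_rulesets "$SAMPLE_DIR"
for f in "$SAMPLE_DIR"/good.conf "$SAMPLE_DIR"/locked_out.conf; do
    if pf_allows_ssh "$f"; then echo "$f: ssh admitted"; else echo "$f: would lock you out"; fi
done
```

On a real host you would call `pf_load_with_revert /etc/pf.conf.new /etc/pf.conf 5` from an ssh session, confirm you can still open a new connection, and then cancel the queued job with `at -r` (the job number is listed by `atq`). The revert is queued before `pfctl -f` on purpose: if the new ruleset drops your session, the at job still runs.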
 