Administrera jails via bastille i FreeBSD: Difference between revisions

From Peters wiki
Jump to navigation Jump to search
← Older editNewer edit →
Tag: Manual revert
mNo edit summary
Line 28: Line 28:
{{RootCmd|<nowiki>sysrc cloned_interfaces+=lo1</nowiki>|<nowiki>sysrc ifconfig_lo1_name="bastille0"</nowiki>|service netif cloneup}}
{{RootCmd|<nowiki>sysrc cloned_interfaces+=lo1</nowiki>|<nowiki>sysrc ifconfig_lo1_name="bastille0"</nowiki>|service netif cloneup}}


Editera filen /etc/pf.conf:
{{bc=1
ext_if="igb0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
}}
Start pf genom att köra:
{{RootCmd|sysrc pf_enable=YES
service pf start
}}
[[Category:Guide]]
[[Category:Guide]]

Revision as of 14:24, 12 August 2023


Denna guide visar hur man kan köra nginx i ett jail via bastille i FreeBSD 13.2.

Installation

Installera bastille genom kommandot:

root # pkg install bastille


Konfiguration

Vi kommer köra bastille på en ZFS pool som heter trunk och vår router har IP adress 192.168.0.1. Editera filen /usr/local/etc/bastille/bastille.conf och se till att följande är konfigurerat: 

bastille_tzdata="Europe/Stockholm"
bastille_zfs_enable="YES"
bastille_zfs_zpool="trunk"
bastille_network_gateway="192.168.0.1"

Nätverk

Vi kommer köra jails i privata nätverk och öppna upp access till nginx genom att göra port-forwarding av port 8080 på host:en till nginx. Kör följande kommandon:

root # sysrc cloned_interfaces+=lo1
root # sysrc ifconfig_lo1_name="bastille0"
root # service netif cloneup

Editera filen /etc/pf.conf:

{{bc=1 ext_if="igb0"

set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo

table <jails> persist nat on $ext_if from <jails> to any -> ($ext_if:0) rdr-anchor "rdr/*"

block in all pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state }}

Start pf genom att köra:

Template:Error

Retrieved from "http://www.kerwien.se/index.php?title=Administrera_jails_via_bastille_i_FreeBSD&oldid=3377"