forked from BastilleBSD/bastille
TLDR; Quick start guide
Sven R edited this page Feb 19, 2020
Install Bastille via pkg:

```
pkg install bastille
```
Enable it at boot:

```
sysrc bastille_enable=YES
```
Create the loopback interface:

```
ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup
```
Configure /etc/pf.conf:

```
ext_if="vtnet0" # edit according to your primary network interface
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## static rdr example
# rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
## Enable dynamic rdr (see below)
rdr-anchor "rdr/*"
block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
## for rdr use the following lines
# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
```
Enable and start pf:

```
sysrc pf_enable="YES"
service pf restart
```
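The ruleset above is default-deny inbound (`block in all`) with ssh as the only open port; the commented rdr pass lines are the single place where a port range gets opened for redirected jail services. The script below is an added example, not part of the Bastille wiki or the Bastille project: it renders a pf.conf in the shape of the one above from an interface name and an optional rdr port range, validates the range, and checks the rendered file still carries the default deny, the jail NAT rule and the rdr anchor before you load it. Function names, the interface `vtnet0` and the port range `8000:8100` are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the Bastille quick start (not project code).
# Renders a pf.conf like the one in the guide and sanity-checks it offline;
# nothing here touches the running firewall.

# render_pf_conf EXT_IF [RDR_START RDR_END]
# Prints the ruleset to stdout. The two "pass in ... port start:end" rules are
# emitted only when a port range is supplied, so without one the result keeps
# "block in all" with ssh as the single inbound exception.
render_pf_conf() {
    ext_if=$1
    rdr_start=$2
    rdr_end=$3
    printf 'ext_if="%s"\n' "$ext_if"
    # quoted heredoc: $ext_if stays literal for pf to expand, not the shell
    cat <<'EOF'
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"
block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
    if [ -n "$rdr_start" ] && [ -n "$rdr_end" ]; then
        printf 'pass in inet proto tcp from any to any port %s:%s flags S/SA keep state\n' \
            "$rdr_start" "$rdr_end"
        printf 'pass in inet proto udp from any to any port %s:%s flags S/SA keep state\n' \
            "$rdr_start" "$rdr_end"
    fi
}

# valid_port_range START END
# Returns 0 only when both values are numeric and 1 <= START <= END <= 65535,
# so a typo cannot silently turn into "pass in" for an unintended range.
valid_port_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# check_pf_conf FILE
# Returns 0 when the file still contains the guide's defensive defaults:
# the default deny, NAT for the <jails> table and the dynamic rdr anchor
# that Bastille's rdr command populates. Reports the first missing item.
check_pf_conf() {
    f=$1
    grep -q '^block in all$' "$f" \
        || { echo "check_pf_conf: missing 'block in all'" >&2; return 1; }
    grep -q '^nat on \$ext_if from <jails> to any -> (\$ext_if)$' "$f" \
        || { echo "check_pf_conf: missing jail NAT rule" >&2; return 1; }
    grep -q '^rdr-anchor "rdr/\*"$' "$f" \
        || { echo "check_pf_conf: missing rdr-anchor \"rdr/*\"" >&2; return 1; }
    return 0
}

# Stand-alone usage: render with an assumed interface and range, then check.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp)
    if valid_port_range 8000 8100; then
        render_pf_conf vtnet0 8000 8100 > "$out"
    else
        render_pf_conf vtnet0 > "$out"
    fi
    check_pf_conf "$out" && cat "$out"
    rm -f "$out"
fi
```

Once the rendered file passes `check_pf_conf`, `pfctl -nf /etc/pf.conf` parses it without loading, so syntax errors surface before `service pf restart` replaces the live ruleset.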
Enable ZFS (set bastille_zfs_zpool to your zpool name; see `zpool list`):

```
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot
```
Create your first jail:

```
bastille create myjail1 12.1-RELEASE 10.10.10.1
# alternative for IPv6
bastille create myjail1 12.1-RELEASE fc00::1
```
Start your jail:

```
bastille start myjail1
```

You can use `bastille start ALL` to start all jails.
Open a shell inside the jail with the Bastille console:

```
bastille console myjail1
```