
[ENHANCEMENT] Make automatic rdr rules work on servers with multiple IPv4 addresses #707

Open
sveeke opened this issue Jun 24, 2024 · 15 comments
Labels
enhancement New feature or request

Comments

sveeke commented Jun 24, 2024

Is your feature request related to a problem? Please describe.
My servers/jail hosts have multiple public IPv4 addresses and I can't seem to figure out how this can work properly with Bastille. If there is a better way than my hack, then please let me know 😄.

When Bastille creates the automatic rdr rules for ports that must be forwarded to a jail, the rule applies to all IP addresses, effectively killing all other services that run on the same port number on other IP addresses.

So after doing this:

# bastille rdr jail_name tcp 80 80
# bastille rdr jail_name tcp 443 443
# bastille rdr jail_name list
rdr pass on ix0 inet proto tcp from any to any port = 80 -> 10.111.2.1 port 80
rdr pass on ix0 inet proto tcp from any to any port = 443 -> 10.111.2.1 port 443

The created rules will also kill any other service running on ports 80 and 443 on any other IP address on the server.

Describe the solution you'd like
To make it possible to bind Bastille jails to a single outgoing address (or two in the case of using both IPv4 and IPv6) so that Bastille's automatic rdr rules won't apply to all IP addresses on the server.

I hacked this myself by changing line 119 in rdr.sh from:

printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )

To:

printf '%s\nrdr pass on $%s inet proto %s from any to the.correct.ip.address port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" )

So it should be possible to make this configurable.

Describe alternatives you've considered

  • Make the more specific rdr rules myself (ignoring Bastille's feature to automatically create them), but I'm not 100% sure how this would work (I can't seem to make it work at least).

Additional context
Some relevant parts of my config.

# cat /usr/local/etc/bastille/bastille.conf
## Networking
bastille_network_loopback="bastille0"                                 ## default: "bastille0"
bastille_network_pf_ext_if="ext_if"                                   ## default: "ext_if"
bastille_network_pf_table="jails"                                     ## default: "jails"
bastille_network_shared=""                                            ## default: ""
bastille_network_gateway="the.correct.ip.address"                     ## default: ""
bastille_network_gateway6=""                                          ## default: ""

# cat /etc/rc.conf
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"

# cat /etc/pf.conf
ext_if="ix0"
table <jails> persist                   # bastille jail table
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
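As an added example (not code from this issue or from Bastille), here are the two rule shapes side by side in a small POSIX sh helper: the `to any` form Bastille generates today, and a destination-scoped form that leaves the other addresses on the same interface alone. The jail name, the 192.0.2.x addresses and the function names are placeholders chosen for the example; 10.111.2.1 is the jail address from the issue.

```shell
#!/bin/sh
# Added example, not Bastille's own code: the over-broad rdr rule Bastille
# generates today next to a destination-scoped one, for a host that has
# several public IPv4 addresses on $ext_if. Public addresses are placeholders
# from the RFC 5737 documentation range; 10.111.2.1 is the jail address
# quoted in the issue.

# broad_rdr EXT_IF_MACRO PROTO HOST_PORT JAIL_IP JAIL_PORT
# "to any" matches every address configured on the interface, so the jail
# takes over HOST_PORT on all of them.
broad_rdr() {
    printf 'rdr pass on $%s inet proto %s from any to any port %s -> %s port %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# scoped_rdr EXT_IF_MACRO PROTO PUBLIC_IP HOST_PORT JAIL_IP JAIL_PORT
# Only packets addressed to PUBLIC_IP are redirected; the other addresses
# on the same interface keep their own listeners on HOST_PORT.
scoped_rdr() {
    printf 'rdr pass on $%s inet proto %s from any to %s port %s -> %s port %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Rule set for a hypothetical "proxy" jail that owns 192.0.2.10 only.
# 192.0.2.11 on the same interface stays with the host's own web server.
proxy_rules() {
    scoped_rdr ext_if tcp 192.0.2.10 80  10.111.2.1 80
    scoped_rdr ext_if tcp 192.0.2.10 443 10.111.2.1 443
}

# rules_scoped_to ADDR  (rules on stdin)
# Succeeds only if every rule redirects traffic addressed to ADDR and
# nothing else, i.e. no "to any" and no other address slipped in.
rules_scoped_to() {
    _re=$(printf '%s' "$1" | sed 's/\./\\./g')
    ! grep -Evq "from any to ${_re} port"
}

# Stand-alone run: print the scoped rules, then parse them with pfctl when
# it is available. An anchor file is parsed on its own, without the macros
# from /etc/pf.conf, which is why Bastille emits ext_if="ix0" as line 1.
proxy_rules
if command -v pfctl >/dev/null 2>&1; then
    { echo 'ext_if="ix0"'; proxy_rules; } | pfctl -nf - || echo "pfctl rejected the rules" >&2
fi
```

After loading, `pfctl -a rdr/<jail> -sn` shows exactly what landed in the jail's anchor; if a rule there still reads `to any`, every address on the interface has lost that port to the jail.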
tschettervictor (Collaborator)

#765

tschettervictor (Collaborator)

@sveeke Can you test the above PR?

sveeke (Author) commented Jan 5, 2025

> @sveeke Can you test the above PR?

I'll try in January after my vacation!

sveeke (Author) commented Jan 12, 2025

> @sveeke Can you test the above PR?

I get the following error when I try to add an rdr rule with bastille rdr -t ipv4 -d one.of.the.ipaddresses jail-name tcp 80 80:

/usr/local/share/bastille/rdr.sh: set_target_single: not found
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded

I swapped /usr/local/share/bastille/rdr.sh and /usr/local/share/bastille/list.sh on my server with your versions in tschettervictor:rdr-multiple-interfaces. Do I need to change more in order to make it work?

tschettervictor (Collaborator) commented Jan 12, 2025

The -r is incorrect. It should be -d for "type"

And yes, I missed that one function. Let me add it quick.

sveeke (Author) commented Jan 12, 2025

> The -r is incorrect. It should be -d for "type"
>
> And yes, I missed that one function. Let me add it quick.

Sorry, that was a typo from me to GitHub; I used -d in that command. I think otherwise it would have given an error like Unknown option.

tschettervictor (Collaborator)

And you need the common.sh file from the current GitHub HEAD. That has the "set_target_single" function.

sveeke (Author) commented Jan 12, 2025

Yeah, with common.sh from the current repo that error is indeed gone. But I still get:

 # bastille rdr -t ipv4 -d 1.2.3.4 1-proxy tcp 443 443
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"

The command fills /usr/local/bastille/jails/1-proxy/rdr.conf just fine:

ipv4 ix0 any 1.2.3.4 tcp 443 443

But effectuating seems to not work. I tried with set -x as well:

+ validate_rdr_rule ix0 any 1.2.3.4 tcp 443 443
+ local 'if=ix0'
+ local 'src=any'
+ local 'dst=1.2.3.4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ grep -qs 'ix0 any 1.2.3.4 tcp 443 443' /usr/local/bastille/jails/1-proxy/rdr.conf
+ persist_rdr_rule ipv4 ix0 any 1.2.3.4 tcp 443 443
+ local 'inet=ipv4'
+ local 'if=ix0'
+ local 'src=any'
+ local 'dst=1,2,3,4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ grep -qs 'ipv4 ix0 any 1.2.3.4 tcp 443 443' /usr/local/bastille/jails/1-proxy/rdr.conf
+ echo 'ipv4 ix0 any 1.2.3.4 tcp 443 443'
+ load_rdr_rule ipv4 ix0 any 1.2.3.4 tcp 443 443
+ local 'inet=ipv4'
+ local 'if_name=ix0'
+ local 'if=ext_if="ix0"'
+ local 'src=any'
+ local 'dst=1.2.3.4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ [ ipv4 '=' ipv4 ]
+ pfctl -a rdr/1-proxy -Psn
+ pfctl -a rdr/1-proxy -f-
+ printf '%s\nrdr pass on $%s inet proto %s from %s to %s port %s -> %s port %s\n' 'ext_if="ix0"' ext_if tcp any 1.2.3.4 443 '' 443
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
+ error_exit 'Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"'
+ error_notify 'Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"'
+ echo -e '\033[0;31mFailed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"\033[0;0m'
Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"
+ exit 1

Any idea what could be the cause?

tschettervictor (Collaborator)

Did you set up your pf rules using 'bastille setup pf'?

tschettervictor (Collaborator) commented Jan 12, 2025

Oops. Looks like your JAIL_IP var is not filling. Let me see...

Can you post the full "set -x" output?
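To illustrate the failure mode in the trace above, where an empty JAIL_IP turns the redirect target into `-> port 443` and pfctl answers `stdin:2: syntax error`, and the `ifconfig | grep` check the PR performs on the -d address, here is an added pre-flight example in POSIX sh. It is not Bastille's code: the function names, the constructed ifconfig output and the 192.0.2.x addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Bastille's own code: pre-flight checks for an rdr rule
# before it is handed to "pfctl -a rdr/<jail> -f-". It refuses to build a
# rule with an empty jail address (the "-> port 443" seen in the trace) and
# verifies that the -d address is really configured on the host.

# host_has_inet4 ADDR  (ifconfig output on stdin)
# True if ADDR appears as an "inet" address on some interface. The address
# is anchored on both sides so that 192.0.2.1 does not match 192.0.2.10.
host_has_inet4() {
    _re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*inet ${_re}([[:space:]]|$)"
}

# anchor_payload EXT_IF_NAME DST PROTO HOST_PORT JAIL_IP JAIL_PORT
# Emits what goes into the jail's anchor: the macro definition on line 1
# (the anchor is parsed without /etc/pf.conf's macros, so $ext_if has to be
# defined in the same input) and the rule on line 2. Fails, printing
# nothing, when the jail IP is empty or the protocol is not tcp/udp.
anchor_payload() {
    _if="$1"; _dst="$2"; _proto="$3"; _hport="$4"; _jip="$5"; _jport="$6"
    if [ -z "$_jip" ]; then
        echo "anchor_payload: jail IP is empty; refusing to build '-> port $_jport'" >&2
        return 1
    fi
    case "$_proto" in
        tcp|udp) ;;
        *) echo "anchor_payload: unsupported protocol '$_proto'" >&2; return 1 ;;
    esac
    printf 'ext_if="%s"\nrdr pass on $ext_if inet proto %s from any to %s port %s -> %s port %s\n' \
        "$_if" "$_proto" "$_dst" "$_hport" "$_jip" "$_jport"
}

# Constructed ifconfig output (not a real capture) for a host with two
# public addresses on ix0 and the jail address on bastille0.
SAMPLE_IFCONFIG='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
bastille0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.111.2.1 netmask 0xffffffff'

# Stand-alone run: on a real host replace the printf with plain "ifconfig".
if printf '%s\n' "$SAMPLE_IFCONFIG" | host_has_inet4 192.0.2.10; then
    anchor_payload ix0 192.0.2.10 tcp 443 10.111.2.1 443
else
    echo "192.0.2.10 is not configured on this host" >&2
fi
```

In the trace, JAIL_IP is read back from the jail's ip4.addr with `bastille config <jail> get ip4.addr`; a check like `anchor_payload` placed between that lookup and `pfctl -f-` turns a pf syntax error into a clear message and leaves the anchor untouched.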

sveeke (Author) commented Jan 12, 2025

Sure! I changed the IP address and jail name to 1.2.3.4 and 1-proxy.

root@s1:~ # bastille rdr -t ipv4 -d 1.2.3.4 1-proxy tcp 443 443
+ . /usr/local/etc/bastille/bastille.conf
+ bastille_prefix=/usr/local/bastille
+ bastille_backupsdir=/usr/local/bastille/backups
+ bastille_cachedir=/usr/local/bastille/cache
+ bastille_jailsdir=/usr/local/bastille/jails
+ bastille_releasesdir=/usr/local/bastille/releases
+ bastille_templatesdir=/usr/local/bastille/templates
+ bastille_logsdir=/var/log/bastille
+ bastille_pf_conf=/etc/pf.conf
+ bastille_sharedir=/usr/local/share/bastille
+ bastille_bootstrap_archives=base
+ bastille_tzdata=''
+ bastille_resolv_conf=/etc/resolv.conf
+ bastille_url_freebsd=http://ftp.freebsd.org/pub/FreeBSD/releases/
+ bastille_url_hardenedbsd=https://installers.hardenedbsd.org/pub/
+ bastille_url_midnightbsd=https://www.midnightbsd.org/ftp/MidnightBSD/releases/
+ bastille_zfs_enable=YES
+ bastille_zfs_zpool=zroot
+ bastille_zfs_prefix=bastille
+ bastille_zfs_options='-o compress=lz4 -o atime=off'
+ bastille_compress_xz_options='-0 -v'
+ bastille_decompress_xz_options='-c -d -v'
+ bastille_compress_gz_options='-1 -v'
+ bastille_decompress_gz_options='-k -d -c -v'
+ bastille_export_options=''
+ bastille_network_loopback=bastille0
+ bastille_network_pf_ext_if=ext_if
+ bastille_network_pf_table=jails
+ bastille_network_shared=''
+ bastille_network_gateway=1.2.3.4
+ bastille_network_gateway6=''
+ bastille_template_base=default/base
+ bastille_template_empty=''
+ bastille_template_thick=default/thick
+ bastille_template_clone=default/clone
+ bastille_template_thin=default/thin
+ bastille_template_vnet=default/vnet
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ enable_color
+ . /usr/local/share/bastille/colors.pre.sh
+ COLOR_RESET='\033[0;0m'
+ COLOR_BOLD='\033[1m'
+ COLOR_UNDER='\033[4m'
+ COLOR_BLINK='\033[5m'
+ COLOR_INVERSE='\033[7m'
+ COLOR_BLACK='\033[0;30m'
+ COLOR_RED='\033[0;31m'
+ COLOR_GREEN='\033[0;32m'
+ COLOR_BROWN='\033[0;33m'
+ COLOR_BLUE='\033[0;34m'
+ COLOR_MAGENTA='\033[0;35m'
+ COLOR_CYAN='\033[0;36m'
+ COLOR_LIGHT_GRAY='\033[0;37m'
+ COLOR_DARK_GRAY='\033[1;30m'
+ COLOR_LIGHT_RED='\033[1;31m'
+ COLOR_LIGHT_GREEN='\033[1;32m'
+ COLOR_YELLOW='\033[1;33m'
+ COLOR_LIGHT_BLUE='\033[1;34m'
+ COLOR_LIGHT_MAGENTA='\033[1;35m'
+ COLOR_LIGHT_CYAN='\033[1;36m'
+ COLOR_WHITE='\033[1;37m'
+ COLOR_BG_BLACK='\033[40m'
+ COLOR_BG_RED='\033[41m'
+ COLOR_BG_GREEN='\033[42m'
+ COLOR_BG_BROWN='\033[43m'
+ COLOR_BG_BLUE='\033[44m'
+ COLOR_BG_MAGENTA='\033[45m'
+ COLOR_BG_CYAN='\033[46m'
+ COLOR_BG_LIGHT_GRAY='\033[47m'
+ bastille_conf_check
+ [ ! -r /usr/local/etc/bastille/bastille.conf ]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ : ext_if
+ : jails
+ bastille_perms_check
+ [ -d /usr/local/bastille ]
+ stat -f %Op /usr/local/bastille
+ BASTILLE_PREFIX_PERMS=40750
+ [ 40750 '!=' 40750 ]
+ BASTILLE_VERSION=0.12.20241124
+ [ 9 -lt 1 ]
+ CMD=rdr
+ shift
+ SCRIPTPATH=/usr/local/share/bastille/rdr.sh
+ [ -f /usr/local/share/bastille/rdr.sh ]
+ : 022
+ umask 022
+ : sh
+ [ -n '' ]
+ exec sh /usr/local/share/bastille/rdr.sh -t ipv4 -d 1.2.3.4 1-proxy tcp 443 443
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ enable_color
+ . /usr/local/share/bastille/colors.pre.sh
  [COLOR_* assignments repeated, identical to the first block above]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf
+ awk '-F"' '{print $2}'
+ RDR_IF=ix0
+ RDR_SRC=any
+ RDR_DST=any
+ RDR_INET=dual
+ OPTION_IF=0
+ OPTION_SRC=0
+ OPTION_DST=0
+ OPTION_INET_TYPE=0
+ [ 8 -gt 0 ]
+ [ ipv4 '!=' ipv4 ]
+ OPTION_INET_TYPE=1
+ RDR_INET=ipv4
+ shift 2
+ [ 6 -gt 0 ]
+ ifconfig
+ grep -owq 'inet 1.2.3.4'
+ OPTION_DST=1
+ RDR_DST=1.2.3.4
+ shift 2
+ [ 4 -gt 0 ]
+ break
+ [ 4 -lt 2 ]
+ TARGET=1-proxy
+ JAIL_IP=''
+ JAIL_IP6=''
+ shift
+ bastille_root_check
+ id -u
+ [ 0 -ne 0 ]
+ set_target_single 1-proxy
+ local '_TARGET=1-proxy'
+ [ 1-proxy '=' ALL ]
+ [ 1-proxy '=' all ]
+ check_target_exists 1-proxy
+ local '_TARGET=1-proxy'
+ [ ! -d /usr/local/bastille/jails/1-proxy ]
+ return 0
+ JAILS=1-proxy
+ TARGET=1-proxy
+ export JAILS
+ export TARGET
+ [ 3 -gt 0 ]
+ [ 3 -lt 3 ]
+ [ 0 -eq 1 ]
+ [ 1 -eq 1 ]
+ [ 1 -ne 1 ]
+ [ 3 -eq 3 ]
+ check_jail_validity
+ bastille config 1-proxy get vnet
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ bastille_conf_check
+ [ ! -r /usr/local/etc/bastille/bastille.conf ]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ : ext_if
+ : jails
+ bastille_perms_check
+ [ -d /usr/local/bastille ]
+ stat -f %Op /usr/local/bastille
+ BASTILLE_PREFIX_PERMS=40750
+ [ 40750 '!=' 40750 ]
+ BASTILLE_VERSION=0.12.20241124
+ [ 4 -lt 1 ]
+ CMD=config
+ shift
+ [ 3 -eq 0 ]
+ [ 1-proxy '!=' help ]
+ [ 1-proxy '!=' -h ]
+ [ 1-proxy '!=' --help ]
+ TARGET=1-proxy
+ shift
+ [ config '=' rcp ]
+ [ config '=' cp ]
+ [ 1-proxy '=' ALL ]
+ [ config '=' pkg ]
+ [ 1-proxy '=' --host ]
+ [ config '=' template ]
+ JAILS=1-proxy
+ [ ! -d /usr/local/bastille/jails/1-proxy ]
+ export USE_HOST_PKG
+ export TARGET
+ export JAILS
+ SCRIPTPATH=/usr/local/share/bastille/config.sh
+ [ -f /usr/local/share/bastille/config.sh ]
+ : 022
+ umask 022
+ : sh
+ [ -n '' ]
+ exec sh /usr/local/share/bastille/config.sh get vnet
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ [ 2 -eq 1 ]
+ [ 2 -gt 3 ]
+ bastille_root_check
+ id -u
+ [ 0 -ne 0 ]
+ ACTION=get
+ shift
+ [ 1 -ne 1 ]
+ PROPERTY=vnet
+ shift
+ VALUE=''
+ FILE=/usr/local/bastille/jails/1-proxy/jail.conf
+ [ ! -f /usr/local/bastille/jails/1-proxy/jail.conf ]
+ [ get '=' get ]
+ print_jail_conf /usr/local/bastille/jails/1-proxy/jail.conf
+ jail -f /usr/local/bastille/jails/1-proxy/jail.conf -e '
'
+ awk '-F=' -v 'property=vnet' '
                $1 == property {
                    # note that we have found the property
                    found = 1;
                    # check if there is a value for this property
                    if (NF == 2) {
                        # remove any quotes surrounding the string
                        sub(/^"/, "", $2);
                        sub(/"$/, "", $2);
                        print $2;
                    } else {
                        # no value, just the property name
                        print "enabled";
                    }
                    exit 0;
                }
                END {
                    # if we have not found anything we need to print a special
                    # string
                    if (! found) {
                        print("not set");
                        #  let the caller know that this is a warn condition
                        exit(120);
                    }
                }'
+ _output='not set'
+ [ 120 -eq 120 ]
+ warn 'not set'
+ echo -e 'not set'
+ [ get '=' set ]
+ exit 0
+ [ 'not set' '!=' enabled ]
+ bastille config 1-proxy get ip4.addr
+ sed 's/,/ /g'
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ bastille_conf_check
+ [ ! -r /usr/local/etc/bastille/bastille.conf ]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ : ext_if
+ : jails
+ bastille_perms_check
+ [ -d /usr/local/bastille ]
+ stat -f %Op /usr/local/bastille
+ BASTILLE_PREFIX_PERMS=40750
+ [ 40750 '!=' 40750 ]
+ BASTILLE_VERSION=0.12.20241124
+ [ 4 -lt 1 ]
+ CMD=config
+ shift
+ [ 3 -eq 0 ]
+ [ 1-proxy '!=' help ]
+ [ 1-proxy '!=' -h ]
+ [ 1-proxy '!=' --help ]
+ TARGET=1-proxy
+ shift
+ [ config '=' rcp ]
+ [ config '=' cp ]
+ [ 1-proxy '=' ALL ]
+ [ config '=' pkg ]
+ [ 1-proxy '=' --host ]
+ [ config '=' template ]
+ JAILS=1-proxy
+ [ ! -d /usr/local/bastille/jails/1-proxy ]
+ export USE_HOST_PKG
+ export TARGET
+ export JAILS
+ SCRIPTPATH=/usr/local/share/bastille/config.sh
+ [ -f /usr/local/share/bastille/config.sh ]
+ : 022
+ umask 022
+ : sh
+ [ -n '' ]
+ exec sh /usr/local/share/bastille/config.sh get ip4.addr
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ . /usr/local/etc/bastille/bastille.conf
  [bastille.conf variable assignments repeated, identical to the first block above]
+ [ 2 -eq 1 ]
+ [ 2 -gt 3 ]
+ bastille_root_check
+ id -u
+ [ 0 -ne 0 ]
+ ACTION=get
+ shift
+ [ 1 -ne 1 ]
+ PROPERTY=ip4.addr
+ shift
+ VALUE=''
+ FILE=/usr/local/bastille/jails/1-proxy/jail.conf
+ [ ! -f /usr/local/bastille/jails/1-proxy/jail.conf ]
+ [ get '=' get ]
+ print_jail_conf /usr/local/bastille/jails/1-proxy/jail.conf
+ jail -f /usr/local/bastille/jails/1-proxy/jail.conf -e '
'
+ awk '-F=' -v 'property=ip4.addr' '
                $1 == property {
                    # note that we have found the property
                    found = 1;
                    # check if there is a value for this property
                    if (NF == 2) {
                        # remove any quotes surrounding the string
                        sub(/^"/, "", $2);
                        sub(/"$/, "", $2);
                        print $2;
                    } else {
                        # no value, just the property name
                        print "enabled";
                    }
                    exit 0;
                }
                END {
                    # if we have not found anything we need to print a special
                    # string
                    if (! found) {
                        print("not set");
                        #  let the caller know that this is a warn condition
                        exit(120);
                    }
                }'
+ _output=10.111.1.1
+ [ 0 -eq 120 ]
+ echo 10.111.1.1
+ [ get '=' set ]
+ exit 0
+ _ip4_interfaces=10.111.1.1
+ bastille config 1-proxy get ip6.addr
+ sed 's/,/ /g'
+ . /usr/local/etc/bastille/bastille.conf
+ bastille_prefix=/usr/local/bastille
+ bastille_backupsdir=/usr/local/bastille/backups
+ bastille_cachedir=/usr/local/bastille/cache
+ bastille_jailsdir=/usr/local/bastille/jails
+ bastille_releasesdir=/usr/local/bastille/releases
+ bastille_templatesdir=/usr/local/bastille/templates
+ bastille_logsdir=/var/log/bastille
+ bastille_pf_conf=/etc/pf.conf
+ bastille_sharedir=/usr/local/share/bastille
+ bastille_bootstrap_archives=base
+ bastille_tzdata=''
+ bastille_resolv_conf=/etc/resolv.conf
+ bastille_url_freebsd=http://ftp.freebsd.org/pub/FreeBSD/releases/
+ bastille_url_hardenedbsd=https://installers.hardenedbsd.org/pub/
+ bastille_url_midnightbsd=https://www.midnightbsd.org/ftp/MidnightBSD/releases/
+ bastille_zfs_enable=YES
+ bastille_zfs_zpool=zroot
+ bastille_zfs_prefix=bastille
+ bastille_zfs_options='-o compress=lz4 -o atime=off'
+ bastille_compress_xz_options='-0 -v'
+ bastille_decompress_xz_options='-c -d -v'
+ bastille_compress_gz_options='-1 -v'
+ bastille_decompress_gz_options='-k -d -c -v'
+ bastille_export_options=''
+ bastille_network_loopback=bastille0
+ bastille_network_pf_ext_if=ext_if
+ bastille_network_pf_table=jails
+ bastille_network_shared=''
+ bastille_network_gateway=1.2.3.4
+ bastille_network_gateway6=''
+ bastille_template_base=default/base
+ bastille_template_empty=''
+ bastille_template_thick=default/thick
+ bastille_template_clone=default/clone
+ bastille_template_thin=default/thin
+ bastille_template_vnet=default/vnet
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ bastille_conf_check
+ [ ! -r /usr/local/etc/bastille/bastille.conf ]
+ . /usr/local/etc/bastille/bastille.conf
+ bastille_prefix=/usr/local/bastille
+ bastille_backupsdir=/usr/local/bastille/backups
+ bastille_cachedir=/usr/local/bastille/cache
+ bastille_jailsdir=/usr/local/bastille/jails
+ bastille_releasesdir=/usr/local/bastille/releases
+ bastille_templatesdir=/usr/local/bastille/templates
+ bastille_logsdir=/var/log/bastille
+ bastille_pf_conf=/etc/pf.conf
+ bastille_sharedir=/usr/local/share/bastille
+ bastille_bootstrap_archives=base
+ bastille_tzdata=''
+ bastille_resolv_conf=/etc/resolv.conf
+ bastille_url_freebsd=http://ftp.freebsd.org/pub/FreeBSD/releases/
+ bastille_url_hardenedbsd=https://installers.hardenedbsd.org/pub/
+ bastille_url_midnightbsd=https://www.midnightbsd.org/ftp/MidnightBSD/releases/
+ bastille_zfs_enable=YES
+ bastille_zfs_zpool=zroot
+ bastille_zfs_prefix=bastille
+ bastille_zfs_options='-o compress=lz4 -o atime=off'
+ bastille_compress_xz_options='-0 -v'
+ bastille_decompress_xz_options='-c -d -v'
+ bastille_compress_gz_options='-1 -v'
+ bastille_decompress_gz_options='-k -d -c -v'
+ bastille_export_options=''
+ bastille_network_loopback=bastille0
+ bastille_network_pf_ext_if=ext_if
+ bastille_network_pf_table=jails
+ bastille_network_shared=''
+ bastille_network_gateway=1.2.3.4
+ bastille_network_gateway6=''
+ bastille_template_base=default/base
+ bastille_template_empty=''
+ bastille_template_thick=default/thick
+ bastille_template_clone=default/clone
+ bastille_template_thin=default/thin
+ bastille_template_vnet=default/vnet
+ : ext_if
+ : jails
+ bastille_perms_check
+ [ -d /usr/local/bastille ]
+ stat -f %Op /usr/local/bastille
+ BASTILLE_PREFIX_PERMS=40750
+ [ 40750 '!=' 40750 ]
+ BASTILLE_VERSION=0.12.20241124
+ [ 4 -lt 1 ]
+ CMD=config
+ shift
+ [ 3 -eq 0 ]
+ [ 1-proxy '!=' help ]
+ [ 1-proxy '!=' -h ]
+ [ 1-proxy '!=' --help ]
+ TARGET=1-proxy
+ shift
+ [ config '=' rcp ]
+ [ config '=' cp ]
+ [ 1-proxy '=' ALL ]
+ [ config '=' pkg ]
+ [ 1-proxy '=' --host ]
+ [ config '=' template ]
+ JAILS=1-proxy
+ [ ! -d /usr/local/bastille/jails/1-proxy ]
+ export USE_HOST_PKG
+ export TARGET
+ export JAILS
+ SCRIPTPATH=/usr/local/share/bastille/config.sh
+ [ -f /usr/local/share/bastille/config.sh ]
+ : 022
+ umask 022
+ : sh
+ [ -n '' ]
+ exec sh /usr/local/share/bastille/config.sh get ip6.addr
+ . /usr/local/etc/bastille/bastille.conf
+ bastille_prefix=/usr/local/bastille
+ bastille_backupsdir=/usr/local/bastille/backups
+ bastille_cachedir=/usr/local/bastille/cache
+ bastille_jailsdir=/usr/local/bastille/jails
+ bastille_releasesdir=/usr/local/bastille/releases
+ bastille_templatesdir=/usr/local/bastille/templates
+ bastille_logsdir=/var/log/bastille
+ bastille_pf_conf=/etc/pf.conf
+ bastille_sharedir=/usr/local/share/bastille
+ bastille_bootstrap_archives=base
+ bastille_tzdata=''
+ bastille_resolv_conf=/etc/resolv.conf
+ bastille_url_freebsd=http://ftp.freebsd.org/pub/FreeBSD/releases/
+ bastille_url_hardenedbsd=https://installers.hardenedbsd.org/pub/
+ bastille_url_midnightbsd=https://www.midnightbsd.org/ftp/MidnightBSD/releases/
+ bastille_zfs_enable=YES
+ bastille_zfs_zpool=zroot
+ bastille_zfs_prefix=bastille
+ bastille_zfs_options='-o compress=lz4 -o atime=off'
+ bastille_compress_xz_options='-0 -v'
+ bastille_decompress_xz_options='-c -d -v'
+ bastille_compress_gz_options='-1 -v'
+ bastille_decompress_gz_options='-k -d -c -v'
+ bastille_export_options=''
+ bastille_network_loopback=bastille0
+ bastille_network_pf_ext_if=ext_if
+ bastille_network_pf_table=jails
+ bastille_network_shared=''
+ bastille_network_gateway=1.2.3.4
+ bastille_network_gateway6=''
+ bastille_template_base=default/base
+ bastille_template_empty=''
+ bastille_template_thick=default/thick
+ bastille_template_clone=default/clone
+ bastille_template_thin=default/thin
+ bastille_template_vnet=default/vnet
+ COLOR_RED=''
+ COLOR_GREEN=''
+ COLOR_YELLOW=''
+ COLOR_RESET=''
+ [ -z '' ]
+ [ -t 1 ]
+ . /usr/local/etc/bastille/bastille.conf
+ bastille_prefix=/usr/local/bastille
+ bastille_backupsdir=/usr/local/bastille/backups
+ bastille_cachedir=/usr/local/bastille/cache
+ bastille_jailsdir=/usr/local/bastille/jails
+ bastille_releasesdir=/usr/local/bastille/releases
+ bastille_templatesdir=/usr/local/bastille/templates
+ bastille_logsdir=/var/log/bastille
+ bastille_pf_conf=/etc/pf.conf
+ bastille_sharedir=/usr/local/share/bastille
+ bastille_bootstrap_archives=base
+ bastille_tzdata=''
+ bastille_resolv_conf=/etc/resolv.conf
+ bastille_url_freebsd=http://ftp.freebsd.org/pub/FreeBSD/releases/
+ bastille_url_hardenedbsd=https://installers.hardenedbsd.org/pub/
+ bastille_url_midnightbsd=https://www.midnightbsd.org/ftp/MidnightBSD/releases/
+ bastille_zfs_enable=YES
+ bastille_zfs_zpool=zroot
+ bastille_zfs_prefix=bastille
+ bastille_zfs_options='-o compress=lz4 -o atime=off'
+ bastille_compress_xz_options='-0 -v'
+ bastille_decompress_xz_options='-c -d -v'
+ bastille_compress_gz_options='-1 -v'
+ bastille_decompress_gz_options='-k -d -c -v'
+ bastille_export_options=''
+ bastille_network_loopback=bastille0
+ bastille_network_pf_ext_if=ext_if
+ bastille_network_pf_table=jails
+ bastille_network_shared=''
+ bastille_network_gateway=1.2.3.4
+ bastille_network_gateway6=''
+ bastille_template_base=default/base
+ bastille_template_empty=''
+ bastille_template_thick=default/thick
+ bastille_template_clone=default/clone
+ bastille_template_thin=default/thin
+ bastille_template_vnet=default/vnet
+ [ 2 -eq 1 ]
+ [ 2 -gt 3 ]
+ bastille_root_check
+ id -u
+ [ 0 -ne 0 ]
+ ACTION=get
+ shift
+ [ 1 -ne 1 ]
+ PROPERTY=ip6.addr
+ shift
+ VALUE=''
+ FILE=/usr/local/bastille/jails/1-proxy/jail.conf
+ [ ! -f /usr/local/bastille/jails/1-proxy/jail.conf ]
+ [ get '=' get ]
+ print_jail_conf /usr/local/bastille/jails/1-proxy/jail.conf
+ jail -f /usr/local/bastille/jails/1-proxy/jail.conf -e '
'
+ awk '-F=' -v 'property=ip6.addr' '
                $1 == property {
                    # note that we have found the property
                    found = 1;
                    # check if there is a value for this property
                    if (NF == 2) {
                        # remove any quotes surrounding the string
                        sub(/^"/, "", $2);
                        sub(/"$/, "", $2);
                        print $2;
                    } else {
                        # no value, just the property name
                        print "enabled";
                    }
                    exit 0;
                }
                END {
                    # if we have not found anything we need to print a special
                    # string
                    if (! found) {
                        print("not set");
                        #  let the caller know that this is a warn condition
                        exit(120);
                    }
                }'
+ _output='not set'
+ [ 120 -eq 120 ]
+ warn 'not set'
+ echo -e 'not set'
+ [ get '=' set ]
+ exit 0
+ _ip6_interfaces='not set'
+ [ 10.111.1.1 '!=' 'not set' ]
+ [ 10.111.1.1 '!=' disable ]
+ echo 10.111.1.1
+ awk '{print $1}'
+ awk '-F|' '{print $2}'
+ JAIL_IP=''
+ [ 'not set' '!=' 'not set' ]
+ pfctl -sn
+ grep rdr-anchor
+ grep 'rdr/\*'
+ validate_rdr_rule ix0 any 1.2.3.4 tcp 443 443
+ local 'if=ix0'
+ local 'src=any'
+ local 'dst=1.2.3.4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ grep -qs 'ix0 any 1.2.3.4 tcp 443 443' /usr/local/bastille/jails/1-proxy/rdr.conf
+ persist_rdr_rule ipv4 ix0 any 1.2.3.4 tcp 443 443
+ local 'inet=ipv4'
+ local 'if=ix0'
+ local 'src=any'
+ local 'dst=1.2.3.4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ grep -qs 'ipv4 ix0 any 1.2.3.4 tcp 443 443' /usr/local/bastille/jails/1-proxy/rdr.conf
+ echo 'ipv4 ix0 any 1.2.3.4 tcp 443 443'
+ load_rdr_rule ipv4 ix0 any 1.2.3.4 tcp 443 443
+ local 'inet=ipv4'
+ local 'if_name=ix0'
+ local 'if=ext_if="ix0"'
+ local 'src=any'
+ local 'dst=1.2.3.4'
+ local 'proto=tcp'
+ local 'host_port=443'
+ local 'jail_port=443'
+ [ ipv4 '=' ipv4 ]
+ pfctl -a rdr/1-proxy -Psn
+ pfctl -a rdr/1-proxy -f-
+ printf '%s\nrdr pass on $%s inet proto %s from %s to %s port %s -> %s port %s\n' 'ext_if="ix0"' ext_if tcp any 1.2.3.4 443 '' 443
stdin:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
+ error_exit 'Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"'
+ error_notify 'Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"'
+ echo -e '\033[0;31mFailed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"\033[0;0m'
Failed to create IPv4 rdr rule "ix0 any 1.2.3.4 tcp 443 443"
+ exit 1

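The trace above ends with pfctl rejecting a rule whose jail address came out empty (`-> port 443`), because a plain `10.111.1.1` piped through `awk -F'|' '{print $2}'` yields nothing. As an added example, not Bastille's own code and not the fix applied in this thread, here is a POSIX sh parser for `ip4.addr` values that only emits a destination-scoped rdr rule when a valid jail address was found; the function names and argument order are my own assumptions.

```shell
#!/bin/sh
# Added example, not Bastille's own code. Mirrors the failure in the trace
# above: a plain "10.111.1.1" ip4.addr value piped through
# awk -F'|' '{print $2}' yields an empty JAIL_IP, and pfctl then rejects the
# rule "... -> port 443". Here the address is parsed defensively and the rule
# is only emitted when a usable jail address was found.

# Print the bare IPv4 address from the first entry of an ip4.addr value.
# Accepts "10.111.1.1", "10.111.1.1/24", "bastille0|10.111.1.1/24" and
# comma-separated lists of those; prints nothing and returns 1 otherwise.
jail_ip_from_ip4addr() {
    _first=${1%%,*}          # first entry of a comma-separated list
    _addr=${_first#*|}       # drop an "iface|" prefix if present
    _addr=${_addr%%/*}       # drop a "/prefix" length if present
    case "$_addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _rest=$_addr
    _n=0
    while [ -n "$_rest" ]; do     # walk the dotted quad octet by octet
        _o=${_rest%%.*}
        case "$_rest" in *.*) _rest=${_rest#*.} ;; *) _rest='' ;; esac
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ] || return 1
    printf '%s\n' "$_addr"
}

# Build one destination-scoped rdr rule (the "to <host address>" form this
# thread asks for instead of "to any"). Arguments: ext_if, host address,
# proto, host port, jail port, raw ip4.addr value. Returns 1 and prints
# nothing if the jail address is unusable, so pfctl never sees "-> port".
build_rdr_rule() {
    _jail_ip=$(jail_ip_from_ip4addr "$6") || return 1
    printf 'rdr pass on %s inet proto %s from any to %s port %s -> %s port %s\n' \
        "$1" "$3" "$2" "$4" "$_jail_ip" "$5"
}

# Constructed sample values, modelled on the trace above (ix0, 1.2.3.4, tcp/443).
build_rdr_rule ix0 1.2.3.4 tcp 443 443 '10.111.1.1'
build_rdr_rule ix0 1.2.3.4 tcp 443 443 'bastille0|10.111.1.1/24,bastille0|10.111.1.2/24'
build_rdr_rule ix0 1.2.3.4 tcp 443 443 'not set' || echo 'refused: no usable jail address'
```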
@tschettervictor
Collaborator

Ok I know what it is. Give me one sec...

@tschettervictor
Collaborator

Try now.

@sveeke
Author

sveeke commented Jan 12, 2025

I had to eat so my response was a bit delayed, but seems that whatever you did worked!

# bastille rdr 1-proxy list
rdr pass on ix0 inet proto tcp from any to 1.2.3.4 port = 443 -> 10.111.1.1 port 443

And it seems to work since the proxy inside the jail is reachable from outside as well.

One nitpick may be that when Bastille reports back about the rdr rule, it still reports the more general rule as if there isn't a more limited scope:

 bastille restart 1-proxy
1-proxy redirects:
nat cleared
1-proxy: created
IPv4 tcp/443:443 on ix0

Instead of something like IPv4 tcp/443:443 to 1.2.3.4 on ix0. But as I said, this is a minor thing.

Thanks a lot for your work on this, it literally makes Bastille usable on servers with multiple IP addresses without having to hack the scripts all the time ;). And also kudos for your quick replies and fixing of the remaining bugs. I would have been helped with the -d option, but the -i, -t and -s options are also great features to have in any container management tool :).

@tschettervictor
Collaborator

There are a lot of issues that were raised about TO, FROM, etc. concerning RDR, so that's why those other switches are also included.

As for the other message, I'll see about changing it. I kind of just left it generic and to only show if the rule successfully loads.

Thanks for testing...
