Comments (3)

urosgruber avatar urosgruber commented on July 28, 2024

I'm using prestart/poststart hooks with combination of anchors to add and remove this per jail basis.

from libioc.

igalic avatar igalic commented on July 28, 2024

Would you mind sharing how, exactly?


urosgruber avatar urosgruber commented on July 28, 2024

So, first of all, some related pf.conf configuration. I'm using a separate lo1 interface to handle all the traffic.

table <jails> persist counters
anchor "jail/*"             # per-jail filter rules loaded by the hooks below
nat-anchor "jail-nat/*"
rdr-anchor "jail-rdr/*"
pass quick log on lo0 from <jails> to $jail_out  # allow connection from jail to external IP
pass quick on lo1 from <jails> to 172.16.0.1     # DNS for jails

Some lines might be missing, but I hope you get the idea of how to handle this dynamically.

Poststart hook

  • add current IP to jails table
  • create rule on the anchor (jail interconnection, this example only allows the jail to connect to itself)
  • create nat on the anchor (I allow only http and https)

#!/usr/bin/env sh

# -e  If non interactive then exit immediately if a command fails.
# -u  Treat unset variables as an error when substituting.
# -v  Print shell input lines as they are read.
# -x  Print commands and their arguments as they are executed.

set -e

# jail name and jid exported by libioc
_name=$IOC_ID
_jid=$IOC_JID

# IOC_IP4_ADDR looks like "lo1|10.0.0.2/24": the interface sits before the
# pipe, the address after it; keep only the first dotted quad
_ip=$(echo "$IOC_IP4_ADDR" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -n 1)
_if=$(echo "$IOC_IP4_ADDR" | cut -d"|" -f1)
_eif="igb0"   # external interface used for NAT

# FW
printf "  + Allow outbound access    "
# add the jail address to the <jails> table referenced in pf.conf
pfctl -t jails -T add "$_ip" 2>/dev/null
# filter rules for this jail live in their own anchor (here: talk only to itself)
printf 'pass on %s from %s to %s\n' "$_if" "$_ip" "$_ip" | pfctl -a "jail/$_name" -f -
# outbound NAT for this jail, restricted to http/https
printf 'nat on %s inet proto tcp from %s to ! %s port { http, https } -> (%s:0)\n' \
    "$_eif" "$_ip" "$_ip" "$_eif" | pfctl -a "jail-nat/$_name" -f -

Prestop hook

  • remove IP from jails table
  • remove rules from the anchor
  • remove nat from the anchor

#!/usr/bin/env sh

# -e  If non interactive then exit immediately if a command fails.
# -u  Treat unset variables as an error when substituting.
# -v  Print shell input lines as they are read.
# -x  Print commands and their arguments as they are executed.

set -e

# jail name and jid exported by libioc
_name=$IOC_ID
_jid=$IOC_JID

# same parsing as the poststart hook: interface before the pipe, first
# dotted quad after it
_ip=$(echo "$IOC_IP4_ADDR" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -n 1)
_if=$(echo "$IOC_IP4_ADDR" | cut -d"|" -f1)

# FW
# drop the address from the table, then flush this jail's filter and nat anchors
pfctl -t jails -T delete "$_ip" 2>/dev/null
pfctl -a "jail/$_name" -F rules 2>/dev/null
pfctl -a "jail-nat/$_name" -F nat 2>/dev/null

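The pf.conf fragment and the two hooks above describe one procedure: on start, put the jail's address into the <jails> table and load its filter and NAT rules into per-jail anchors; on stop, undo exactly that. The script below is an added example written for this thread, not libioc's code and not the commenter's hooks. It generalises the procedure to several addresses in IOC_IP4_ADDR (assumed here to be comma-separated "iface|addr/prefix" entries), validates each address strictly before handing it to pfctl (the grep pattern in the hooks accepts 999.1.1.1 and passes it through), and keeps the pfctl binary and the external interface overridable through the hypothetical PFCTL and JAIL_EXT_IF variables so the generated rule text can be inspected without touching a live firewall. It assumes pf.conf declares table <jails>, anchor "jail/*" and nat-anchor "jail-nat/*".

```shell
#!/bin/sh
# Added example, not libioc's own code: per-jail pf table/anchor management
# driven by libioc's IOC_* hook environment, generalised to several addresses.
# Assumptions: IOC_IP4_ADDR looks like "lo1|10.0.0.5/24", extra entries are
# comma-separated; pf.conf declares table <jails>, anchor "jail/*" and
# nat-anchor "jail-nat/*"; PFCTL and JAIL_EXT_IF are hypothetical knobs.
set -eu

PFCTL=${PFCTL:-pfctl}
JAIL_EXT_IF=${JAIL_EXT_IF:-igb0}

# is_ipv4 ADDR: strict dotted quad (four octets, each 0-255, no stray dots).
is_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# jail_addrs IOC_IP4_ADDR: print one "iface ip" line per configured address,
# failing loudly on a missing interface or a malformed address.
jail_addrs() {
    for _entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $_entry in
            *\|*) _iface=${_entry%%|*}; _cidr=${_entry#*|} ;;
            *) echo "jail_addrs: no interface in '$_entry'" >&2; return 1 ;;
        esac
        _ip=${_cidr%%/*}
        is_ipv4 "$_ip" || { echo "jail_addrs: bad address '$_entry'" >&2; return 1; }
        printf '%s %s\n' "$_iface" "$_ip"
    done
}

# filter_rules ADDRS: filter rules for anchor jail/<name>; same policy as the
# hook above, the jail may only talk to itself on its own interface.
filter_rules() {
    printf '%s\n' "$1" | while read -r _iface _ip; do
        printf 'pass on %s from %s to %s\n' "$_iface" "$_ip" "$_ip"
    done
}

# nat_rules ADDRS: outbound NAT for TCP http/https only, via the external interface.
nat_rules() {
    printf '%s\n' "$1" | while read -r _iface _ip; do
        printf 'nat on %s inet proto tcp from %s to ! %s port { http, https } -> (%s:0)\n' \
            "$JAIL_EXT_IF" "$_ip" "$_ip" "$JAIL_EXT_IF"
    done
}

# jail_fw_up NAME IOC_IP4_ADDR: the poststart side. Validation happens before
# the first pfctl call, so a bad address never leaves a half-applied state.
jail_fw_up() {
    _addrs=$(jail_addrs "$2") || return 1
    printf '%s\n' "$_addrs" | while read -r _iface _ip; do
        $PFCTL -t jails -T add "$_ip"
    done
    filter_rules "$_addrs" | $PFCTL -a "jail/$1" -f -
    nat_rules "$_addrs" | $PFCTL -a "jail-nat/$1" -f -
}

# jail_fw_down NAME IOC_IP4_ADDR: the matching prestop cleanup.
jail_fw_down() {
    _addrs=$(jail_addrs "$2") || return 1
    printf '%s\n' "$_addrs" | while read -r _iface _ip; do
        $PFCTL -t jails -T delete "$_ip"
    done
    $PFCTL -a "jail/$1" -F rules
    $PFCTL -a "jail-nat/$1" -F nat
}

# jail_fw_show NAME: dump what pf actually holds for this jail.
jail_fw_show() {
    $PFCTL -t jails -T show
    $PFCTL -a "jail/$1" -sr
    $PFCTL -a "jail-nat/$1" -sn
}

# Hook entry point: libioc exports IOC_ID and IOC_IP4_ADDR to the hook.
case ${1:-} in
    up)   jail_fw_up   "$IOC_ID" "$IOC_IP4_ADDR" ;;
    down) jail_fw_down "$IOC_ID" "$IOC_IP4_ADDR" ;;
    show) jail_fw_show "$IOC_ID" ;;
esac
```

Point a poststart hook at the script with `up`, a prestop hook at it with `down`, and run `show` by hand to confirm the table entry and both anchors are really loaded. Unlike the hooks above, this version does not silence pfctl with 2>/dev/null: with set -e a rule that pf rejects stops the hook at that point instead of leaving the jail running with no NAT and no visible error.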
