scip/bsdnix
1
0
Fork 0
Code Issues Pull Requests Activity

finally got the ipv6 jail stuff working, yeah

Browse Source
This commit is contained in:
Thomas von Dein 2024-11-20 18:15:48 +01:00
parent 2617b3860b
commit dd2714d315
8 changed files with 143 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
README.md
View File

@ -25,6 +25,37 @@ The `create.yaml` playbook will create a new vps if it doesn't exist
yet and the `deploy.yaml` playbook will then use the hetzner cloud
dynamic inventory to discover your vps.
### Hetzner cloud vps ipv6 only setup for jail+bridge operation
Here's how: the major problem is, that Hetzner sends all traffic to
the mac of the primary interface. By default the bridge has another
one, thus it doesn't work. Also, I had ipv6 forwarding turned off,
which is required for this to work.
Here's my setup:
host rc.conf:
```default
ifconfig_vtnet0="DHCP"
cloned_interfaces="bridge0"
create_args_bridge0="inet6 auto_linklocal -ifdisabled addm vtnet0"
ifconfig_vtnet0="up -tso -vlanhwtso DHCP"
ifconfig_bridge0="DHCP"
ifconfig_bridge0_ipv6="inet6 2a01:4f8:c013:6513::1 prefixlen 64"
ipv6_defaultrouter="fe80::1%bridge0"
```
host sysctl.conf
```default
net.link.bridge.inherit_mac=1
net.inet6.ip6.forwarding=1
```
host /boot/loader.conf:
```default
if_bridge_load=YES
```
### Setup ansible
- Create `group_vars/all/vars.yaml` with this content:

2
TODO.md
View File

@ -32,3 +32,5 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
## Add users with authorized_keys files
## Add quota config and enable/configure rctl
## Fix jail DNS, doesn't work yet (pf missing?)

2
deploy.yaml
View File

@ -6,7 +6,7 @@
user: root
roles:
- role: server
- role: network
#- role: network
- role: firewall
- role: ssh
- role: jails

6
group_vars/all/all.yaml
View File

@ -13,7 +13,7 @@ packages:
release: 14.1-RELEASE
# snapshot to install in new vps
snapshot: FreeBSD-14.1-RELEASE-hcloud-init
snapshot: FreeBSD-14.1-RELEASE-p5-1-hcloud-init
location: fsn1
@ -39,11 +39,15 @@ storage:
name: /crontabs
netif:
primary: bridge0
kernel:
sysctls:
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 0
security.bsd.see_jail_proc: 0
net.inet6.ip6.forwarding: 1
sysctlsoff:
security.bsd.unprivileged_read_msgbuf: 0
security.bsd.unprivileged_proc_debug: 0

28
roles/firewall/templates/pf.conf.j2
View File

@ -1,9 +1,23 @@
#
# Look at past logs tcpdump -n -e -ttt -r /var/log/pflog
# Look at live logs (aka tail -f): tcpdump -n -e -ttt -i pflog0
#
# Look at entries in table <bad_hosts> (SSH Limit Block):
# pfctl -t bad_hosts -T show
# Delete an ip from table:
# pfctl -t bad_hosts -T delete $ip
ext_if="{{ ansible_default_ipv6.interface }}"
### Default block policy is to return a reset packet
set block-policy return
set block-policy drop
# fairness my ass
set optimization aggressive
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Ignore loopback interface
set skip on lo
@ -11,14 +25,22 @@ set skip on lo
table <jails> persist
### Block on incoming traffic
block in all
block in log all
### Allow outgoing, skip others rules if match, and track connections
pass out quick keep state
pass out inet6 keep state
### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
### And block incoming traffic from $ext_if IP on $ext_if interface
antispoof for $ext_if inet6
### Allow SSH
pass in inet6 proto tcp from any to any port ssh flags S/SA keep state
table <bad_hosts> persist
pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
flags S/SAFR keep state \
(max-src-conn-rate 10/60, \
overload <bad_hosts> flush global) label ServicesTCP
# ipv6 icmp
pass in quick inet6 proto icmp6 all keep state

10
roles/jails/tasks/main.yaml
View File

@ -37,5 +37,15 @@
regexp: '^(.*)quarterly(.*)$'
replace: '\1latest\2'
- name: determine ipv6 address
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
register: primaryip
- name: setup bastille.conf
template:
src: bastille.conf.j2
dest: /usr/local/etc/bastille/bastille.conf
# - name: update bootstrap
# shell: "bastille update {{ release }}"

68
roles/jails/templates/bastille.conf.j2 Normal file
View File

@ -0,0 +1,68 @@
#####################
## [ BastilleBSD ] ##
#####################
## default paths
bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails" ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases" ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille"
## pf configuration path
bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf"
## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille"
## bootstrap archives, which components of the OS to install.
## base - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src - The source code to the kernel + userland
## test - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base"
## default timezone
bastille_tzdata="" ## default: empty to use host's time zone
## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf"
## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
## ZFS options
bastille_zfs_enable="YES" ## default: ""
bastille_zfs_zpool="zroot" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
## Export/Import options
bastille_compress_xz_options="-0 -v" ## default "-0 -v"
bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
bastille_compress_gz_options="-1 -v" ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v"
bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
## Networking
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway6="{{ primaryip.stdout }}" ## default: ""
## Default Templates
bastille_template_base="default/base" ## default: "default/base"
bastille_template_empty="" ## default: "default/empty"
bastille_template_thick="default/thick" ## default: "default/thick"
bastille_template_clone="default/clone" ## default: "default/clone"
bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet"

2
roles/pubnix/tasks/main.yaml
View File

@ -29,7 +29,7 @@
mountpoint: /data/home
- name: determine ipv6 address
shell: ifconfig vtnet0 inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
register: jailip
- name: create jail