Bastille Networking in Depth
FreeBSD is known for its powerful networking. Bastille can leverage that power.
Bastille is an open-source system for automating the deployment and management of containerized applications on FreeBSD.
FreeBSD networking is known to be robust and reliable. This makes it a great platform for hosting containerized applications and offers a flexible set of options covering a range of network designs.
Bastille supports both IPv4 and IPv6 networks, including assigning multiple addresses to a container interface.
Bastille Networking Options
- Loopback (bastille0)
- LAN (host alias)
- VNET (virtual network)
Loopback (bastille0)
The “loopback” design creates a non-routable loopback interface on the host system and assigns each container an address on this interface.
Containers attached to this loopback interface are unable to access traffic destined for another container despite sharing an interface. In this design containers are restricted with allow.raw_sockets=0, disallowing packet sniffing and similar behavior. This restriction also disallows the use of ping inside the container.
This is the default network design and is easily adapted across networks and infrastructures (on-premise, data center, cloud, etc.). A host firewall is required in this design, which further secures the host and the containers.
A quick one-time setup is required in this design:
sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name=bastille0
service netif cloneup
Host firewall (pf.conf):
ext_if="vtnet0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
ext_if= in the example must be updated to match the name of the host external interface. This is usually the interface named after the host's NIC driver; the ruleset above uses vtnet0 and the examples below use re0.
Containers are then created with an address on bastille0:
bastille create nginx 12.2-RELEASE 10.17.89.10 bastille0
bastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 bastille0
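The host-side setup above, as an added example that is not part of Bastille or of this page: a POSIX shell script that renders the rc.conf lines and the pf ruleset for a given external interface, checks that a container address is private before it is admitted to the NAT table, and shows how one service is published through the rdr/* anchor with pfctl. The table add and the anchor load are plain pfctl usage, not Bastille commands; vtnet0, nginx and the addresses are placeholders taken from the examples above, and APPLY=1 is this script's own switch.

```shell
#!/bin/sh
# Added example, not Bastille's own code: render and sanity-check the host-side
# pieces of the loopback (bastille0) design before they touch the live system.
# Nothing is applied unless APPLY=1; by default the pfctl commands are printed.
# vtnet0, the container name and the addresses are placeholders.

# rc.conf entries that create the non-routable bastille0 loopback at boot.
loopback_rc_lines() {
    printf '%s\n' 'cloned_interfaces+=lo1' 'ifconfig_lo1_name=bastille0'
}

# Host ruleset for a given external interface, as a pf.conf body. The
# rdr-anchor line is what makes the per-container anchors loaded below live.
pf_ruleset() {
    cat <<EOF
ext_if="$1"

set block-policy return
scrub in on \$ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on \$ext_if from <jails> to any -> (\$ext_if)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for \$ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
}

# Containers on bastille0 are reached only through NAT and redirection, so
# their addresses should be private: RFC 1918 for IPv4, ULA (fc00::/7) for IPv6.
is_private_addr() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        [fF][cCdD]*:*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# One redirect for a container's anchor: traffic to host_port on ext_if is
# sent to jail_ip:jail_port. IPv4 only (inet).
rdr_rule() { # ext_if proto host_port jail_ip jail_port
    printf 'rdr pass on %s inet proto %s from any to any port %s -> %s port %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Admit a container to the <jails> NAT table and publish one service through
# its rdr/<name> anchor. Refuses non-private addresses; prints the commands
# instead of running them unless APPLY=1.
publish_container() { # ext_if name jail_ip proto host_port jail_port
    if ! is_private_addr "$3"; then
        printf 'refusing %s: %s is not a private address\n' "$2" "$3" >&2
        return 1
    fi
    rule=$(rdr_rule "$1" "$4" "$5" "$3" "$6")
    if [ "${APPLY:-0}" = 1 ]; then
        pfctl -t jails -T add "$3"
        printf '%s\n' "$rule" | pfctl -a "rdr/$2" -f -
    else
        printf 'pfctl -t jails -T add %s\n' "$3"
        printf "echo '%s' | pfctl -a rdr/%s -f -\n" "$rule" "$2"
    fi
}

# Dry run for the nginx container from the examples above.
loopback_rc_lines
pf_ruleset vtnet0
publish_container vtnet0 nginx 10.17.89.10 tcp 80 80
```

The private-address check is the point of the script: with block-policy return and nat from <jails>, a container given a public address would still be NATed out but would also be a candidate for the antispoof line and for routing surprises, so the script refuses it before anything is loaded. Run with APPLY=1 on the host only after reviewing the printed plan.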
LAN (host alias)
The "LAN" design uses the host's existing interface(s) and assigns container addresses as aliases on these interfaces. In FreeBSD, interfaces are named after the hardware/driver, so you'll find a range of interface names such as the re0 used below or the vtnet0 in the firewall example above.
Containers are created with an address on the host interface:
bastille create nginx 12.2-RELEASE 192.168.1.13 re0
bastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0
VNET (virtual network)
VNET support was added in the second half of the 0.6.x series (0.6.20200224).
VNET (virtual network) provides a virtual network interface to the container. In this design the container does not share an interface with any other containers. This is the only design that supports private interfaces and DHCP.
Connectivity is achieved by attaching this virtual interface to a bridge interface on the host by way of an epair. An epair interface comes in two parts, an epairXa and an epairXb. The epairXa interface is attached to the bridge interface and the epairXb interface is passed to the container and renamed vnet0.
In Bastille's VNET design each container is assigned a unique epair. These epair interfaces are named e0[ab]_vnetX. One side of the epair, e0a_vnetX, is added to the bridge, while e0b_vnetX is present only within the container and is renamed by Bastille to vnet0.
Creating a VNET container requires the -V option as well as a network interface name. The network interface provided is added to the bridge interface alongside the container epairs and provides the physical link to the public network.
As of the 0.6.20200224 release, the default route for a VNET container is defined by copying the host's default route.
Bastille provides a shortcut for creating a DHCP-enabled container: simply provide the IP 0.0.0.0 and the container will be configured to use DHCP.
bastille create -V nginx 12.2-RELEASE 0.0.0.0 re0
bastille create -V nginx 12.2-RELEASE 192.168.1.13 re0
bastille create -V nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0
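The bridge/epair plumbing, the vnet0 rename and the DHCP shortcut described above, as an added example that is not Bastille's code: a POSIX shell script that renders the ifconfig commands, a jail.conf stanza and the in-jail rc.conf lines for one VNET container. bridge0, re0, the jail path and the epair index are placeholders; the exec.start rename to vnet0 and the exec.poststop cleanup are this example's way of doing what the page describes, not necessarily how Bastille implements it.

```shell
#!/bin/sh
# Added example, not Bastille's own code: the host-side plumbing and jail
# configuration that the VNET design describes, rendered as text so it can be
# reviewed before use. The epair naming (e0a_vnetX / e0b_vnetX, renamed to
# vnet0 inside the jail) follows the page; bridge0, the re0 uplink, the jail
# path and all addresses are placeholders.

# Run once: create the shared bridge and give it the physical uplink.
vnet_bridge_commands() { # bridge uplink
    cat <<EOF
ifconfig $1 create
ifconfig $1 addm $2
ifconfig $1 up
EOF
}

# Run per container: create and name its epair and bridge the a side. The b
# side is what the jail receives.
vnet_epair_commands() { # bridge index
    cat <<EOF
ifconfig epair$2 create
ifconfig epair${2}a name e0a_vnet$2
ifconfig epair${2}b name e0b_vnet$2
ifconfig $1 addm e0a_vnet$2
ifconfig e0a_vnet$2 up
EOF
}

# jail.conf(5) stanza for the container. vnet.interface moves e0b_vnetX into
# the jail; exec.start renames it to vnet0 before rc runs, so the jail's own
# rc.conf can refer to vnet0. exec.poststop destroys the pair when the jail
# stops (destroying one side of an epair removes both).
vnet_jail_conf() { # name index path
    cat <<EOF
$1 {
    path = "$3";
    host.hostname = "$1";
    mount.devfs;
    vnet;
    vnet.interface = "e0b_vnet$2";
    exec.start = "ifconfig e0b_vnet$2 name vnet0 && /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig e0a_vnet$2 destroy";
}
EOF
}

# rc.conf lines for inside the jail. 0.0.0.0 is the page's DHCP shortcut. A
# static address is written as given (include a prefix length such as /24
# unless the classful default is intended) and the supplied default router,
# normally the host's, is copied in as the page describes.
vnet_jail_rcconf() { # address [default_router]
    case $1 in
        0.0.0.0)
            printf 'ifconfig_vnet0="DHCP"\n' ;;
        *:*)
            printf 'ifconfig_vnet0_ipv6="inet6 %s"\n' "$1"
            if [ -n "$2" ]; then printf 'ipv6_defaultrouter="%s"\n' "$2"; fi ;;
        *)
            printf 'ifconfig_vnet0="inet %s"\n' "$1"
            if [ -n "$2" ]; then printf 'defaultrouter="%s"\n' "$2"; fi ;;
    esac
}

# The host's default IPv4 gateway, for copying into a static container's
# rc.conf. Only meaningful when run on the FreeBSD host itself.
host_default_router() {
    route -n get default 2>/dev/null | awk '/gateway:/ { print $2 }'
}

# Dry run for the DHCP nginx container from the examples above (index 0).
vnet_bridge_commands bridge0 re0
vnet_epair_commands bridge0 0
vnet_jail_conf nginx 0 /usr/local/bastille/jails/nginx/root
vnet_jail_rcconf 0.0.0.0
```

Two caveats when using the DHCP shortcut in a VNET container: dhclient needs /dev/bpf, which the stock jail devfs ruleset hides, so the container must run with a devfs ruleset that unhides bpf*; and because the a side of every epair sits on the same bridge as the uplink, containers in this design share a broadcast domain with the LAN, unlike containers on bastille0.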