rdr

bastille rdr allows you to configure dynamic rdr rules for your containers without modifying pf.conf (assuming you are using the bastille0 interface for a private network and have enabled rdr-anchor 'rdr/*' in /etc/pf.conf as described in the Networking section).

Note: you need to be careful if host services are configured to run on all interfaces as this will include the jail interface - you should specify the interface they run on in rc.conf (or other config files)

# bastille rdr dev1 tcp 2001 22
[jail1]:
IPv4 tcp/2001:22  on em0

# bastille rdr dev1 list
rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22

# bastille rdr dev1 udp 2053 53
[jail1]:
IPv4 udp/2053:53 on em0

# bastille rdr dev1 list
rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53

# bastille rdr dev1 clear
nat cleared

The rdr command includes 4 additional options:

-d | --destination IP            Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface   IF,IF         Specify interface(s) to apply rule to. Comman separated.
-s | --source      IP|table      Limit rdr to a source IP or table.
-t | --type        ipv4|ipv6     Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug                     Enable debug mode.

# bastille rdr -i vtnet0 dev1 udp 8000 80
[jail1]:
IPv4 tcp/8000:80 on vtnet0

# bastille rdr -s 192.168.0.1 dev1 tcp 8080 81
[jail1]:
IPv4 tcp/8080:81 on em0

# bastille rdr -d 192.168.0.84 dev1 tcp 8082 82
[jail1]:
IPv4 tcp/8082:82 on em0

# bastille rdr -i vtnet0 -d 192.168.0.45 dev1 tcp 9000 9000
[jail1]:
IPv4 tcp/9000:9000 on vtnet0

# bastille rdr dev1 list
rdr pass on vtnet0 inet proto udp from any to any port = 2001 -> 10.17.89.1 port 22
rdr pass on em0 inet proto tcp from 192.168.0.1 to any port = 8080 -> 10.17.89.1 port 81
rdr pass on em0 inet proto tcp from any to 192.168.0.84 port = 8082 -> 10.17.89.1 port 82
rdr pass on vtnet0 inet proto tcp from any to 192.168.0.45 port = 9000 -> 10.17.89.1 port 9000

The options can be used together, as seen above.

If you have multiple interfaces assigned to your jail, bastille rdr will only redirect using the default one.

It is also possible to specify a pf table as the source, providing it exists. Simply use the table name instead of an IP address or subnet.

# bastille rdr --help
Usage: bastille rdr [option(s)] TARGET tcp|udp HOST_PORT JAIL_PORT [log LOG_OPTIONS]
                                TARGET clear|reset|list

    Options:

    -d | --destination IP            Limit rdr to a destination IP.
    -i | --interface   IF,IF         Specify interface(s) to apply rule to. Comma-separated.
    -s | --source      IP|TABLE      Limit rdr to a source IP or table.
    -t | --type        ipv4|ipv6     Specify IP type. Must be used if '-s' or '-d' are used. Defaults to both.
    -x | --debug                     Enable debug mode.