# No Networking In Bastille Jail



## Israel (Apr 20, 2022)

So, I thought I would try setting up a jail with Bastille. I found some documentation here:

Bastille Networking in Depth | BastilleBSD (bastillebsd.org): Bastille offers a number of networking options for containerized applications.

So I put this in my /etc/rc.conf:

```
linux_enable="YES"
bastille_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"
```

I now have this in my /etc/pf.conf:

```
ext_if="wlan0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
```

This alone got errors and I found more on this link:

Create an Ubuntu Linux jail on FreeBSD 12.2 (hackacad.net): Create a jailed Ubuntu Linux with Bastille on FreeBSD 12.2. Make sure Bastille is installed and configured. This is not officially supported, so don't use it in production! update 2021/02/11: Auto Installer You could try the following POC for automated jail creation: DO NOT USE THIS IN...
I added the following to my /boot/loader.conf:

```
linprocfs_load="YES"
linsysfs_load="YES"
tmpfs_load="YES"
```

My /usr/local/bastille/jails/debian11/fstab has the following:

```
devfs           /usr/local/bastille/jails/debian11/root/dev      devfs           rw                      0       0
tmpfs           /usr/local/bastille/jails/debian11/root/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0
fdescfs         /usr/local/bastille/jails/debian11/root/dev/fd   fdescfs         rw,linrdlnk             0       0
linprocfs       /usr/local/bastille/jails/debian11/root/proc     linprocfs       rw                      0       0
linsysfs        /usr/local/bastille/jails/debian11/root/sys      linsysfs        rw                      0       0
/tmp            /usr/local/bastille/jails/debian11/root/tmp      nullfs          rw                      0       0
```

I tried adding a /home directory, but it seems to reset on each try. This is the default though.

For /usr/local/bastille/jails/debian11/jail.conf I have this:

```
debian11 {
  host.hostname = debian11;
  mount.fstab = /usr/local/bastille/jails/debian11/fstab;
  path = /usr/local/bastille/jails/debian11/root;
  devfs_ruleset = 4;

  exec.start = '/bin/true';
  exec.stop = '/bin/true';
  persist;

  allow.mount;
  allow.mount.devfs;

  interface = bastille0;
  ip4.addr = 10.17.89.11;
  ip6 = disable;
}
```

After that I run the following as root:
```
bastille bootstrap bullseye
bastille create -L debian11 bullseye 10.17.89.11 bastille0
```

I then noticed the following error while the installation was completing:

```
Processing triggers for libc-bin (2.31-13+deb11u3) ...
Err:1 http://deb.debian.org/debian bullseye InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists... Done   
Building dependency tree... Done
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Temporary failure resolving 'deb.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.
```

I thought I could console into the jail and correct it, but there's zero networking. Oddly enough, the jls command shows the device and IP:

```
$ jls
   JID  IP Address      Hostname                      Path
     1  10.17.89.11     debian11                      /usr/local/bastille/jails/debian11/root
```

I can ping that IP from the host, but I can't get a ping to go out from inside the jail. I've tried restarting networking inside Debian, and yes, I know this is not a Debian forum. I tried rebooting the host. I tried running as a normal user and to sudo/doas the bastille commands. Documentation seems to be scattered and sparse on this Bastille setup. Any suggestions welcome.

EDIT: I found a site that said this might help, but no changes so far:

```
sysctl security.jail.allow_raw_sockets=1 
sysctl net.inet.ip.forwarding=1
```


----------



## SirDice (Apr 20, 2022)

Israel said:


> ```
> sysctl security.jail.allow_raw_sockets=1
> sysctl net.inet.ip.forwarding=1
> ```


Don't use these. The first is a deprecated setting; it sets `allow_raw_sockets` for _all_ your jails. This is now deprecated in favor of a per-jail setting (see `allow.raw_sockets` in jail(8)).
The second shouldn't be set like that; add `gateway_enable="YES"` to rc.conf.


----------



## Israel (Apr 21, 2022)

Okay, I removed those, added the gateway_enable line to /etc/rc.conf and rebooted. Still no luck:

```
root@debian11:~# ping localhost
ping: socket: Protocol not supported
```

EDIT: Okay, I found that even though ping didn't work, apt and other services are now working. Thanks SirDice!


----------



## odhiambo (Dec 10, 2022)

Israel said:


> Okay, I removed those, added the gateway_enable line to /etc/rc.conf and rebooted. Still no luck:
> 
> ```
> root@debian11:~# ping localhost
> ping: socket: Protocol not supported
> ```
> ...


And "allow.raw_sockets;" in jail.conf allows the jail to ping|traceroute outwards.

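A small shell check added here (not from the thread, Bastille or FreeBSD) that verifies the three settings this thread converges on against copies of rc.conf, pf.conf and jail.conf. The sample files and the jail name debian11 are constructed from the OP's posts; the jail block deliberately omits allow.raw_sockets to show the failing case.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from Bastille). It checks the
# three settings this thread settles on: gateway_enable in rc.conf, a pf nat
# rule sourced from the <jails> table, and allow.raw_sockets in the jail's
# own jail.conf block. Paths are passed in, so it runs against any copy.

# 0 if rc.conf ($1) enables IP forwarding via gateway_enable.
has_gateway_enable() {
    grep -Eq '^[[:space:]]*gateway_enable="?YES"?' "$1"
}

# 0 if pf.conf ($1) carries a nat rule whose source is the <jails> table.
has_jail_nat() {
    grep -Eq '^[[:space:]]*nat on .* from <jails> ' "$1"
}

# 0 if the block for jail $2 in jail.conf ($1) sets allow.raw_sockets,
# as "allow.raw_sockets;" or "allow.raw_sockets = 1;".
jail_allows_raw_sockets() {
    awk -v j="$2" '
        $1 == j && $2 == "{"      { inblk = 1; next }
        inblk && /^[[:space:]]*}/ { exit }
        inblk && /^[[:space:]]*allow\.raw_sockets[[:space:]]*(=[[:space:]]*(1|true))?[[:space:]]*;/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample files modelled on the thread's configs, not the OP's real
# system. The jail block deliberately omits allow.raw_sockets.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
bastille_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"
gateway_enable="YES"
EOF
cat > "$tmp/pf.conf" <<'EOF'
ext_if="wlan0"
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
EOF
cat > "$tmp/jail.conf" <<'EOF'
debian11 {
  interface = bastille0;
  ip4.addr = 10.17.89.11;
}
EOF
has_gateway_enable "$tmp/rc.conf" && echo "rc.conf: forwarding on" || echo "rc.conf: add gateway_enable=\"YES\""
has_jail_nat "$tmp/pf.conf" && echo "pf.conf: nat for <jails> ok" || echo "pf.conf: no nat rule for <jails>"
jail_allows_raw_sockets "$tmp/jail.conf" debian11 && echo "jail.conf: raw sockets ok" || echo "jail.conf: add allow.raw_sockets; (ping fails without it)"
```

Point the three functions at the real /etc/rc.conf, /etc/pf.conf and the jail's jail.conf to get the same report for a live host.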

----------

