Bastille Port Redirection and Persistence
Redirect TCP and UDP ports from host to container
Bastille is an open-source system for automating the deployment and management of containerized applications on FreeBSD.
Bastille Port Redirection
Bastille supports redirecting (rdr) ports from the host system into target containers. This port redirection is commonly used when running Internet services such as web servers, DNS servers, email and many others. Any service you want to make public outside of your cluster will likely require port redirection (with some exceptions, see below).
Port Redirection Requirements
Port redirection is required for inbound connectivity to loopback (bastille0) containers or shared-interface containers and is handled using a combination of:
- pf.conf configured with an ext_if= line that defines the external interface
- the bastille0 interface or a shared external interface (em0, vtnet0, etc.) used by the container.
Note: Port redirection is not needed to access VNET-based containers.
Redirecting ports for inbound access to a containerized service can be done manually using the rdr sub-command or in an automated fashion using a template.
The three examples below will demonstrate redirecting the following:
- redirect port 2200 (host) to port 22 (container) to access ssh (-p 2200)
- redirect port 53 (host) to port 53 (container) to access dns
- redirect port 443 (host) to port 443 (container) to access https
Command Line Usage
bastille rdr TARGET tcp 2200 22
bastille rdr TARGET udp 53 53
bastille rdr TARGET tcp 443 443
Bastille Template Usage
RDR tcp 2200 22
RDR udp 53 53
RDR tcp 443 443
Additionally, it is possible to list the existing rules for a container:
bastille rdr TARGET list
You may also need to clear redirect rules to remove access:
bastille rdr TARGET clear
Redirection rules are persistent by default. This means that any redirect rules applied to a target will be written to an rdr.conf for that target:
tcp 2200 22
udp 53 53
tcp 443 443
The rules found in this file (one per line) will be loaded for the container each time it is started. Redirection rules are also automatically cleared when the container is stopped.
Use bastille edit TARGET rdr.conf to interactively edit (or manually create) the persistent redirection rules for a container.
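Because rdr.conf is loaded unattended every time the container starts, a malformed or duplicated line is easy to miss until a service is silently unreachable or exposed on an unintended port. The script below is an added example (not part of Bastille, and not the project's own code) that reads the one-rule-per-line rdr.conf format shown above, rejects lines that are not "tcp|udp host_port container_port" with ports in 1-65535 or that reuse the same protocol and host port, and renders each valid rule as the equivalent bastille rdr command without applying it. The target name TARGET and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example, not Bastille's own code. Validates an rdr.conf in the
# "proto host_port container_port" format and prints the equivalent
# "bastille rdr TARGET proto host_port container_port" commands.
# The sample rules and the target name below are constructed for this example.

# validate_rdr_rule PROTO HOST_PORT CONTAINER_PORT
# Returns 0 when the protocol is tcp or udp and both ports are integers in 1-65535.
validate_rdr_rule() {
  proto=$1; hport=$2; jport=$3
  case "$proto" in
    tcp|udp) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  for p in "$hport" "$jport"; do
    case "$p" in
      ''|*[!0-9]*) echo "non-numeric port: '$p'" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port out of range: $p" >&2; return 1
    fi
  done
  return 0
}

# render_rdr_cmds TARGET < rdr.conf
# Prints one bastille rdr command per valid rule, skips blank and '#' lines,
# reports malformed lines and duplicate (proto, host_port) pairs on stderr,
# and returns 1 if any rule was rejected so a caller can refuse to apply the file.
render_rdr_cmds() {
  target=$1
  seen=""
  status=0
  while read -r proto hport jport extra; do
    case "$proto" in ''|'#'*) continue ;; esac
    if [ -n "$extra" ] || ! validate_rdr_rule "$proto" "$hport" "$jport"; then
      echo "invalid rule: $proto $hport $jport $extra" >&2
      status=1; continue
    fi
    key="$proto:$hport"
    case " $seen " in
      *" $key "*) echo "duplicate host port: $key" >&2; status=1; continue ;;
    esac
    seen="$seen $key"
    printf 'bastille rdr %s %s %s %s\n' "$target" "$proto" "$hport" "$jport"
  done
  return $status
}

# Constructed sample rdr.conf matching the three rules discussed above.
SAMPLE_RDR_CONF='tcp 2200 22
udp 53 53
tcp 443 443'

# Usage: render the sample (or "render_rdr_cmds TARGET < /path/to/rdr.conf").
printf '%s\n' "$SAMPLE_RDR_CONF" | render_rdr_cmds TARGET
```

Running the rendered commands is left to the operator; the point of the check is that a file which fails validation is never applied, and the stderr messages name the exact offending line.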
Redirecting ports from the host system to the internal network is simple with the rdr subcommand. This redirection can also be accomplished with the use of templates to automate the process.
Defining port redirection rules allows external access to your internal bastille0 network on a per-port basis. While port redirection should not be needed between containers on your bastille0 interface, it is required to access services from outside.