Date:      Fri, 10 Feb 2006 09:27:52 +0100
From:      Uwe Doering <gemini@geminix.org>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: OpenVPN within a Jail under 6.x ...
Message-ID:  <43EC4E88.2070009@geminix.org>
In-Reply-To: <200602091603.k19G3iKX019265@lurza.secnetix.de>
References:  <200602091603.k19G3iKX019265@lurza.secnetix.de>

Oliver Fromme wrote:
> Uwe Doering <gemini@geminix.org> wrote:
> [...]
>  > Now, since routes are a global resource in FreeBSD, is there a way to 
>  > prevent users from other jails on that machine from accessing that VPN, 
>  > too?  If it weren't possible to restrict access to a VPN to the jail it 
>  > is associated with the VPN would no longer be private I'd think.
> 
> Every jail has its own IP address.  Connections originating
> from a jail are forced to use the jail's IP address as their
> source address.  Therefore you can use a packet filter (IPFW
> or PF) to control where those packets are allowed to go.
> [...]

Thanks for pointing that out.  I must admit that I hadn't thought this 
through very thoroughly.  Now that you mention the fixed nature of a 
jail's IP address it is kind of obvious that you can filter on the 
source address.

However, I believe there is still a snag.  People tend to pick the same 
IP networks from the range of official private IP addresses for their 
internal LANs.  If you wanted to set up VPN tunnels to these LANs for a 
larger number of jails belonging to individual "owners" there is some 
likelihood that the routes to these LANs would overlap.  That is, since 
you cannot _route_ based on the source address of IP packets, at some 
point you would have a clash of interests between two or more owners of 
said jails.  As the administrator of the machine that carries these 
jails you would ultimately have to take a decision on who can have a VPN 
tunnel and who cannot.

Provided my analysis is correct this would mean that the approach of 
using just a packet filter for access control doesn't scale very well.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
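As an added illustration of the two points in this exchange (filtering on a jail's fixed source address, and the single global routing table), here is a pf.conf fragment for the scenario Uwe describes. It is not from the thread or from any of the participants; the jail addresses, interface names, tunnel port and LAN prefixes are all assumptions chosen for the example.

```pf
# Added example (not from the thread): pf.conf fragment for a FreeBSD host
# running two jails, each with a fixed IP address and its own OpenVPN tunnel.
# All addresses, interface names, ports and network ranges are assumptions.
#
#   jail "alpha"  IP 192.0.2.10, tunnel tun0, remote LAN 10.0.0.0/24
#   jail "beta"   IP 192.0.2.11, tunnel tun1, remote LAN 10.0.0.0/24 (same prefix)

ext_if    = "em0"
alpha_ip  = "192.0.2.10"
beta_ip   = "192.0.2.11"
alpha_tun = "tun0"
beta_tun  = "tun1"
alpha_lan = "10.0.0.0/24"
beta_lan  = "10.0.0.0/24"
vpn_port  = "1194"

set skip on lo0
block log all

# Each OpenVPN process runs inside its jail and is therefore forced to use
# the jail's IP as source; only that address may reach the jail's VPN peer.
pass out on $ext_if proto udp from $alpha_ip to any port $vpn_port keep state
pass out on $ext_if proto udp from $beta_ip  to any port $vpn_port keep state

# Access control by jail source address: only alpha may send into tun0 and
# only beta into tun1.  A packet from beta that is routed to tun0 is dropped.
pass out on $alpha_tun from $alpha_ip  to $alpha_lan keep state
pass out on $beta_tun  from $beta_ip   to $beta_lan  keep state
pass in  on $alpha_tun from $alpha_lan to $alpha_ip  keep state
pass in  on $beta_tun  from $beta_lan  to $beta_ip   keep state

# The snag Uwe describes: the kernel keeps ONE routing table, so only one of
# these two routes can exist at a time (the second add fails with "File exists"):
#   route add -net 10.0.0.0/24 -iface tun0
#   route add -net 10.0.0.0/24 -iface tun1
# With the first route installed, beta's packets for 10.0.0.0/24 are sent to
# tun0 and then blocked by the rules above.  The filter keeps the two VPNs
# isolated from each other, but it cannot hand beta its own tunnel.
```

The ruleset shows why the filter alone is sufficient for isolation but not for routing: the `pass out on $beta_tun` rule never matches, because the global route for 10.0.0.0/24 points at tun0. One thing the thread does not go into is that pf's `route-to` option on a `pass out` rule can override the routing table for packets matching a given source address; whether that is acceptable depends on how much per-jail policy the host administrator wants to carry in the packet filter.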



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43EC4E88.2070009>