From owner-freebsd-questions@freebsd.org Wed Dec 7 06:11:51 2016
Date: Tue, 6 Dec 2016 22:05:09 -0800 (PST)
From: Robroy Gregg
To: lists@bertram-scharpf.de
cc: freebsd-questions@freebsd.org
Subject: Re: Closed port 22 in the jail redirects to the outer system
In-Reply-To: <584765FD.6050901@gmail.com>
References: <20161207002440.GA26711@becker.bs.l> <584765FD.6050901@gmail.com>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)

Good day Bertram,

Bertram Scharpf wrote:

> How can I make a port 22 request fail if an SSH server is running on the
> outer machine but not inside the jail?

If I've understood your situation correctly, the idea here's to configure the host FreeBSD system's ssh daemon to associate itself only with the host system's IP address.

By default, the ssh daemon associates itself with all IP addresses your computer's configured to use (host + jails), which leads to the fall-through effect you're experiencing when your jail's ssh daemon isn't running.

On the host system, edit /etc/ssh/sshd_config, and add a line like this, assuming your host system's IP is 10.0.0.1.

    ListenAddress 10.0.0.1

Once the host system's ssh daemon has been re-started, it'll associate itself only with 10.0.0.1, instead of its default (0.0.0.0, which will match everything--including the IPs used by jails).

Happiness to you Bertram,
Robroy
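An added check, not part of Robroy's message: a small POSIX sh script that reads an sshd_config and reports whether the host's sshd would still answer on a jail's address (no ListenAddress, a wildcard 0.0.0.0 / ::, or the jail IP itself). The sample configs it writes are constructed for illustration; the file paths and the 10.0.0.x addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: host_captures_jail CONFIG JAIL_IP

# Print the effective ListenAddress values from sshd_config $1, one per line,
# with any ":port" / "[v6]:port" suffix removed. With no ListenAddress at all
# sshd binds the wildcard, so "0.0.0.0" is printed in that case.
sshd_listen_addrs() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == "listenaddress" {
            a = $2
            if (a ~ /^\[.*\]:[0-9]+$/) {          # [fe80::1]:22 -> fe80::1
                sub(/^\[/, "", a); sub(/\]:[0-9]+$/, "", a)
            } else if (a ~ /^[^:]+:[0-9]+$/) {    # 10.0.0.1:22 -> 10.0.0.1
                sub(/:[0-9]+$/, "", a)
            }
            print a; found = 1
        }
        END { if (!found) print "0.0.0.0" }
    ' "$1"
}

# Return 0 (true) when the host sshd described by config $1 would also accept
# connections addressed to jail IP $2, i.e. the fall-through in the thread.
host_captures_jail() {
    for a in $(sshd_listen_addrs "$1"); do
        case "$a" in
            0.0.0.0|::|"$2") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample configs: $1 = host before the fix, $2 = host after it.
write_sample_configs() {
    cat > "$1" <<'EOF'
# no ListenAddress: sshd listens on 0.0.0.0 and catches the jail's IP too
Port 22
PermitRootLogin no
EOF
    cat > "$2" <<'EOF'
# host bound only to its own addresses, as suggested in the thread
ListenAddress 10.0.0.1
ListenAddress [fe80::1]:22
PermitRootLogin no
EOF
}
```

After restarting sshd on the host, `sockstat -4 -l -p 22` shows the address it actually bound, which is the quickest way to confirm the jail's IP is no longer covered.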