Date: Wed, 7 Dec 2016 21:51:51 +0100
From: Bertram Scharpf
To: freebsd-questions@freebsd.org
Subject: Re: Closed port 22 in the jail redirects to the outer system
Message-ID: <20161207205151.GA12525@becker.bs.l>
References: <20161207002440.GA26711@becker.bs.l> <584765FD.6050901@gmail.com>

On Tuesday, 06. Dec 2016, 22:05:09 -0800, Robroy Gregg wrote:
> Bertram Scharpf wrote:
>
> > How can I make a port 22 request fail if an SSH server is running on the
> > outer machine but not inside the jail?
>
> If I've understood your situation correctly, the idea here's to configure
> the host FreeBSD system's ssh daemon to associate itself only with the
> host system's IP address.
>
> By default, the ssh daemon associates itself with all IP addresses your
> computer's configured to use (host + jails), which leads to the
> fall-through effect you're experiencing when your jail's ssh daemon isn't
> running.

That's exactly what I meant. I don't know why, but I always thought
a jail should grab all requests on its IP and then look up a server
process.

> On the host system, edit /etc/ssh/sshd_config, and add a line like this,
> assuming your host system's IP is 10.0.0.1.
>
> ListenAddress 10.0.0.1

I should have found this myself. Sorry for the noise. Thank you!

Bertram

-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
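Added example, not part of the original message: a POSIX sh check that reads an sshd_config and reports whether the host's sshd would answer on a given jail address, which is the fall-through described in the quoted reply. The function names, the sample configs and the jail address 10.0.0.2 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: would the host sshd accept connections on a jail's IP?

# Print the effective listen addresses of an sshd_config, one per line.
# Prints "ALL" when no ListenAddress is set (sshd then binds every local
# address, jail addresses included) or when a wildcard address is listed.
sshd_listen_addrs() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " ") }         # drop comments, allow key=value
        tolower($1) == "listenaddress" && NF >= 2 {
            a = $2
            if (a ~ /^\[/) {                      # [addr]:port form
                sub(/^\[/, "", a); sub(/\].*$/, "", a)
            } else if (a ~ /^[^:]*:[0-9]+$/) {    # host:port or IPv4:port
                sub(/:[0-9]+$/, "", a)
            }
            if (a == "0.0.0.0" || a == "::") wild = 1
            addrs[++n] = a
        }
        END {
            if (n == 0 || wild) { print "ALL"; exit }
            for (i = 1; i <= n; i++) print addrs[i]
        }
    ' "$1"
}

# Return 0 (exposed) if the host sshd configured by file $1 listens on IP $2.
jail_ip_exposed() {
    sshd_listen_addrs "$1" | grep -Fxq -e ALL -e "$2"
}

# Constructed sample configs (not from the thread). 10.0.0.1 is the host
# address used in the reply; 10.0.0.2 is an assumed jail address.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#ListenAddress 0.0.0.0' > "$demo_dir/default.conf"
printf '%s\n' 'Port 22' 'ListenAddress 10.0.0.1' > "$demo_dir/pinned.conf"

for f in default pinned; do
    if jail_ip_exposed "$demo_dir/$f.conf" 10.0.0.2; then
        echo "$f: host sshd answers on jail IP 10.0.0.2"
    else
        echo "$f: host sshd does not listen on 10.0.0.2"
    fi
done
```

After editing the real /etc/ssh/sshd_config and restarting sshd on the host, `sockstat -4l -p 22` shows which addresses are actually bound.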