From: Steve Kargl
To: freebsd-questions@freebsd.org
Subject: Two jail questions
Date: Thu, 19 Oct 2017 10:32:24 -0700
Message-ID: <20171019173224.GA31648@troutmask.apl.washington.edu>

1) If an application (e.g., sshd) needs to reach the internet from a jail, is it required to have the host system running pf (or other packet filtering software)?
2) Suppose I have two classes of users on a system: normal users and guest users. For normal users (including those that are members of the wheel group), I would like those individuals to be able to use ssh to connect to the host system. For guest users, I want to isolate those users in a jailed environment. Thus, I'll have sshd running in both the host and jail. How do I set up such a scheme?

-- Steve
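An added example (not from Steve's post or any reply on the list) of one way to lay out such a scheme: the jail gets its own address on the host's routable subnet, so its sshd reaches the network without NAT and pf is not required (pf/NAT only becomes necessary if the jail is given a private address); the host's sshd binds only to the host address and admits only the normal-user groups, while the jail runs a second sshd on the jail address. The addresses, paths, interface name and group names are assumptions.

```conf
# /etc/jail.conf on the host (assumed paths, interface, and 192.0.2.0/24 addresses)
# The jail's address sits on the same routable subnet as the host, so nothing
# needs to be translated; pf would only be needed for a private jail address.
guest {
    path = /usr/jail/guest;
    host.hostname = guest.example.org;
    interface = em0;               # assumed host NIC the alias is added to
    ip4.addr = 192.0.2.20;         # jail address; the host itself is 192.0.2.10
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}

# /etc/rc.conf on the host
jail_enable="YES"
jail_list="guest"
sshd_enable="YES"

# /etc/ssh/sshd_config on the host: bind only to the host address so the host
# sshd does not also claim the jail's address on port 22, and admit only the
# normal-user groups (guest accounts exist only inside the jail).
ListenAddress 192.0.2.10
AllowGroups wheel staff

# /usr/jail/guest/etc/rc.conf: the jail runs its own, separate sshd
sshd_enable="YES"

# /usr/jail/guest/etc/ssh/sshd_config: bound to the jail's address only
ListenAddress 192.0.2.20
AllowGroups guests
```

With this layout a guest login lands in the jail's own password database and filesystem under /usr/jail/guest, and a check with `sockstat -4 -l` on the host should show the two sshd instances listening on distinct addresses.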