From owner-freebsd-questions@freebsd.org Thu Oct 19 17:44:16 2017
Subject: Re: Two jail questions
To: freebsd-questions@freebsd.org
From: JD
Message-ID: <59E8E464.2040205@gmail.com>
Date: Thu, 19 Oct 2017 11:44:04 -0600
In-Reply-To: <20171019173224.GA31648@troutmask.apl.washington.edu>

On 10/19/2017 11:32 AM, Steve Kargl wrote:
> 1) If an application (e.g., sshd) needs to reach the internet from a
> jail, is it required to have the host system running pf (or other
> packet filtering software)?
>
> 2) Suppose I have two classes of users on a system: normal users and
> guest users. For normal users (including those that are members
> of the wheel group), I would like those individuals to be able
> to use ssh to connect to the host system. For guest users, I
> want to isolate those users in a jailed environment. Thus, I'll
> have sshd running in both the host and jail. How do I set up
> such a scheme?
>
You might want to read
https://access.redhat.com/solutions/284873
https://linuxconfig.org/how-to-automatically-chroot-jail-selected-ssh-user-logins
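The host-plus-jail sshd split Steve describes, written out as an added example in FreeBSD jail.conf and sshd_config form (this is not from the thread; the jail name, the 192.0.2.x addresses, the em0 interface and the group names are assumptions):

```conf
# --- /etc/jail.conf on the host (hypothetical jail name and addresses) ---
# The guest jail gets its own alias address on the host's interface.
# Because 192.0.2.10 is reachable from the host's network, the jail
# talks to the outside directly; pf is only needed if you instead give
# the jail a private address that has to be NATed.
guest {
    host.hostname = "guest.example.org";
    path = "/jails/guest";
    interface = "em0";
    ip4.addr = "192.0.2.10";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    # allow.raw_sockets, allow.mount and friends stay at their default (off),
    # so guests get no privileges beyond an ordinary jailed process.
}

# --- /etc/ssh/sshd_config on the host (host address 192.0.2.1) ---
# Bind only the host's own address, so the host sshd never answers on
# the jail's address, and admit only the normal-user groups.
# "normal" is a hypothetical group for regular non-wheel accounts.
ListenAddress 192.0.2.1
AllowGroups wheel normal
PermitRootLogin no
PasswordAuthentication no

# --- /jails/guest/etc/ssh/sshd_config (inside the jail) ---
# The jail's sshd binds the jail address only. Guest accounts exist
# only in the jail's own /etc/passwd and /etc/group, so a guest has no
# account the host sshd could accept even if it reached it.
ListenAddress 192.0.2.10
AllowGroups guests
PermitRootLogin no
```

Start the jail with `sysrc jail_enable=YES jail_list=guest` and `service jail start guest` on the host, then enable sshd inside it with `jexec guest sysrc sshd_enable=YES`; check with `sockstat -4l` on the host that each sshd is bound to its own address only.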