From owner-freebsd-questions@freebsd.org Thu Oct 19 17:46:15 2017
In-Reply-To: <20171019173224.GA31648@troutmask.apl.washington.edu>
References: <20171019173224.GA31648@troutmask.apl.washington.edu>
From: Adam Vande More
Date: Thu, 19 Oct 2017 12:46:14 -0500
Subject: Re: Two jail questions
To: Steve Kargl
Cc: FreeBSD Questions
List-Id: User questions

On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl wrote:

> 1) If an application (e.g., sshd) needs to reach the internet from a
> jail, is it required to have the host system running pf (or other
> packet filtering software)?

No. See VNET/VIMAGE.

> 2) Suppose I have two classes of users on a system: normal users and
> guest users. For normal users (including those that are members
> of the wheel group), I would like those individuals to be able
> to use ssh to connect to the host system. For guest users, I
> want to isolate those users in a jailed environment. Thus, I'll
> have sshd running in both the host and jail. How do I set up
> such a scheme?

sshd in the jail needs to run on a different port if you're using the same IP; otherwise, if you use an independent networking stack, you would configure it as normal.

User X on host != User X on jail

-- 
Adam
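A worked jail.conf for the two layouts Adam describes, added here as an illustration and not taken from the thread or from the FreeBSD documentation: one jail that shares the host's network stack and the host's own address (so its sshd has to move to another port), and one VNET jail with its own stack (so its sshd listens on 22 like any other host). The jail names, the /jails path, the em0 interface, the 192.0.2.0/24 addresses and port 2222 are all hypothetical. It assumes bridge0 already exists on the host with em0 as a member, and, for the VNET jail, a kernel built with `options VIMAGE` (part of GENERIC since FreeBSD 12.0; in 2017 that still meant a custom kernel).

```conf
# /etc/jail.conf (hypothetical; added example, not from the thread)

# Settings shared by every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.org";

# Jail 1: shares the host's stack and the host's own address.
# Outbound traffic from the jail simply uses the host's routing
# table, so no pf/ipfw is needed for sshd to reach the internet.
# Host sshd already owns 192.0.2.1:22, so the jail's sshd_config
# must set a different port (Port 2222 in this example).
guest {
    interface = "em0";
    ip4.addr  = 192.0.2.1;
}

# Jail 2: its own network stack (VNET). The epair's "a" end is
# attached to the host bridge; the "b" end is handed to the jail,
# which configures it from its own /etc/rc.conf exactly as a
# stand-alone host would (ifconfig_epair0b, defaultrouter, and
# sshd_enable="YES" with sshd left on port 22).
guestvnet {
    vnet;
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    # Destroying one end of an epair removes both ends.
    exec.poststop  = "ifconfig epair0a destroy";
}
```

With this layout the host's sshd keeps its normal configuration and the shared-IP jail's /etc/ssh/sshd_config carries `Port 2222`; guest users are told to connect to port 2222, normal users to port 22. If you would rather keep 22 in a shared-stack jail, give the jail its own alias address (for example `ip4.addr = 192.0.2.10`) and restrict the host's sshd with `ListenAddress 192.0.2.1`, so the two listeners no longer collide. In either case the jail has its own /etc/passwd and /etc/master.passwd, so guest accounts are created inside the jail (`pw -R /jails/guest useradd ...` or `jexec guest adduser`), not on the host.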