Date: Thu, 19 Oct 2017 13:57:33 -0400
From: Mark Moellering <markmoellering@psyberation.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Two jail questions
Message-ID: <CAA0uU3VAtF3+pKG973ntQDpc8K6ZE==kmk-WZNNP3LY5v=f5ow@mail.gmail.com>
In-Reply-To: <CA+tpaK2c99mSXXPVWLQL0q_+kJ-xtoLzJtjLqbxDzwTM5KKhNg@mail.gmail.com>
References: <20171019173224.GA31648@troutmask.apl.washington.edu> <CA+tpaK2c99mSXXPVWLQL0q_+kJ-xtoLzJtjLqbxDzwTM5KKhNg@mail.gmail.com>
> 2) Suppose I have two classes of users on a system: normal users and
> guest users. For normal users (including those that are members
> of the wheel group), I would like those individuals to be able
> to use ssh to connect to the host system. For guest users, I
> want to isolate those users in a jailed environment. Thus, I'll
> have sshd running in both the host and jail. How do I set up
> such a scheme?

> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
> User X on host != User X on jail

To expand on what was previously said:

Normally, when you set up a jail, you set it up like a mini virtual server (with a few caveats...). So it should have its own IP address, and it will have its own instance of sshd and its own set of users.

For completeness: you would create a virtual IP (or one for each jail, in the case of multiple jails) and assign the virtual IP to the jail. It will appear as a separate server on the network. You can't run pf from a jail; that has to be on the main host. You also can't run NFS from a jail (something I spent many hours on some time ago). You do need to make sure that daemons on the main host don't try to listen on all addresses.

I used "Absolute FreeBSD" by Michael Lucas as a guide for this. (Full disclosure, I know him personally.)

Mark Moellering

On Thu, Oct 19, 2017 at 1:46 PM, Adam Vande More <amvandemore@gmail.com> wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl <sgk@troutmask.apl.washington.edu> wrote:
> >
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> > jail, is it required to have the host system running pf (or other
> > packet filtering software)?
>
> No. See VNET/VIMAGE
>
> > 2) Suppose I have two classes of users on a system: normal users and
> > guest users. For normal users (including those that are members
> > of the wheel group), I would like those individuals to be able
> > to use ssh to connect to the host system. For guest users, I
> > want to isolate those users in a jailed environment. Thus, I'll
> > have sshd running in both the host and jail. How do I set up
> > such a scheme?
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail
>
> --
> Adam
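As an added example (not part of the thread, not Mark's or Adam's code), here is a small sh check for the last point above: it reads `sockstat -4 -l` output and flags host daemons bound to the wildcard address, which are the ones that will claim the jail's IP alias too on a shared network stack. The sockstat output below is a constructed sample, not real system output.

```shell
#!/bin/sh
# Added example: find host daemons listening on the wildcard address (*:port).
# On a non-VNET jail such a daemon also owns the jail's IP alias, so the
# jailed sshd fails with "Address already in use" on the same port.

# Constructed sample in the column layout of `sockstat -4 -l` (not real output).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     ntpd       690   20 udp4   *:123                 *:*
root     sshd       1301  4  tcp4   192.168.1.20:22       *:*
root     syslogd    544   6  udp4   127.0.0.1:514         *:*'

# Read sockstat output on stdin; print "COMMAND LOCAL_ADDRESS" for each
# listener whose local address is the wildcard. Data rows are:
# USER COMMAND PID FD PROTO LOCAL FOREIGN, so the local address is field 6.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $6 }'
}

# Wrapper for a live host: pipe the real sockstat through the check.
# (sockstat is FreeBSD-specific; the sample above stands in for it here.)
check_live_host() {
    sockstat -4 -l | wildcard_listeners
}

# Demonstrate on the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

Each line reported is a daemon that needs a `ListenAddress`/bind-address setting restricted to the host's own IP before the jail's copy of that service can use the port.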