From: Mark Moellering
Date: Thu, 19 Oct 2017 13:57:33 -0400
Subject: Re: Two jail questions
To: FreeBSD Questions
List: freebsd-questions@freebsd.org
References: <20171019173224.GA31648@troutmask.apl.washington.edu>

> 2) Suppose I have two classes of users on a system: normal users and
> guest users. For normal users (including those that are members
> of the wheel group), I would like those individuals to be able
> to use ssh to connect to the host system. For guest users, I
> want to isolate those users in a jailed environment. Thus, I'll
> have sshd running in both the host and jail. How do I setup
> such a scheme?
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail

To expand on what was previously said:

Normally, when you set up a jail, you set it up like a mini virtual server (with a few caveats...). So it should have its own IP address and it will have its own instance of sshd and its own set of users.
For completeness: you would create a virtual IP (or one for each jail, in the case of multiple jails) and assign the virtual IP to the jail. It will appear as a separate server on the network. You can't run pf from a jail; that has to be on the main host. You also can't run NFS from a jail (something I spent many hours on some time ago). You do need to make sure that daemons on the main host don't try to listen on all ports.

I used "Absolute FreeBSD" by Michael Lucas as a guide for this. (Full disclosure, I know him personally).

Mark Moellering

On Thu, Oct 19, 2017 at 1:46 PM, Adam Vande More wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl wrote:
>
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> > jail, is it required to have the host system running pf (or other
> > packet filtering software)?
>
> No. See VNET/VIMAGE
>
> > 2) Suppose I have two classes of users on a system: normal users and
> > guest users. For normal users (including those that are members
> > of the wheel group), I would like those individuals to be able
> > to use ssh to connect to the host system. For guest users, I
> > want to isolate those users in a jailed environment. Thus, I'll
> > have sshd running in both the host and jail. How do I setup
> > such a scheme?
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail
>
> --
> Adam
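A check for the two points above (host daemons must not listen on all addresses, and a host sshd on the shared IP collides with the jail's sshd on the same port), added here as an example that is not part of the thread: it parses sockstat(1)-style output and reports wildcard listeners and per-port collisions. The embedded sample output, the jail IP 192.0.2.20 and the PIDs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FreeBSD host for daemons bound to
# every address (*:port), which also answer on the jail's virtual IP.
# Real use on the host:  sockstat -4 -l | wildcard_listeners
# Assumed input layout is sockstat(1)'s:
#   USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS

# Constructed sample (jail IP 192.0.2.20 and PIDs are made up for the example).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22               *:*
root     sshd       2231  4  tcp4   192.0.2.20:22      *:*
root     sendmail   640   3  tcp4   127.0.0.1:25       *:*
ntpd     ntpd       700   20 udp4   *:123              *:*'

# Print "COMMAND PID LOCAL" for each listener bound to all addresses.
# Field 6 is the local address in data rows (the header's "LOCAL ADDRESS" is
# two words, so the header is skipped with NR > 1).
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# Number of wildcard listeners; non-zero means the host daemons need their
# bind address tightened (for sshd: "ListenAddress <host ip>" in sshd_config).
wildcard_count() {
    wildcard_listeners | wc -l | tr -d ' '
}

# Print "PORT WILDCARD_CMD SPECIFIC_CMD" for ports where a wildcard bind on the
# host coexists with a specific-address bind (typically the jail's sshd): the
# case the thread says to avoid unless the jail's sshd moves to another port.
port_conflicts() {
    awk 'NR > 1 {
            n = split($6, a, ":")
            addr = a[1]; port = a[n]
            if (addr == "*") wild[port] = $2; else spec[port] = $2
        }
        END { for (p in wild) if (p in spec) print p, wild[p], spec[p] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | wildcard_listeners
printf '%s\n' "$SAMPLE" | port_conflicts
```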