From: Steve Kargl <sgk@troutmask.apl.washington.edu>
To: Adam Vande More
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Two jail questions
Date: Thu, 19 Oct 2017 11:00:38 -0700
Message-ID: <20171019180038.GA32097@troutmask.apl.washington.edu>
References: <20171019173224.GA31648@troutmask.apl.washington.edu>

On Thu, Oct 19, 2017 at 12:46:14PM -0500, Adam Vande More wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl wrote:
>
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> > jail, is it required to have the host system running pf (or other
> > packet filtering software)?
>
> No. See VNET/VIMAGE

Thanks for the pointer. I haven't looked at vnet/vimage yet. All the
examples I found via google suggested that packet filtering was
necessary. The host system, on which I'm setting up the jail, already
sits behind 2 firewalls. Adding a third seemed to be overkill (unless
required for the jail!).

> > 2) Suppose I have two classes of users on a system: normal users and
> > guest users. For normal users (including those that are members
> > of the wheel group), I would like those individuals to be able
> > to use ssh to connect to the host system. For guest users, I
> > want to isolate those users in a jailed environment. Thus, I'll
> > have sshd running in both the host and jail. How do I set up
> > such a scheme?
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.

So, then this comes down to

ssh normal@a.b.c.d         <-- host system's sshd listening on default port
ssh -p 1111 guest@a.b.c.d  <-- jailed sshd listening on port 1111

-- 
Steve
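The two-sshd layout the thread ends with, written out as an added example (not configuration from either poster): a jail.conf entry for a non-VNET jail that shares the host's address, the two sshd_config port settings, and a small check that the host's and the jail's sshd ports do not collide. The jail name, path, hostname and the address 192.0.2.10 are placeholders.

```sh
#!/bin/sh
# Added example for the thread above, not the poster's configuration.
# A non-VNET jail shares the host's IP, so the host's and the jail's sshd
# must listen on different ports. Jail name "guest", its path and the
# address 192.0.2.10 are constructed placeholders.

# Print the ports an sshd_config listens on (sshd's default, 22, if none).
# Assumes ports are set with "Port", not "ListenAddress addr:port".
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then
        echo "$ports"
    else
        echo 22
    fi
}

# Succeed (0) when the two configs share no port, fail (1) on a collision.
sshd_ports_disjoint() {
    for h in $(sshd_ports "$1"); do
        for j in $(sshd_ports "$2"); do
            [ "$h" = "$j" ] && return 1
        done
    done
    return 0
}

# Constructed sample files in a temp dir so the script runs on any system.
tmp=$(mktemp -d)

# /etc/jail.conf entry: the jail reuses the host's address.
cat > "$tmp/jail.conf" <<'EOF'
guest {
    path = "/usr/jails/guest";
    host.hostname = "guest.example.org";
    ip4.addr = 192.0.2.10;          # same address the host's sshd answers on
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
# Host /etc/ssh/sshd_config keeps the default port; the jail's copy
# (/usr/jails/guest/etc/ssh/sshd_config) moves to 1111.
printf 'Port 22\nPermitRootLogin no\n' > "$tmp/host_sshd_config"
printf 'Port 1111\nPermitRootLogin no\n' > "$tmp/jail_sshd_config"

if sshd_ports_disjoint "$tmp/host_sshd_config" "$tmp/jail_sshd_config"; then
    echo "ok: ssh normal@192.0.2.10 and ssh -p 1111 guest@192.0.2.10 hit different sshds"
else
    echo "port collision: the jailed sshd cannot bind on the shared address" >&2
fi
```

Run the check against the real files before starting the jail; with the shared address, a collision shows up only as the jailed sshd failing to bind.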