Message-ID: <4326D764.1040402@xianshi.org>
Date: Tue, 13 Sep 2005 14:43:00 +0100
From: Elliot Crosby-McCullough
To: freebsd-questions@freebsd.org
Subject: Requesting advice on Jail technique.

Dear all,

I will shortly be creating a public service on a private box that will include shell access to untrusted users and would like your opinion on the best way to go about this.

Obviously jails are a good start, but my main concern is whether to go for one large jail for all the restricted users or one small jail per user. I do not have a wealth of real IPs at my disposal but accountability and security are paramount, therefore I would like to use local IPs through NAT (within the one box) whilst retaining the translation logs.
I would like to use one local IP per user in order to keep track of activity. I can afford a few real IPs for the purpose.

The accounts themselves will be supremely limited. No root access, just basics such as ssh, perhaps telnet, mutt etc. I do not want the users to have the ability to run any scripts, so Perl etc. is out, but I suppose the NAT firewall will be a fallback if any compiled programs are uploaded.

Each user account is likely to have email/gpg etc. but I'm happy to control that from the host system with virtual users and simply deliver into the jail. It is not necessary for the jails to run any services, except the ability to SSH in.

As you can see there are factors pulling in both directions; what would you recommend as the best direction to go?

Sincerely,
Elliot Crosby-McCullough