From: Malachi de Ælfweald
Reply-To: malachid@gmail.com
To: Elliot Crosby-McCullough
Cc: freebsd-questions@freebsd.org
Date: Tue, 13 Sep 2005 06:55:44 -0700
Subject: Re: Requesting advice on Jail technique.

I have been getting ready to do one-jail per domain myself.
The key though is that if you want to support any port (and specifically things like ssh) they have to have a public IP address (or 1:1 NAT)... i.e., if the ssh server is running under each jail, you need to know by IP address which one to log into.

You could probably get away with not doing that if they had to ssh into 1 public IP address, and have a login script that auto-ssh's to a different IP on the local network from there ... but that will take a lot more work.

For security, I would say you want multiple jails -- since any one logging in can screw the rest -- but that is going to be dependent on how many IPs you want to purchase.

Malachi

On 9/13/05, Elliot Crosby-McCullough wrote:
>
> Dear all,
>
> I will shortly be creating a public service on a private box that will
> include shell access to untrusted users and would like your opinion on
> the best way to go about this.
>
> Obviously jails are a good start, but my main concern is whether to go
> for one large jail for all the restricted users or one small jail per
> user.
>
> I do not have a wealth of real IPs at my disposal but accountability
> and security is paramount, therefore I would like to use local IPs
> through NAT (within the one box) whilst retaining the translation logs.
> I would like to use one local IP per user in order to keep track of
> activity. I can afford a few real IPs for the purpose.
>
> The accounts themselves will be supremely limited. No root access,
> just basics such as ssh, perhaps telnet, mutt etc. I do not want the
> users to have the ability to run any scripts, so perl etc is out, but I
> suppose the NAT firewall will be a fallback if any compiled programs are
> uploaded.
>
> Each user account is likely to have email/gpg etc but I'm happy to
> control that from the host system with virtual users and simply deliver
> into the jail.
> It is not necessary for the jails to run any services,
> except the ability to SSH in.
>
> As you can see there are factors pulling in both directions, what would
> you recommend as the best direction to go?
>
> Sincerely,
> Elliot Crosby-McCullough
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
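The layout the two messages discuss (one jail per user on a private address, one shared public IP in front with 1:1-style port forwarding for ssh, and translation logs kept for accountability), as an added example that is not from either poster: a shell script that emits pf.conf and jail.conf fragments for it. It assumes modern jail.conf(5) syntax rather than the 2005-era rc.conf jail variables, and every address, interface, port and user name in it is constructed.

```shell
#!/bin/sh
# Emits pf.conf and jail.conf fragments for the layout discussed above:
# one jail per user on a private IP, one shared public address in front,
# a distinct forwarded ssh port per user, and logged filter rules so each
# translated connection can be tied back to a jail (and so to a user).
# Every address, interface, port and user name here is constructed.
set -eu

PUB_IP="203.0.113.10"   # public address on the host (documentation range)
EXT_IF="em0"            # external interface
JAIL_IF="lo1"           # cloned loopback carrying the jail addresses
JAIL_NET="10.0.0.0/24"

# Constructed user table: user name, private jail IP, external ssh port.
JAILS="alice 10.0.0.11 2211
bob 10.0.0.12 2212"

gen_pf_conf() {
    printf 'ext_if = "%s"\njail_if = "%s"\n' "$EXT_IF" "$JAIL_IF"
    printf 'jail_net = "%s"\npub_ip = "%s"\n\n' "$JAIL_NET" "$PUB_IP"
    # Outbound: hide every jail behind the single public address.
    printf 'nat on $ext_if from $jail_net to any -> $pub_ip\n'
    # Inbound: one external port per user, forwarded only to that user's sshd.
    printf '%s\n' "$JAILS" | while read -r user ip port; do
        printf 'rdr on $ext_if proto tcp from any to $pub_ip port %s -> %s port 22 # %s\n' \
            "$port" "$ip" "$user"
    done
    printf '\nblock log all\n'
    # Jail-to-jail traffic is delivered over lo0 on FreeBSD, so no interface
    # is named here and lo0 must not be in "set skip". Logged rules go to
    # pflog0; the private-IP column of the user table gives the user.
    printf 'block log quick from $jail_net to $jail_net\n'
    printf 'pass quick on lo0 from 127.0.0.1 to 127.0.0.1\n'
    printf 'pass in log on $ext_if proto tcp to $jail_net port 22 keep state\n'
    printf 'pass out log on $ext_if from $pub_ip keep state\n'
}

gen_jail_conf() {
    printf 'exec.start = "/bin/sh /etc/rc";\nexec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf 'mount.devfs;\nallow.raw_sockets = 0;\nsecurelevel = 3;\n\n'
    printf '%s\n' "$JAILS" | while read -r user ip port; do
        printf '%s {\n    path = "/jails/%s";\n    host.hostname = "%s.jail.example";\n' \
            "$user" "$user" "$user"
        printf '    ip4.addr = "%s|%s/32";\n}\n' "$JAIL_IF" "$ip"
    done
}

gen_pf_conf; gen_jail_conf
```

Filter rules see packets after translation, which is why the outbound pass rule matches on the public address and the inbound one on the jail network; the user table is what turns a logged private IP back into a user.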