Date: Thu, 9 Feb 2006 17:03:44 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: OpenVPN within a Jail under 6.x ...
Message-ID: <200602091603.k19G3iKX019265@lurza.secnetix.de>
In-Reply-To: <43EB294A.6090609@geminix.org>
Uwe Doering <gemini@geminix.org> wrote:
 > Talking about security, while I haven't worked with VPNs so far I
 > believe that there needs to be a route installed in order to forward
 > packets to the remote end of the VPN connection.

In general, yes, you need a route.  However, it depends on what
you're using the VPN connection for.  If you only need it to
access a single host or network on the other side, then the
interface route might be sufficient (it's created automatically
by ifconfig(8)).  Conversely, if you want to use the VPN connection
as your uplink, you must set the default route to the VPN link.

 > Now, since routes are a global resource in FreeBSD, is there a way to
 > prevent users from other jails on that machine from accessing that VPN,
 > too?  If it weren't possible to restrict access to a VPN to the jail it
 > is associated with the VPN would no longer be private I'd think.

Every jail has its own IP address.  Connections originating from
a jail are forced to use the jail's IP address as their source
address.  Therefore you can use a packet filter (IPFW or PF) to
control where those packets are allowed to go.

For example, assume you have a jail with IP 10.20.30.40 that is
allowed to use a VPN on interface tun5.  These IPFW rules will
implement that policy:

   allow ip from 10.20.30.40 to any out xmit tun5
   deny ip from any to any out xmit tun5

Of course, that's just a very simple example.  You can use other
rules to further restrict the packets, and you can also control
incoming packets in a similar way.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"When your hammer is C++, everything begins to look like a thumb."
        -- Steve Haflich, in comp.lang.c++
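As an added illustration of the packet-filter policy described in the message above (this is editor-supplied example code, not something Oliver posted), the script below generates an ipfw(8) ruleset that pins interface tun5 to the jail at 10.20.30.40 in both directions. The outbound pair is the one from the message; the inbound pair (allow only packets addressed to the jail's IP arriving via tun5, drop the rest) is the "similar way" the message alludes to and is an assumption about what a practitioner would add, as are the rule numbers 1000 to 1030 and the APPLY switch. Because IPFW is first-match, the chosen base number must sort before any broad "allow ip from any to any" rule already on the host, otherwise these rules never fire.

```shell
#!/bin/sh
# Editor-supplied example, not from the original post. The jail IP and
# interface follow the post (10.20.30.40, tun5); the rule numbers and the
# inbound mirror rules are assumptions.

# gen_vpn_rules JAIL_IP TUN_IF [BASE]
# Print ipfw(8) commands so that only JAIL_IP may send out of TUN_IF and only
# packets addressed to JAIL_IP may arrive via TUN_IF. Everything else on that
# interface, including traffic from other jails and from the host itself,
# is dropped. IPFW is first-match, so BASE must be lower than any broad
# "allow ip from any to any" rule already present.
gen_vpn_rules() {
    jail_ip=$1
    tun_if=$2
    base=${3:-1000}
    printf 'ipfw add %d allow ip from %s to any out xmit %s\n' \
        "$base" "$jail_ip" "$tun_if"
    printf 'ipfw add %d deny ip from any to any out xmit %s\n' \
        $((base + 10)) "$tun_if"
    printf 'ipfw add %d allow ip from any to %s in recv %s\n' \
        $((base + 20)) "$jail_ip" "$tun_if"
    printf 'ipfw add %d deny ip from any to any in recv %s\n' \
        $((base + 30)) "$tun_if"
}

# valid_ipv4 ADDR: 0 if ADDR looks like a dotted-quad IPv4 address.
# A typo in the jail IP would make the deny rules cut the jail off from
# its own VPN, so refuse to emit rules for anything that is not plausible.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# apply_vpn_rules JAIL_IP TUN_IF [BASE]
# Validate, then either print the rules (default) or feed them to the shell
# when APPLY=1 and ipfw(8) is present, i.e. when run as root on the FreeBSD
# host that owns the jail and the tun interface.
apply_vpn_rules() {
    valid_ipv4 "$1" || { echo "bad jail IP: $1" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
        gen_vpn_rules "$1" "$2" "$3" | sh
    else
        gen_vpn_rules "$1" "$2" "$3"
    fi
}

# Dry run with the values from the post; set APPLY=1 on the host to load them.
apply_vpn_rules 10.20.30.40 tun5 1000
```

Run without APPLY to review the four generated commands; then `ipfw list` on the host after loading should show them ahead of any catch-all allow rule. Note that the deny rules also stop the host's own daemons from using tun5, which is the intended effect if the VPN belongs to that jail alone.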