Date: Thu, 9 Feb 2006 17:03:44 +0100 (CET)
Message-Id: <200602091603.k19G3iKX019265@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <43EB294A.6090609@geminix.org>
Subject: Re: OpenVPN within a Jail under 6.x ...

Uwe Doering wrote:
> Talking about security, while I haven't worked with VPNs so far I
> believe that there needs to be a route installed in order to forward
> packets to the remote end of the VPN connection.

In general, yes, you need a route.

However, it depends on what you're using the VPN connection for. If you only need it to access a single host or network on the other side, then the interface route might be sufficient (it's created automatically by ifconfig(8)). Conversely, if you want to use the VPN connection as your uplink, you must set the default route to the VPN link.

> Now, since routes are a global resource in FreeBSD, is there a way to
> prevent users from other jails on that machine from accessing that VPN,
> too? If it weren't possible to restrict access to a VPN to the jail it
> is associated with the VPN would no longer be private I'd think.

Every jail has its own IP address. Connections originating from a jail are forced to use the jail's IP address as their source address. Therefore you can use a packet filter (IPFW or PF) to control where those packets are allowed to go.

For example, assume you have a jail with IP 10.20.30.40 that is allowed to use a VPN on interface tun5. These IPFW rules will implement that policy:

   allow ip from 10.20.30.40 to any out xmit tun5
   deny ip from any to any out xmit tun5

Of course, that's just a very simple example. You can use other rules to further restrict the packets, and you can also control incoming packets in a similar way.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"When your hammer is C++, everything begins to look like a thumb."
        -- Steve Haflich, in comp.lang.c++
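The two rules in the message above cover one jail and the outbound direction only. The following POSIX sh script is an added example, not part of Oliver's post and not FreeBSD's own code: it generates the corresponding IPFW rules for both directions (`out xmit` for packets leaving via the tunnel, `in recv` for packets arriving from it) for a table of jail-to-tunnel assignments, so that each jail can only use the tun interface assigned to it. The jail addresses, interface names and rule numbers are constructed for illustration; the script only prints the `ipfw add` commands so it can be reviewed before being fed to the shell on the jail host.

```sh
#!/bin/sh
# Added example (not from the original post): emit IPFW rules that confine a
# jail's traffic to its own tun interface in both directions. All jail IPs,
# interface names and rule numbers below are constructed assumptions.

# vpn_jail_rules JAIL_IP IFACE BASE_RULE
# Prints four "ipfw add" commands, numbered from BASE_RULE upward so that the
# allow rule is matched before the deny rule (IPFW stops at the first match):
#   outbound: only JAIL_IP may transmit on IFACE, all other sources are denied;
#   inbound:  only packets addressed to JAIL_IP may arrive from IFACE.
vpn_jail_rules() {
    jail_ip=$1; iface=$2; base=$3
    printf 'ipfw add %d allow ip from %s to any out xmit %s\n' "$base" "$jail_ip" "$iface"
    printf 'ipfw add %d deny ip from any to any out xmit %s\n' $((base + 10)) "$iface"
    printf 'ipfw add %d allow ip from any to %s in recv %s\n' $((base + 20)) "$jail_ip" "$iface"
    printf 'ipfw add %d deny ip from any to any in recv %s\n' $((base + 30)) "$iface"
}

# gen_ruleset reads "jail_ip iface" pairs from stdin and gives each pair its own
# block of rule numbers, 100 apart, starting at 1000 (arbitrary starting point).
gen_ruleset() {
    base=1000
    while read -r jail_ip iface; do
        [ -n "$jail_ip" ] || continue          # skip blank lines
        vpn_jail_rules "$jail_ip" "$iface" "$base"
        base=$((base + 100))
    done
}

# Constructed jail-to-tunnel mapping: two jails, each with its own tunnel.
gen_ruleset <<'EOF'
10.20.30.40 tun5
10.20.30.41 tun6
EOF
```

Two points to check before loading such rules: the generated block must be numbered lower than any general `allow ip from any to any` already in the ruleset, or it never gets a chance to match; and the deny rules also block the host itself from using the tunnel, so if the host (not just the jail) needs the VPN, add an allow rule for the host's own address in front of the deny.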