Date:      Thu, 19 Oct 2017 11:00:38 -0700
From:      Steve Kargl <sgk@troutmask.apl.washington.edu>
To:        Adam Vande More <amvandemore@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Two jail questions
Message-ID:  <20171019180038.GA32097@troutmask.apl.washington.edu>
In-Reply-To: <CA+tpaK2c99mSXXPVWLQL0q_+kJ-xtoLzJtjLqbxDzwTM5KKhNg@mail.gmail.com>
References:  <20171019173224.GA31648@troutmask.apl.washington.edu> <CA+tpaK2c99mSXXPVWLQL0q_+kJ-xtoLzJtjLqbxDzwTM5KKhNg@mail.gmail.com>

On Thu, Oct 19, 2017 at 12:46:14PM -0500, Adam Vande More wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl <sgk@troutmask.apl.washington.
> edu> wrote:
> 
> >
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> >    jail, is it required to have the host system running pf (or other
> >    packet filtering software)?
> >
> 
> No.  See VNET/VIMAGE

Thanks for the pointer.  I haven't looked at vnet/vimage yet.
All the examples I found via google suggested that packet
filtering was necessary.  The host system, on which I'm setting
up the jail, already sits behind 2 firewalls.  Adding a third
seemed to be overkill (unless required for the jail!).

> > 2) Suppose I have two classes of users on a system: normal users and
> >    guest users.  For normal users (including those that are members
> >    of the wheel group), I would like those individuals to be able
> >    to use ssh to connect to the host system.  For guest users, I
> >    want to isolate those users in a jailed environment.  Thus, I'll
> >    have sshd running in both the host and jail.  How do I set up
> >    such a scheme?
> >
> 
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.

So, then this comes down to

ssh normal@a.b.c.d         <-- host system's sshd listening on default port
ssh -p 1111 guest@a.b.c.d  <-- jailed sshd listening on port 1111

-- 
Steve
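As an added example (not from the thread or from FreeBSD's own documentation), here is one way to wire up the scheme above: the jail shares a.b.c.d with the host, its sshd listens on 1111, and the host's sshd is told explicitly which groups may log in so guest accounts never reach the host on port 22. The jail path /jails/guest, the interface em0, and the group names staff and guests are assumptions.

```conf
# /etc/jail.conf on the host (added example; path, interface and group
# names are assumptions; a.b.c.d is the shared address from the thread)
guest {
    path = "/jails/guest";
    host.hostname = "guest.example.org";
    interface = "em0";
    ip4.addr = "a.b.c.d";                # same address the host uses
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}

# /jails/guest/etc/rc.conf (inside the jail)
sshd_enable="YES"

# /jails/guest/etc/ssh/sshd_config (inside the jail)
# The jail shares a.b.c.d with the host, so its sshd cannot also bind
# port 22; move it to 1111 as discussed in the thread.
Port 1111
AllowGroups guests                       # guest accounts live only here
PermitRootLogin no

# /etc/ssh/sshd_config (host)
# Stay on the default port and name the groups allowed in, so a guest
# account that ends up on the host by mistake still cannot log in there.
Port 22
AllowGroups wheel staff                  # "staff" = normal users (assumed)
PermitRootLogin no
```

After `service jail start guest` and `service sshd restart` on the host, `sockstat -4l` on the host should show one sshd bound to *:22 and a second one, in jail guest, bound to a.b.c.d:1111.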