Date: Fri, 10 Feb 2006 09:27:52 +0100
From: Uwe Doering <gemini@geminix.org>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: OpenVPN within a Jail under 6.x ...
Message-ID: <43EC4E88.2070009@geminix.org>
In-Reply-To: <200602091603.k19G3iKX019265@lurza.secnetix.de>
References: <200602091603.k19G3iKX019265@lurza.secnetix.de>
Oliver Fromme wrote:
> Uwe Doering <gemini@geminix.org> wrote:
> [...]
> > Now, since routes are a global resource in FreeBSD, is there a way to
> > prevent users from other jails on that machine from accessing that VPN,
> > too? If it weren't possible to restrict access to a VPN to the jail it
> > is associated with, the VPN would no longer be private, I'd think.
>
> Every jail has its own IP address. Connections originating
> from a jail are forced to use the jail's IP address as their
> source address. Therefore you can use a packet filter (IPFW
> or PF) to control where those packets are allowed to go.
> [...]

Thanks for pointing that out. I must admit that I hadn't thought this through very thoroughly. Now that you mention the fixed nature of a jail's IP address, it is kind of obvious that you can filter on the source address.

However, I believe there is still a snag. People tend to pick the same IP networks from the range of official private IP addresses for their internal LANs. If you wanted to set up VPN tunnels to these LANs for a larger number of jails belonging to individual "owners", there is some likelihood that the routes to these LANs would overlap. That is, since you cannot _route_ based on the source address of IP packets, at some point you would have a clash of interests between two or more owners of said jails. As the administrator of the machine that carries these jails, you would ultimately have to take a decision on who can have a VPN tunnel and who cannot.

Provided my analysis is correct, this would mean that the approach of using just a packet filter for access control doesn't scale very well.

Uwe
-- 
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
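The source-address filtering Oliver suggests, written out as a PF ruleset; this is an added example, not part of the thread or of any poster's setup. It assumes two jails on the host, jail A at 192.0.2.10 owning the OpenVPN tunnel tun0 to 10.1.0.0/24 and jail B at 192.0.2.20 owning tun1 to 10.2.0.0/24 (all addresses, interface names and the /etc/pf.conf placement are assumptions).

```pf
# /etc/pf.conf fragment (added example, not from the mailing-list thread).
# Assumed values: jail A = 192.0.2.10 owns tun0 -> 10.1.0.0/24,
#                 jail B = 192.0.2.20 owns tun1 -> 10.2.0.0/24.
jail_a = "192.0.2.10"
jail_b = "192.0.2.20"
vpn_a  = "10.1.0.0/24"
vpn_b  = "10.2.0.0/24"

# Jail traffic is forced to carry the jail's own IP as source, so the
# source address is a reliable handle for filtering.
# Default: nothing leaves or enters a tunnel unless a rule below allows it.
block log on { tun0, tun1 }

# Only jail A may use tun0, and only towards its own remote LAN.
pass out quick on tun0 inet from $jail_a to $vpn_a keep state
pass in  quick on tun0 inet from $vpn_a to $jail_a keep state

# Only jail B may use tun1, and only towards its own remote LAN.
pass out quick on tun1 inet from $jail_b to $vpn_b keep state
pass in  quick on tun1 inet from $vpn_b to $jail_b keep state

# Caveat raised in the thread: the kernel routing table is global and
# picks an interface by destination only. If both remote LANs were
# 10.1.0.0/24, packets from jail B would be routed to tun0 and simply
# dropped by the block rule above; filtering cannot send them to tun1.
```

Blocked traffic is logged (pflog0), which is where an administrator would see one jail attempting to reach another jail's VPN network.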