Two jail questions
Steve Kargl
sgk at troutmask.apl.washington.edu
Thu Oct 19 18:00:39 UTC 2017
On Thu, Oct 19, 2017 at 12:46:14PM -0500, Adam Vande More wrote:
> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl <sgk at troutmask.apl.washington.edu> wrote:
>
> >
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> > jail, is it required to have the host system running pf (or other
> > packet filtering software)?
> >
>
> No. See VNET/VIMAGE
Thanks for the pointer. I haven't looked at vnet/vimage yet.
All the examples I found via google suggested that packet
filtering was necessary. The host system, on which I'm setting
up the jail, already sits behind 2 firewalls. Adding a third
seemed to be overkill (unless required for the jail!).
> > 2) Suppose I have two classes of users on a system: normal users and
> > guest users. For normal users (including those that are members
> > of the wheel group), I would like those individuals to be able
> > to use ssh to connect to the host system. For guest users, I
> > want to isolate those users in a jailed environment. Thus, I'll
> > have sshd running in both the host and jail. How do I setup
> > such a scheme?
> >
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
So, then this comes down to
ssh normal at a.b.c.d <-- host system's sshd listening on default port
ssh -p 1111 guest at a.b.c.d <-- jailed sshd listening on port 1111
--
Steve
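The two layouts Adam describes (a jail sharing the host's IP with sshd on a second port, and a VNET jail with its own stack), written out as an added configuration example that is not part of this thread or of FreeBSD's own documentation. The jail name `guest`, the NIC `em0`, `bridge0`, the path `/jails/guest`, the group names in `AllowGroups` and the placeholder address `a.b.c.d` are assumptions; adjust to the real host.

```conf
# /etc/jail.conf on the host (added example; names and addresses are assumed)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";

# Variant A: the jail shares the host's network stack and IP address.
# No packet filter is involved. The jailed sshd must listen on a port
# the host's sshd does not use, otherwise its bind() fails with EADDRINUSE.
guest {
    host.hostname = "guest.example.org";
    interface = "em0";
    ip4.addr  = "a.b.c.d";
}

# Variant B: VNET jail with its own network stack. Needs a kernel built with
# "options VIMAGE" (in GENERIC from FreeBSD 12.0; earlier releases need a
# custom kernel). One end of an epair is bridged onto the host NIC, the other
# end moves into the jail, whose own /etc/rc.conf then configures it
# (ifconfig_epair0b="inet ..." and defaultrouter) like any ordinary host.
# A packet filter is only needed if the jail's address has to be NATed.
#guest {
#    host.hostname  = "guest.example.org";
#    vnet;
#    vnet.interface = "epair0b";
#    exec.prestart  = "ifconfig epair0 create up";
#    exec.prestart += "ifconfig bridge0 create";
#    exec.prestart += "ifconfig bridge0 addm em0 addm epair0a up";
#    exec.poststop  = "ifconfig bridge0 destroy";
#    exec.poststop += "ifconfig epair0a destroy";
#}

# /jails/guest/etc/ssh/sshd_config (Variant A): a port that cannot collide
# with the host's sshd on a.b.c.d:22. Start it with sshd_enable="YES" in the
# jail's /etc/rc.conf; guests are then "ssh -p 1111 guest@a.b.c.d".
Port 1111
ListenAddress a.b.c.d:1111

# /etc/ssh/sshd_config on the host: pin the listener to the address and port
# (a wildcard bind would also claim port 22 for every jail address) and keep
# the host sshd to the normal-user groups; guest accounts live only in the
# jail's own /etc/passwd.
ListenAddress a.b.c.d:22
AllowGroups wheel users
```

With Variant B the port trick is unnecessary: the jail gets its own address on the epair, so both sshds can sit on port 22 and the host firewalls upstream already cover it, unless the jail's address is private and needs NAT on the host, which is the case in which pf (or ipfw) on the host is actually required.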