Two jail questions

[Steve Kargl]

1) If an application (e.g., sshd) needs to reach the internet from a
   jail, is it required to have the host system running pf (or other
   packet filtering software)?

2) Suppose I have to classes of users on a system: normal users and
   guest users.  For normal users (including those that are members
   of the wheel group), I would like those individuals to be able
   to use ssh to connect to the host system.  For guest users, I 
   want to isolate those users in a jailed environment.  Thus, I'll
   have sshd running in both the host and jail.  How do I setup 
   such a scheme?

-- 
Steve