Two jail questions

Mark Moellering markmoellering at psyberation.com
Thu Oct 19 17:57:35 UTC 2017


> 2) Suppose I have two classes of users on a system: normal users and
>    guest users.  For normal users (including those that are members
>    of the wheel group), I would like those individuals to be able
>    to use ssh to connect to the host system.  For guest users, I
>    want to isolate those users in a jailed environment.  Thus, I'll
>    have sshd running in both the host and jail.  How do I set up
>    such a scheme?
>

> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail

To expand on what was previously said:
Normally, when you set up a jail, you set it up like a mini virtual server
(with a few caveats...).  So it should have its own IP address and it will
have its own instance of sshd and its own set of users.
For completeness, you would create a virtual IP (or one for each jail, in
the case of multiple jails) and assign the virtual IP to the jail.  It will
appear as a separate server on the network.
You can't run pf from a jail; that has to be on the main host.  You also
can't run NFS from a jail (something I spent many hours on some time ago).
You do need to make sure that daemons on the main host don't try to listen
on all ports.  I used "Absolute FreeBSD" by Michael Lucas as a guide for
this.  (Full disclosure, I know him personally.)

Mark Moellering
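One way to act on the "don't let host daemons listen on all ports" advice, as an added example that is not from this thread: a shell check that parses sockstat(1) output and flags host daemons bound to the wildcard address, since such a listener also answers on the jail's IP. It assumes the column layout USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS and uses a constructed sample instead of live output.

```shell
#!/bin/sh
# Added example, not from the thread. Flags host listeners bound to "*",
# which would also receive connections aimed at a jail's IP address.

# Constructed sample of `sockstat -4l` output (host sshd on *, jail sshd on
# 192.0.2.10, host syslogd on *, named bound to one host address).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
root     sshd       2345  4  tcp4   192.0.2.10:22         *:*
root     syslogd    987   6  udp4   *:514                 *:*
bind     named      1122  20 tcp4   192.0.2.1:53          *:*'

# wildcard_listeners: read sockstat-style text on stdin, skip the header,
# and print "COMMAND PROTO LOCAL" for every socket whose local address is *.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# check_host_listeners TEXT: return 1 and list offenders on stderr when any
# wildcard listener is present in TEXT, return 0 otherwise.
check_host_listeners() {
    offenders=$(printf '%s\n' "$1" | wildcard_listeners)
    if [ -n "$offenders" ]; then
        printf 'wildcard listeners on host:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# On a real host replace the sample with: sockstat -4l
if check_host_listeners "$SAMPLE_SOCKSTAT"; then
    echo "ok: no host daemon listens on the wildcard address"
fi
```

With VNET jails (the independent networking stack Adam mentions) this concern goes away, because the jail then has its own interfaces and address table.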

On Thu, Oct 19, 2017 at 1:46 PM, Adam Vande More <amvandemore at gmail.com>
wrote:

> On Thu, Oct 19, 2017 at 12:32 PM, Steve Kargl
> <sgk at troutmask.apl.washington.edu> wrote:
>
> >
> > 1) If an application (e.g., sshd) needs to reach the internet from a
> >    jail, is it required to have the host system running pf (or other
> >    packet filtering software)?
> >
>
> No.  See VNET/VIMAGE
>
>
> > 2) Suppose I have two classes of users on a system: normal users and
> >    guest users.  For normal users (including those that are members
> >    of the wheel group), I would like those individuals to be able
> >    to use ssh to connect to the host system.  For guest users, I
> >    want to isolate those users in a jailed environment.  Thus, I'll
> >    have sshd running in both the host and jail.  How do I set up
> >    such a scheme?
> >
>
> sshd in the jail needs to run on a different port if you're using the same
> ip, otherwise if you use an independent networking stack you would
> configure as normal.
>
> User X on host != User X on jail
>
> --
> Adam

