From owner-freebsd-stable@FreeBSD.ORG Fri Feb 10 08:27:55 2006
Return-Path:
X-Original-To: freebsd-stable@FreeBSD.ORG
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25EFA16A420 for ; Fri, 10 Feb 2006 08:27:55 +0000 (GMT) (envelope-from gemini@geminix.org)
Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id B52AF43D48 for ; Fri, 10 Feb 2006 08:27:54 +0000 (GMT) (envelope-from gemini@geminix.org)
Message-ID: <43EC4E88.2070009@geminix.org>
Date: Fri, 10 Feb 2006 09:27:52 +0100
From: Uwe Doering
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20060129
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-stable@FreeBSD.ORG
References: <200602091603.k19G3iKX019265@lurza.secnetix.de>
In-Reply-To: <200602091603.k19G3iKX019265@lurza.secnetix.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Received: from gemini by geminix.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.60 (FreeBSD)) (envelope-from ) id 1F7TdB-000KPU-1s; Fri, 10 Feb 2006 09:27:53 +0100
Cc:
Subject: Re: OpenVPN within a Jail under 6.x ...
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 10 Feb 2006 08:27:55 -0000

Oliver Fromme wrote:
> Uwe Doering wrote:
> [...]
> > Now, since routes are a global resource in FreeBSD, is there a way to
> > prevent users from other jails on that machine from accessing that VPN,
> > too? If it weren't possible to restrict access to a VPN to the jail it
> > is associated with, the VPN would no longer be private, I'd think.
>
> Every jail has its own IP address. Connections originating
> from a jail are forced to use the jail's IP address as their
> source address. Therefore you can use a packet filter (IPFW
> or PF) to control where those packets are allowed to go.
> [...]

Thanks for pointing that out. I must admit that I hadn't thought this
through very thoroughly. Now that you mention the fixed nature of a
jail's IP address, it is kind of obvious that you can filter on the
source address.

However, I believe there is still a snag. People tend to pick the same
IP networks from the range of official private IP addresses for their
internal LANs. If you wanted to set up VPN tunnels to these LANs for a
larger number of jails belonging to individual "owners", there is some
likelihood that the routes to these LANs would overlap. That is, since
you cannot _route_ based on the source address of IP packets, at some
point you would have a clash of interests between two or more owners of
said jails. As the administrator of the machine that carries these
jails, you would ultimately have to take a decision on who can have a
VPN tunnel and who not.

Provided my analysis is correct, this would mean that the approach of
using just a packet filter for access control doesn't scale very well.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
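The two points made in this exchange, that a jail's fixed source address lets a packet filter confine each jail to its own tunnel, and that the host's single, destination-only routing table cannot serve two jails whose remote LANs overlap, can be checked mechanically from a jail inventory. The following script is an added example written for this thread, not code posted by either participant or shipped with FreeBSD; the jail table, addresses and tunnel names in it are constructed, and the emitted rules use pf syntax as an illustration of the per-source-address filtering Oliver describes.

```python
"""Per-jail VPN isolation helper (added example, constructed data).

Given a table of jails (fixed jail IP, the tun interface its OpenVPN
instance owns, and the remote private LAN behind that tunnel), this
script:
  1. emits pf rules that let only that jail's source address reach its
     own remote LAN over its own tunnel, dropping everything else that
     tries to leave via a tunnel interface; and
  2. reports pairs of jails whose remote LANs overlap, which is exactly
     the case the host routing table cannot satisfy, because routes are
     global and selected on destination only, never on source address.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: jail name -> (jail IP, tunnel interface, remote LAN).
# "gamma" deliberately chooses a LAN inside "alpha"'s LAN to show the clash.
JAILS = {
    "alpha": ("10.1.0.11", "tun0", "192.168.1.0/24"),
    "beta":  ("10.1.0.12", "tun1", "192.168.2.0/24"),
    "gamma": ("10.1.0.13", "tun2", "192.168.1.128/25"),
}


def find_route_clashes(jails):
    """Return sorted (jail_a, jail_b) pairs whose remote networks overlap.

    Two overlapping destinations pointed at different tunnels cannot both
    be installed as usable routes on one host, so each pair here needs an
    administrative decision, as the thread notes.
    """
    clashes = []
    for (a, (_, _, net_a)), (b, (_, _, net_b)) in combinations(sorted(jails.items()), 2):
        if ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b)):
            clashes.append((a, b))
    return clashes


def pf_rules(jails):
    """Build pf rules that confine each jail's source address to its tunnel.

    'quick' makes pf stop at the first matching rule, so the per-jail pass
    rules come first and a catch-all block per tunnel interface closes the
    set. Packets from any other jail's address that the global routing
    table would otherwise steer into a tunnel are dropped there.
    """
    lines = []
    for name, (ip, tun, net) in sorted(jails.items()):
        ipaddress.ip_address(ip)  # validates the jail address; raises on garbage
        lines.append(f"# jail {name}: only its own address may use {tun}")
        lines.append(f"pass out quick on {tun} inet from {ip} to {net} keep state")
    for tun in sorted({tun for _, tun, _ in jails.values()}):
        lines.append(f"block out quick on {tun} all")
    return lines


if __name__ == "__main__":
    print("\n".join(pf_rules(JAILS)))
    for a, b in find_route_clashes(JAILS):
        print(f"route clash: jails {a!r} and {b!r} have overlapping remote LANs")
```

Running it prints three pass rules, three block rules and one clash line for alpha/gamma. The filter rules solve the "other jails must not reach my VPN" problem; the clash report shows the limit Uwe identifies: the filter can only choose among routes the host already has, and overlapping remote LANs leave the host with one route to install for two owners.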