From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
Date: Fri, 10 Feb 2006 11:37:25 +0100 (CET)
Subject: Re: OpenVPN within a Jail under 6.x ...
Message-Id: <200602101037.k1AAbPw9057206@lurza.secnetix.de>
In-Reply-To: <43EC4E88.2070009@geminix.org>

Uwe Doering wrote:
> Oliver Fromme wrote:
> > Uwe Doering wrote:
> > [...]
> > > Now, since routes are a global resource in FreeBSD, is there a way to
> > > prevent users from other jails on that machine from accessing that VPN,
> > > too? If it weren't possible to restrict access to a VPN to the jail it
> > > is associated with, the VPN would no longer be private, I'd think.
> >
> > Every jail has its own IP address. Connections originating
> > from a jail are forced to use the jail's IP address as their
> > source address. Therefore you can use a packet filter (IPFW
> > or PF) to control where those packets are allowed to go.
> > [...]
>
> Thanks for pointing that out. I must admit that I hadn't thought this
> through very thoroughly. Now that you mention the fixed nature of a
> jail's IP address, it is kind of obvious that you can filter on the
> source address.
>
> However, I believe there is still a snag. People tend to pick the same
> IP networks from the range of official private IP addresses for their
> internal LANs. If you wanted to set up VPN tunnels to these LANs for a
> larger number of jails belonging to individual "owners", there is some
> likelihood that the routes to these LANs would overlap.

Yes, but that's a more generic problem. When you connect various LANs
(no matter if by VPN tunnels or other means), then you should make sure
that their addresses don't overlap. It's a question of careful planning
and design. If you manage such a set of LANs, make sure that you assign
different address ranges to each of them.

> That is, since
> you cannot _route_ based on the source address of IP packets,

Well, you can. At least to some extent, routing by source IP can be
accomplished using IPFW's FWD feature.

However, that doesn't help much when you need to connect networks with
overlapping address ranges. IP addresses are required to uniquely
identify a machine. If you have overlapping LANs, it's not possible
anymore to uniquely identify a machine by IP number, no matter what you
do. That problem exists independently of VPNs and jails.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I made up the term 'object-oriented', and I can tell you I didn't
have C++ in mind." -- Alan Kay, OOPSLA '97
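One way to implement the source-address filtering discussed above, as an added example that is not part of the thread: a pf.conf fragment for the jail host that binds the tunnel to the owning jail's fixed IP address. The interface name, jail addresses and remote LAN prefix are placeholders, not values from the original message.

```pf
# Added example, not from the thread. pf.conf fragment for the jail host.
# Placeholder names and addresses (assumptions, not from the message):
#   tun0          OpenVPN tunnel interface belonging to jail A
#   192.0.2.10    jail A's fixed IP address (the VPN's "owner")
#   192.0.2.11    jail B, another jail on the same host
#   10.8.0.0/24   remote LAN reachable only through the tunnel
vpn_if  = "tun0"
vpn_lan = "10.8.0.0/24"
jail_a  = "192.0.2.10"
table <other_jails> const { 192.0.2.11 }

set skip on lo0

# Default deny on the tunnel; the rest of the host's policy is omitted.
block log on $vpn_if all

# The route to $vpn_lan is global, so jail B's packets would also be sent
# down tun0. A jailed process cannot choose another source address, so
# matching on the source address is enough to keep the other jails out.
pass out quick on $vpn_if inet from $jail_a to $vpn_lan keep state
block out log quick on $vpn_if inet from <other_jails> to any

# Replies and inbound connections from the remote LAN may only reach jail A.
pass in quick on $vpn_if inet from $vpn_lan to $jail_a keep state
block in log quick on $vpn_if inet from $vpn_lan to <other_jails>
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; the `block ... log` rules make rejected cross-jail attempts visible on pflog0.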