FreeBSD jails access


I want to run an application inside jail so that allowed users can only connect to the jailed environment (application) and nothing else on my box.

But they need to be able to connect to the jail over the network and I have only 1 public ip which is being used by my box.

How can I make the jail accessible to others?

Best Answer

Depending on what service you want people to connect to in the jail, you can either use firewall rules to forward incoming public traffic on public ports to the appropriate port on the jail's private IP, or you can set up a proxy that will do the job for you -- and incidentally add some protection to your jail.

I do this regularly for jails that run web servers. The jails are on private IP addresses, so they don't have access to the web. The only way they can be reached is using an HTTP reverse proxy that runs on the jailserver. You can use Apache or nginx as a reverse proxy, but I prefer "pound" for its simplicity. You can find it in the ports tree at ports/www/pound/.

Other services can use inbound proxies as well. nginx can be used as an IMAP proxy. This is handy if you want to be able to upgrade IMAP without taking it down. Just proxy it to a second jail, upgrade the first jail, then cut over service to the upgraded jail so you can upgrade the standby. Since running a jail takes pretty much no more resources than running something natively on the server, you get all the benefits of virtualization without the performance hit.

If you need people to connect to your box via SFTP, then you either need to use a non-standard port (perhaps with a firewall rule and/or NAT to forward the traffic), or you can set up the SFTP accounts so that they will chroot into the jail directories where they're supposed to be. This doesn't run the SFTP server in the jail, but the result is the same.

If you need to provide shell access to the jail via SSH, then I suspect you have only two options. First would be, as with SFTP, to use a non-standard port and a firewall rule. The second, more complex option, would be to use a shell account on your jail server that has magic variables in the account's .ssh/authorized_keys file. Have a look at man sshd under the "AUTHORIZED_KEYS FILE FORMAT" section.

In brief, you probably want to set up something like command="command" for the keys that will connect to you. The downside is that for anyone who will connect, you will need to get their public key ahead of time. And your clients will obviously need to have keys set up. But the upside is that you can create shell accounts on your jail host that either jexec into the jail, or run another ssh that gets there.
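The first option from the answer, a firewall rule that forwards one public port to the jail's private address, worked through as an added example (this is not code from the answer above). It assumes a jail named www at 10.0.0.10 on a cloned loopback interface lo1, a public interface vtnet0, and public port 8080 forwarded to port 80 inside the jail; all of those values are assumptions to adapt. The jail.conf stanza and the pf rules are produced by functions so they can be inspected and syntax-checked before anything is loaded, and the apply step only runs when asked for explicitly on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the answer above): give a jail a private address on
# a cloned loopback interface and use pf to forward one public TCP port to it,
# so the only thing reachable from outside is that one service.
# Assumed values: jail "www" at 10.0.0.10 on lo1, public interface vtnet0,
# public port 8080 forwarded to port 80 inside the jail. Change to taste.

JAIL_NAME=www
JAIL_IP=10.0.0.10
JAIL_IF=lo1
EXT_IF=vtnet0
PUB_PORT=8080
JAIL_PORT=80

# Reject anything that is not a plain dotted quad before it lands in jail.conf
# or pf.conf (both files would happily take shell-looking garbage as text).
valid_ip4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# jail.conf(5) stanza binding the jail to its private address only.
jail_conf() {
    valid_ip4 "$JAIL_IP" || { echo "bad JAIL_IP: $JAIL_IP" >&2; return 1; }
    cat <<EOF
$JAIL_NAME {
    path = /usr/jails/$JAIL_NAME;
    host.hostname = $JAIL_NAME.example.org;
    ip4.addr = $JAIL_IF|$JAIL_IP;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
}

# pf.conf(5): one rdr for the published port, default deny for everything
# else arriving on the public interface. There is deliberately no nat rule,
# so the jail has no outbound path of its own; add
# "nat on \$ext_if from \$jail_ip to any -> (\$ext_if)" if it needs one.
pf_rules() {
    ext_if=$1; jail_ip=$2; pub_port=$3; jail_port=$4
    cat <<EOF
ext_if = "$ext_if"
jail_ip = "$jail_ip"

set skip on { lo0 $JAIL_IF }
scrub in all

# public:$pub_port -> jail:$jail_port; 'pass' means the filter rules below are skipped for it
rdr pass on \$ext_if proto tcp from any to (\$ext_if) port $pub_port -> \$jail_ip port $jail_port

block in log on \$ext_if
pass in on \$ext_if proto tcp to (\$ext_if) port 22 keep state
pass out on \$ext_if keep state
EOF
}

# Bring it up on the jail host. Writes its own rules file instead of
# clobbering an existing /etc/pf.conf, and syntax-checks before loading.
apply() {
    [ "$(uname -s)" = FreeBSD ] || { echo "run on the FreeBSD jail host as root" >&2; return 1; }
    sysrc cloned_interfaces+="$JAIL_IF" >/dev/null
    sysrc "ifconfig_${JAIL_IF}_alias0=inet $JAIL_IP netmask 255.255.255.255" >/dev/null
    ifconfig "$JAIL_IF" create 2>/dev/null || true
    ifconfig "$JAIL_IF" inet "$JAIL_IP" netmask 255.255.255.255 alias
    jail_conf >> /etc/jail.conf
    pf_rules "$EXT_IF" "$JAIL_IP" "$PUB_PORT" "$JAIL_PORT" > /etc/pf.conf.jail
    pfctl -nf /etc/pf.conf.jail || return 1
    pfctl -f /etc/pf.conf.jail
    sysrc pf_enable=YES pf_rules=/etc/pf.conf.jail jail_enable=YES >/dev/null
    service jail start "$JAIL_NAME"
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it without arguments to just look at the generated stanza and rules (call `jail_conf` or `pf_rules vtnet0 10.0.0.10 8080 80` from an interactive shell after sourcing it); `./jail-publish.sh apply` does the real work. Because the rdr rule is the only way in and the host's own SSH stays on port 22 of the public address, a user of the published service never touches anything else on the box.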

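The authorized_keys command= approach from the last two paragraphs of the answer, as an added example that is not part of the answer itself. It assumes the wrapper is installed as /usr/local/sbin/jail-shell on the jail host and is given the jail name and the user inside the jail as fixed arguments (www and alice here, both assumptions); it enters the jail with jexec -l -U. The only input the client controls is SSH_ORIGINAL_COMMAND, which is passed through so scp, rsync and one-shot commands keep working, and both names are checked so a mistyped or hostile key line cannot be turned into extra jexec options.

```shell
#!/bin/sh
# Added example (not from the answer above): forced-command wrapper for the
# authorized_keys "command=" approach. Assumed to live at
# /usr/local/sbin/jail-shell on the jail host and to be called as
#   jail-shell <jail> <user-inside-jail>
# It drops the caller into the jail with jexec(8), passing through any
# command the client asked for (scp, rsync, one-shot commands) via
# SSH_ORIGINAL_COMMAND. The jail and user names are assumptions.

# Only plain names are accepted: anything else could be read by jexec as an
# option or by the shell as syntax. The key's command= line is written by
# us, so the client has no way to change which jail or user it lands in.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Print the jexec argument vector one element per line (checkable without
# root or a jail): -l gives a clean environment, -U picks the user as known
# inside the jail rather than on the host.
jail_argv() {
    jail=$1; user=$2; orig=$3
    valid_name "$jail" || { echo "jail-shell: bad jail name" >&2; return 1; }
    valid_name "$user" || { echo "jail-shell: bad user name" >&2; return 1; }
    printf '%s\n' jexec -l -U "$user" "$jail" /bin/sh
    if [ -z "$orig" ]; then
        printf '%s\n' -l            # interactive login shell
    else
        printf '%s\n' -c "$orig"    # scp/rsync/one-shot command
    fi
}

# The authorized_keys line to give the key in the host account, with every
# forwarding feature the client could abuse from the host side turned off.
authorized_keys_line() {
    jail=$1; user=$2; pubkey=$3
    printf 'command="/usr/local/sbin/jail-shell %s %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$jail" "$user" "$pubkey"
}

# Entry point when sshd runs us: log who came from where, then replace this
# process with jexec so the caller never holds a shell on the host.
run() {
    jail=$1; user=$2
    valid_name "$jail" && valid_name "$user" || exit 1
    logger -t jail-shell "host user $(id -un) from ${SSH_CLIENT%% *} -> jail $jail as $user" 2>/dev/null
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec jexec -l -U "$user" "$jail" /bin/sh -l
    else
        exec jexec -l -U "$user" "$jail" /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
}

if [ $# -eq 2 ]; then
    run "$1" "$2"
fi
```

The host account that holds the key should have no password and nothing else in its home directory; with the forwarding options off and the command forced, the only thing a connecting key can do is end up inside the jail as the user named on its own line. The same host account can carry several keys, each pinned to a different jail or jail user.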