Re: VM system for firewall use

[Ng Pheng Siong <ngps () netmemetic com>]

On Tue, Oct 12, 2004 at 11:10:25AM -0400, Christopher Hicks wrote:
> Scenario: a compartment gets compromised.  If that compartment is in a 
> JAIL/MAC environment then what that compromise can accomplish is 
> effectively minimized.  In the VM environment the compromise would 
> compromise that entire VM and that VM could communicate with any other VM 
> in any way it pleased.

Either way it is up to the host's firewall rules. 

I run FreeBSD jails. Some of my jails run on RFC 1918 addresses on lo0.
Packet forwarding by the host allows these jails to serve HTTP to the
world. The jail cannot initiate traffic outwards. 

I've built minimal jails with just a few stock executables each. (Stock
meaning these are executables built from open source software packages in
their standard fashion.) One example is Squeak Smalltalk.  /etc/passwd is
still needed because I do something like 'su - www -c "squeak"' to start
the server automatically. I can easily write an su clone that doesn't
consult /etc/passwd.

I've also run the vm Qemu in a jail. Performance sucked on my lowly test
machine, but the jail+vm combo approach seems feasible.

(I talk about FreeBSD jails running Common Lisp and Smalltalk servers now
and then on my blog.)

Cheers.

-- 
Ng Pheng Siong <ngps () netmemetic com> 
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards