Firewall Wizards mailing list archives
Re: VM system for firewall use
From: Ng Pheng Siong <ngps () netmemetic com>
Date: Wed, 13 Oct 2004 09:05:11 +0800
On Tue, Oct 12, 2004 at 11:10:25AM -0400, Christopher Hicks wrote:
> Scenario: a compartment gets compromised. If that compartment is in a JAIL/MAC environment then what that compromise can accomplish is effectively minimized. In the VM environment the compromise would compromise that entire VM and that VM could communicate with any other VM in any way it pleased.
Either way it is up to the host's firewall rules.

I run FreeBSD jails. Some of my jails run on RFC 1918 addresses on lo0. Packet forwarding by the host allows these jails to serve HTTP to the world. The jail cannot initiate traffic outwards.

I've built minimal jails with just a few stock executables each. (Stock meaning these are executables built from open source software packages in their standard fashion.) One example is Squeak Smalltalk. /etc/passwd is still needed because I do something like 'su - www -c "squeak"' to start the server automatically. I can easily write an su clone that doesn't consult /etc/passwd.

I've also run the VM Qemu in a jail. Performance sucked on my lowly test machine, but the jail+VM combo approach seems feasible.

(I talk about FreeBSD jails running Common Lisp and Smalltalk servers now and then on my blog.)

Cheers.

-- 
Ng Pheng Siong <ngps () netmemetic com> http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
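The host-side rules the reply describes (a jail on an RFC 1918 alias of lo0 that serves HTTP to the world but cannot open connections outward) can be expressed as a pf ruleset. The following is an added example written for this archive page, not configuration from the original poster; it assumes pf rather than ipfw, an external interface em0, a public address 203.0.113.10 and a jail address 10.0.0.80, all of which are made up for illustration.

```pf
# /etc/pf.conf on the jail host. Added example; interface, addresses and the
# choice of pf over ipfw are assumptions, not taken from the original message.
#
# Host-side setup this ruleset expects (the post's setup enables forwarding):
#   sysctl net.inet.ip.forwarding=1
#   ifconfig lo0 alias 10.0.0.80 netmask 255.255.255.255
#   jail /jails/www www.example 10.0.0.80 /bin/sh /etc/rc   (old jail(8) syntax)

ext_if  = "em0"
pub_ip  = "203.0.113.10"    # host's public address (assumed)
jail_ip = "10.0.0.80"       # jail's RFC 1918 alias on lo0 (assumed)

# Traffic on lo0 (host <-> jail, jail <-> jail) is not filtered here.
set skip on lo0

# --- translation: inbound HTTP on the public address lands in the jail ---
# Translation is evaluated before filtering, so the filter rules below
# see the already-rewritten destination $jail_ip.
rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $jail_ip port 80

# --- filtering: default deny, then the few things that are allowed ---
block all

# No nat rule exists for $jail_ip, so any packet the jail originates would
# leave with an RFC 1918 source. Drop and log it explicitly: this is what
# keeps the jail from initiating traffic outwards. Replies to accepted HTTP
# connections match the state created below before any rule is consulted,
# and are reverse-translated to $pub_ip on the way out, so they are unaffected.
block drop log quick on $ext_if inet from $jail_ip to any

# Accept new HTTP connections to the jail; the state also carries the replies.
pass in quick on $ext_if inet proto tcp from any to $jail_ip port 80 \
    flags S/SA keep state

# The host itself may still talk outwards from its own address.
pass out quick on $ext_if inet from $pub_ip to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm the two properties separately: an HTTP request to 203.0.113.10 from outside must reach the jail, and a connection attempt from inside the jail (for example `jexec`-ing a `fetch` or `telnet` to an outside host) must fail and show up in `tcpdump -n -e -ttt -i pflog0` as a logged block with source 10.0.0.80.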