Re: [Qemu-devel] Disabling outgoing connectiong from within guest
From: Paul Brook
Subject: Re: [Qemu-devel] Disabling outgoing connectiong from within guest
Date: Fri, 20 Jun 2008 14:13:25 +0100
User-agent: KMail/1.9.9

On Friday 20 June 2008, Johannes Schindelin wrote:
> Hi,
>
> On Thu, 19 Jun 2008, Paul Brook wrote:
> > On Wednesday 18 June 2008, Łukasz Taczuk wrote:
> > > I would like to create a sandboxed environment in which random users
> > > would be able to roam freely using ssh. However, I don't want to allow
> > > them to open outgoing connections just as if the box was offline (even
> > > if the guest is compromised). Basically I would like to have something
> > > like reversed user mode network stack: you can log in to the guest,
> > > but once you're in, you cannot connect to the host nor any other
> > > machine.
> >
> > Your host OS firewall/packet filter should already be able to do this.
> > IMHO there's little or no point reimplementing this functionality in
> > qemu.
>
> Except that Lukasz wrote about users in the sandboxed environment, not all
> users of the _host_ machine.
Right. That's why you want to do the firewalling/sandboxing on the host. If
you don't trust your host OS you're already screwed.
Paul
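
The host-side filtering suggested in this reply, sketched as an nftables ruleset; this is an added example and not part of the original message or of QEMU. It assumes the guest NIC is attached to a routed (not bridged) host tap device named `tap0` and that the guest's sshd listens on TCP 22; both names are hypothetical. It does not cover user-mode networking (`-net user`), where guest traffic leaves the host as ordinary sockets of the qemu process.

```nft
# Added example: load on the HOST, e.g. with `nft -f <file>`.
# Assumptions (not from the thread): guest NIC = host tap device "tap0",
# routed rather than bridged; guest sshd on TCP 22; guest uses a static
# address, because DHCP requests sent to the host are dropped as well.

table inet guest_sandbox {
    chain input {
        # Packets addressed to the host itself.
        type filter hook input priority 0; policy accept;

        # Replies to connections the host opened to the guest (e.g. ssh).
        iifname "tap0" ct state established,related accept
        # Everything else arriving from the guest is guest-initiated.
        iifname "tap0" counter drop
    }

    chain forward {
        # Packets routed through the host to or from the guest.
        type filter hook forward priority 0; policy accept;

        # Guest -> elsewhere: only replies within flows opened from outside.
        iifname "tap0" ct state established,related accept
        iifname "tap0" counter drop

        # Elsewhere -> guest: existing flows and new ssh sessions only.
        oifname "tap0" ct state established,related accept
        oifname "tap0" tcp dport 22 ct state new accept
        oifname "tap0" counter drop
    }
}
```

Because the rules key on connection-tracking state rather than on ports alone, a compromised guest cannot open a new flow by picking a source port of 22; the `counter` statements show in `nft list ruleset` how many such attempts were dropped.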