
Re: Port forwarding for Guix containers


From: Christopher Baines
Subject: Re: Port forwarding for Guix containers
Date: Fri, 20 Nov 2020 19:26:00 +0000
User-agent: mu4e 1.4.13; emacs 27.1

Zhu Zihao <all_but_last@163.com> writes:

> I found the Guix container (created by `guix environment --container` or
> `guix system container`) is very useful for isolating a service. But
> it only supports a fully isolated network namespace or just sharing with
> the host; it's not so safe IMO.

I'll assume that a fully isolated network namespace is safer in whatever
way you're referring to than a shared network namespace. However, for a
shared network namespace, what threats is that not safe in respect to?

In the shared network namespace scenario, you are free to use a
firewall, which could help protect against threats coming from other
machines, for example by creating a list of IP addresses which are
allowed to connect, and dropping any other traffic.

If it's not on another machine, but on the same machine, there's
probably more to worry about than the network if you're assuming another
process is malicious: it could potentially escape from the isolation put
in place by Linux, or use excessive resources to attempt to disrupt
other processes.

Chris
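
The allow-list firewall Chris describes above, written out as an added example (it is not part of this thread and not Guix's own configuration): a Guix `operating-system` fragment for the host that installs an nftables ruleset via `nftables-service-type`, accepting new connections to the container's service port only from a named set of peers and dropping everything else by policy. Because a container started with a shared network namespace uses the host's namespace, and netfilter hooks are per namespace, the ruleset belongs on the host, not inside the container. The peer addresses (documentation range 192.0.2.0/24), the port 8080, the host name and the disk device are constructed placeholders.

```scheme
;; Added example, not from the mailing-list thread or the Guix manual.
;; Host-side Guix system configuration: an nftables allow-list for a
;; service exposed by a container that shares the host's network
;; namespace.  Addresses, port, host name and disk are placeholders.
(use-modules (gnu)
             (guix gexp)                    ; plain-file
             (gnu services networking))     ; nftables-service-type

;; Ruleset in nft syntax.  Anything not explicitly accepted is dropped by
;; the chain policy, so a forgotten rule fails closed rather than open.
(define %allow-list-ruleset
  (plain-file "nftables.conf"
"table inet filter {
  # Peers allowed to open connections to the containerised service.
  set allowed_peers {
    type ipv4_addr
    elements = { 192.0.2.10, 192.0.2.11 }   # constructed placeholder peers
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # Packets that belong to no tracked connection.
    ct state invalid drop

    # Replies to connections the host (or container) initiated itself.
    ct state { established, related } accept

    # Loopback: container processes talking to host-side daemons.
    iifname lo accept

    # Only listed peers may reach the service port (8080 is a placeholder
    # for whatever the container actually listens on).
    ip saddr @allowed_peers tcp dport 8080 accept

    # Keep ICMP echo so the host remains diagnosable from the network.
    icmp type echo-request accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
"))

(operating-system
  (host-name "container-host")              ; constructed placeholder
  (timezone "Etc/UTC")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))    ; constructed placeholder disk
  (file-systems (cons (file-system
                        (device (file-system-label "root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))
  (services
   (cons* (service nftables-service-type
                   (nftables-configuration
                    (ruleset %allow-list-ruleset)))
          %base-services)))
```

With this in place, `guix system reconfigure` on the host loads the ruleset at boot through the nftables Shepherd service; a container started with `guix system container --network` or `guix environment --container --network` then only sees new inbound connections on port 8080 from the two listed peers, while every other source is dropped before it reaches the container's process. The ruleset does nothing about the same-host case Chris raises next, since traffic over loopback is accepted and a malicious local process is a host-isolation problem, not a firewall one.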
