From: Edouard Klein <edou@rdklein.fr>
To: help-guix@gnu.org
Subject: Re: Port forwarding for Guix containers
Date: Sat, 21 Nov 2020 21:20:17 +0100
Message-ID: <871rgmsbr2.fsf@rdklein.fr>
In-reply-to: <86r1omkbgk.fsf@gmail.com>
References: <28690cfe.8dc4.175e13a4596.Coremail.all_but_last@163.com> <871rgnltiv.fsf@cbaines.net> <86r1omkbgk.fsf@gmail.com>
User-agent: mu4e 1.4.4; emacs 27.1
zimoun writes:

> Hi,
>
> On Fri, 20 Nov 2020 at 19:26, Christopher Baines wrote:
>> Zhu Zihao writes:
>>
>>> I found the guix container (created by `guix environment --container` or
>>> `guix system container`) is very useful to isolate some service. But
>>> it only supports a fully isolated network namespace or just sharing with
>>> the host; it's not so safe IMO.
>>
>> I'll assume that a fully isolated network namespace is safer in whatever
>> way you're referring to than a shared network namespace. However, for a
>> shared network namespace, what threats is that not safe in respect to?
>>
>> In the shared network namespace scenario, you are free to use a
>> firewall, which could help protect against threats coming from other
>> machines, for example by creating a list of IP addresses which are
>> allowed to connect, and dropping any other traffic.
>
> I do not know about the initial motivation and I do not know either if
> it makes sense in the context of “guix environment”. One point is that
> Docker [1] provides a way to specify the firewall rules. Well, somehow,
> something similar to ’--share’ but for network.
>
>
> 1: 

My .02€: I am in the camp of letting the container do the job with an
operating system declaration, and keeping guix simple. That way, one can
choose e.g. nginx to do the proxying, or an actual firewall, etc. The
right tool for the right job.
Sure it's not as easy as docker's -p option, but it's more secure and
cleaner.

> All the best,
> simon
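The approach Edouard argues for, as an added illustration that is not from the thread or from Guix itself: an `operating-system` declaration for `guix system container` in which the container runs nginx as the reverse proxy and an nftables firewall that only admits the clients on an allow-list, the setup Christopher sketched. The host name, the allow-list addresses and the backend address `127.0.0.1:8080` are constructed placeholders.

```scheme
(use-modules (gnu))
(use-service-modules networking web)

;; Constructed allow-list of client addresses (placeholders, not from the thread).
(define %allowed-clients '("192.0.2.10" "192.0.2.11"))

;; nftables ruleset: drop all inbound traffic except loopback, replies to
;; established flows, and HTTP from the allowed clients.
(define %firewall-ruleset
  (plain-file "nftables.conf"
              (string-append
               "table inet filter {\n"
               "  chain input {\n"
               "    type filter hook input priority 0; policy drop;\n"
               "    iifname \"lo\" accept\n"
               "    ct state established,related accept\n"
               "    ip saddr { " (string-join %allowed-clients ", ")
               " } tcp dport 80 accept\n"
               "  }\n"
               "  chain forward { type filter hook forward priority 0; policy drop; }\n"
               "  chain output { type filter hook output priority 0; policy accept; }\n"
               "}\n")))
(operating-system
  (host-name "proxy-container")                     ; placeholder
  (timezone "Etc/UTC")
  ;; Required by the record type; unused when run with `guix system container`.
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/null"))))
  (file-systems (cons (file-system (device "none") (mount-point "/") (type "tmpfs"))
                      %base-file-systems))
  (services
   (append
    (list
     ;; Reverse proxy: port 80 is the only entry point; the backend
     ;; (placeholder address) is never exposed directly.
     (service nginx-service-type
              (nginx-configuration
               (server-blocks
                (list (nginx-server-configuration
                       (listen '("80"))
                       (server-name '("proxy-container"))
                       (locations
                        (list (nginx-location-configuration
                               (uri "/")
                               (body '("proxy_pass http://127.0.0.1:8080;"))))))))))
     (service nftables-service-type
              (nftables-configuration (ruleset %firewall-ruleset))))
    %base-services)))
```

`guix system container proxy.scm` builds a script that starts the container; add `--network` to share the host's network namespace, the second scenario discussed in the thread.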