From: Christopher Baines
To: Zhu Zihao
Subject: Re: Port forwarding for Guix containers
In-reply-to: <28690cfe.8dc4.175e13a4596.Coremail.all_but_last@163.com>
Date: Fri, 20 Nov 2020 19:26:00 +0000
Message-ID: <871rgnltiv.fsf@cbaines.net>
Cc: help-guix@gnu.org

Zhu Zihao writes:

> I found that Guix containers (created by `guix environment --container` or
> `guix system container`) are very useful for isolating a service. But they
> only support a fully isolated network namespace or just sharing with the
> host; that's not so safe IMO.

I'll assume that a fully isolated network namespace is safer, in whatever
way you're referring to, than a shared network namespace. However, for a
shared network namespace, what threats is that not safe with respect to?

In the shared network namespace scenario, you are free to use a firewall,
which could help protect against threats coming from other machines, for
example by creating a list of IP addresses which are allowed to connect,
and dropping any other traffic.
If the threat is not on another machine but on the same machine, there's
probably more to worry about than the network if you're assuming another
process is malicious: it could potentially escape from the isolation put in
place by Linux, or use excessive resources to attempt to disrupt other
processes.

Chris
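As an added example (not part of Chris's message and not Guix's own code) of the firewall approach described above, the script below generates an nftables ruleset that lets only an allowlist of source addresses reach the TCP port a network-sharing container exposes and drops every other client. The table name `svc_guard`, the set name `allowed`, and the sample port and addresses in the usage line are assumptions chosen for illustration; the rules themselves use only standard nftables syntax.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that allows TCP connections to a
# service port only from an allowlist of IPv4 addresses/CIDRs and drops the
# rest. "svc_guard" and "allowed" are made-up names for this illustration.
# A container started with a shared network namespace uses the host's
# interfaces, so rules loaded on the host also guard the containerised service.
#
# Usage: gen_ruleset PORT ADDR [ADDR...] | sudo nft -f -
gen_ruleset() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_ruleset PORT ADDR [ADDR...]" >&2
        return 2        # refuse to emit a ruleset with an empty allowlist
    fi
    port=$1; shift

    # Build "a, b, c" from the remaining arguments for the set's element list.
    elems=""
    for a in "$@"; do
        elems="${elems:+$elems, }$a"
    done

    cat <<EOF
table inet svc_guard {
    set allowed {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        # policy accept: only the service port is restricted, so the host's
        # other services (e.g. your own ssh session) are left alone.
        type filter hook input priority 0; policy accept;
        # Replies to connections the host or container opened are fine.
        ct state established,related accept
        # The set is IPv4-only and an "ip saddr" rule never sees IPv6
        # packets, so drop IPv6 to the port explicitly instead of letting
        # it slip past the allowlist.
        meta nfproto ipv6 tcp dport $port counter drop
        # Anyone not in the allowlist is dropped; allowed sources fall
        # through to the accept policy.
        tcp dport $port ip saddr != @allowed counter drop
    }
}
EOF
}
```

Pipe the output into `nft -f -` as root to load it; the `counter` statements let you confirm with `nft list table inet svc_guard` that rejected connection attempts are actually hitting the drop rules. If the service must also be reachable over IPv6, add a second set of type `ip6addr`-style (`ipv6_addr`) entries and an `ip6 saddr != @allowed6 drop` rule in place of the blanket IPv6 drop.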