help-guix

Re: Port forwarding for Guix containers


From: zimoun
Subject: Re: Port forwarding for Guix containers
Date: Sat, 21 Nov 2020 15:53:47 +0100

Hi,

On Fri, 20 Nov 2020 at 19:26, Christopher Baines <mail@cbaines.net> wrote:
> Zhu Zihao <all_but_last@163.com> writes:
>
>> I found guix container "created by `guix environment --container` or
>> `guix system container`" is very useful to isolate some service. But
>> it only supports fully isolated network namespace or just share with
>> host, it's not so safe IMO.
>
> I'll assume that a fully isolated network namespace is safer in whatever
> way you're referring to than a shared network namespace. However, for a
> shared network namespace, what threats is that not safe in respect to?
>
> In the shared network namespace scenario, you are free to use a
> firewall, which could help protect against threats coming from other
> machines, for example by creating a list of IP addresses which are
> allowed to connect, and dropping any other traffic.

I do not know the initial motivation, and I do not know either whether
it makes sense in the context of “guix environment”.  One point is that
Docker [1] provides a way to specify the firewall rules.  Well, somehow,
something similar to ’--share’ but for the network.


1: <https://docs.docker.com/config/containers/container-networking/>

All the best,
simon
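The shared-network-namespace option that Christopher describes above (a host firewall with a list of source addresses allowed to connect, everything else to that port dropped) can be written as an nftables ruleset. What follows is an added example for this page, not code from the thread, from Guix or from Docker: a small POSIX sh generator that validates the port and the addresses and prints the ruleset. The table and set names (`guix_svc`, `allowed_v4`), the port 8080 and the sample addresses are assumptions; it handles IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread, not Guix code): emit an nftables
# ruleset that lets only an allowlist of IPv4 sources reach one TCP
# service port and drops everyone else aimed at that port.  The host
# loads it; a container started with a shared network namespace
# (guix environment --container --network) sits behind the same rules,
# because netfilter hooks belong to the network namespace.
# Names "guix_svc" and "allowed_v4" and all sample addresses are
# assumptions made for this example.  IPv4 only.

# valid_cidr ADDR: accept "a.b.c.d" or "a.b.c.d/N" (N in 0..32), nothing else.
valid_cidr() {
    case "$1" in *[!0-9./]*) return 1 ;; esac     # only digits, dots, slash
    addr=${1%%/*}                                 # part before the first slash
    if [ "$addr" != "$1" ]; then                  # a prefix length was given
        pfx=${1#*/}
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac  # "/", "/x", "a/b/c"
        [ "$pfx" -le 32 ] || return 1
    fi
    case "$addr" in .*|*.|*..*) return 1 ;; esac  # empty octet somewhere
    (                                             # subshell: IFS and $@ stay local
        IFS=.
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for oct in "$@"; do
            [ "$oct" -le 255 ] || exit 1
        done
    )
}

# allowlist_ruleset PORT ADDR...: print the ruleset on stdout, or fail
# with a message on stderr if the port or any address is malformed.
allowlist_ruleset() {
    if [ $# -lt 2 ]; then
        echo "usage: allowlist_ruleset PORT ADDR..." >&2
        return 1
    fi
    port=$1
    shift
    case "$port" in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    elems=
    for a in "$@"; do
        valid_cidr "$a" || { echo "bad address: '$a'" >&2; return 1; }
        elems="${elems:+$elems, }$a"
    done
    # The chain policy stays "accept": only traffic to $port is filtered,
    # every other port is left exactly as before.  "flags interval" is what
    # lets the set hold CIDR prefixes next to single addresses.
    cat <<EOF
table inet guix_svc {
    set allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" accept
        tcp dport $port ip saddr @allowed_v4 accept
        tcp dport $port drop
    }
}
EOF
}

# Print the ruleset for a service on 8080 reachable from one host and one
# subnet (constructed sample values).  To load it for real, as root:
#   allowlist_ruleset 8080 10.0.0.5 192.168.1.0/24 | nft -c -f -   # syntax check only
#   allowlist_ruleset 8080 10.0.0.5 192.168.1.0/24 | nft -f -      # apply
allowlist_ruleset 8080 10.0.0.5 192.168.1.0/24
```

Two caveats worth knowing before loading this. Loading the same file twice appends a second copy of the rules into the table; delete it first with `nft delete table inet guix_svc`. And because the table is in the `inet` family, the final `tcp dport ... drop` also catches IPv6 clients, which never match the IPv4 set, so IPv6 access to the port needs its own `ip6 saddr` set if it is wanted. Conversely, in a fully isolated network namespace (the container run without `--network`) none of these host rules apply inside the container at all, which is why the firewall route only makes sense in the shared case.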


