Re: [fw-wiz] VM system for firewall use

From: Ng Pheng Siong (
Date: 10/13/04

  • Next message: Christopher Hicks: "[fw-wiz] PKI is the pits?"
    To: Christopher Hicks <>
    Date: Wed, 13 Oct 2004 09:05:11 +0800

    On Tue, Oct 12, 2004 at 11:10:25AM -0400, Christopher Hicks wrote:
    > Scenario: a compartment gets compromised. If that compartment is in a
    > JAIL/MAC environment then what that compromise can accomplish is
    > effectively minimized. In the VM environment the compromise would
    > compromise that entire VM and that VM could communicate with any other VM
    > in any way it pleased.

    Either way it is up to the host's firewall rules.

    I run FreeBSD jails. Some of my jails run on RFC 1918 addresses on lo0.
    Packet forwarding by the host allows these jails to serve HTTP to the
    world. The jail cannot initiate traffic outwards.

    I've built minimal jails with just a few stock executables each. (Stock
    meaning these are executables built from open source software packages in
    their standard fashion.) One example is Squeak Smalltalk. /etc/passwd is
    still needed because I do something like 'su - www -c "squeak"' to start
    the server automatically. I can easily write an su clone that doesn't
    consult /etc/passwd.

    I've also run the vm Qemu in a jail. Performance sucked on my lowly test
    machine, but the jail+vm combo approach seems feasible.

    (I talk about FreeBSD jails running Common Lisp and Smalltalk servers now
    and then on my blog.)


    Ng Pheng Siong <> -+- M2Crypto, ZServerSSL for Zope, Blog
    firewall-wizards mailing list

  • Next message: Christopher Hicks: "[fw-wiz] PKI is the pits?"