Sorry, I didn't really get that. Could you explain a bit what you did, for a
solaris noob? You just shut down the global NIC, and the local zone NIC still
works? Yes?
A question: I see that you use shared ip. Isn't that less safe than
exclusive-ip because several zones share the same NIC in
Ok, thank you for your clarification.
I think I prefer Crossbow because it is a modern approach.
Regarding threat model, I prefer to have as much separated traffic as possible,
therefore I prefer exclusive-ip instead of shared ip.
--
This message posted from opensolaris.org
In message 1481154627.91285535031577.javamail.tweb...@sf-app1, Orvar Korvar writes:
Ok, so I shut down e1000g0 which means my global zone can not access internet.
The local zone will have e1000g0:1 which I do not shut down, which means the
local zone can access internet. Correct?
Works for me.
petrben,
Yes that is my question too: is running in a local zone safer? That is why I
created this thread.
I was thinking something like this: If someone hacks my WinXP, then he must
bypass VBox. Then he is inside the local zone. Then he must get root access to
the local zone. Then he must
On 26 Nov 2010, at 10:50 , Orvar Korvar wrote:
petrben,
Yes that is my question too: is running in a local zone safer? That is why
I created this thread.
I was thinking something like this: If someone hacks my WinXP, then he must
bypass VBox. Then he is inside the local zone. Then he
On 26 November 2010 10:50, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
petrben,
Yes that is my question too: is running in a local zone safer? That is why
I created this thread.
Yep and I found your question interesting and want to know more as well.
If you are the only administrator
If hacker exploits a bug in the VBox driver and corrupts kernel memory so he
gets into the global zone, then maybe it is safer to not use VBox? And only use
local zones for reaching the outside world? And shutdown the NIC to the global
zone?
On 26 November 2010 13:25, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
If hacker exploits a bug in the VBox driver and corrupts kernel memory so he
gets into the global zone, then maybe it is safer to not use VBox?
If such bug exists then it'll be safer to not use VBox, however, I'm
not
:56 -0800
From: knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
So you suspect there is no need to shut down the global NIC, if the zone uses
exclusive IP and it is on a separate subnet
I bet VBox can't run inside the local zone.
On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com wrote:
Uhmmm... A thought just struck me.
Is it really possible to do what I was thinking? If I install WinXP
virtually, in VirtualBox, in a local zone - then I shut down the
On 11/25/10 11:08 PM, Petr Benes wrote:
I bet VBox can't run inside the local zone.
See the rest of this thread!
--
Ian.
___
zones-discuss mailing list
zones-discuss@opensolaris.org
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes petr...@gmail.com wrote:
I bet VBox can't run inside the local zone.
Well, you lost. See VirtualBox User Manual
2.4.5 Configuring a zone for running VirtualBox
On 24 November 2010 20:04, Orvar Korvar knatte_fnatte_tja...@yahoo.com
wrote:
Oh, thanks.
On 25 November 2010 11:25, Cyril Plisko cyril.pli...@mountall.com wrote:
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes petr...@gmail.com wrote:
I bet VBox can't run inside the local zone.
Well, you lost. See VirtualBox User Manual
2.4.5 Configuring a zone for running VirtualBox
Hmm. VBox obviously needs to be installed in the global zone before.
Is running it in a local zone significantly safer? Yep for separating
different possible users, but it won't make running guests safer per
se. What is the supposed security merit there?
On 25 November 2010 11:25, Petr Benes
In message aanlkti=fhh7pknmc1vhztcgvyuofpe1fsft1j5r7r...@mail.gmail.com, Petr
Benes writes:
Hmm. VBox obviously needs to be installed in the global zone before.
Is running it in a local zone significantly safer? Yep for separating
different possible users, but it won't make running guests safer
Limit the damage if the Zone's VBox application is somehow
subverted by the guest OS.
There are VBox modules in the kernel and the containers framework
can't stop misbehavior in kernelspace.
Beyond security, running VBox in a Zone allows you to make
use of Zone Resource Controls and
On 26 November 2010 04:07, Jeff Victor jeff.j.vic...@gmail.com wrote:
On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes petr...@gmail.com wrote:
Limit the damage if the Zone's VBox application is somehow
subverted by the guest OS.
There are VBox modules in the kernel and the containers framework
Uhmmm... A thought just struck me.
Is it really possible to do what I was thinking? If I install WinXP virtually,
in VirtualBox, in a local zone - then I shut down the global zone NIC - how can
I reach the local zone then? It should not be possible?
There is no connection between local zone
I am still confused. cjg wrote at the very bottom, that it is possible to
shutdown internet connection to the global zone and provided a link. I don't
understand what the link says, as I am a Solaris noob. Can someone explain?
I don't feel I have a definitive answer. Is it possible to shut down
Orvar Korvar wrote:
I am still confused. cjg wrote at the very bottom, that it is possible to shutdown internet connection to the global zone and provided a link. I don't understand what the link says, as I am a Solaris noob. Can someone explain?
I don't feel I have a definitive answer. Is it
Ok, now I am confused.
I want to shut down all internet connection to my global zone. I don't want to
shut down the global zone, only the internet connection. I want to reach
internet only from local zones. Some of the local zones will have a server
application running. Others will just be used
On 10/ 1/10 09:42 AM, Orvar Korvar wrote:
Ok, now I am confused.
I want to shut down all internet connection to my global zone. I don't want to
shut down the global zone, only the internet connection. I want to reach
internet only from local zones. Some of the local zones will have a server
Ian,
I believe that you are correct in your comment about running VirtualBox
in a zone. While I haven't attempted it myself, I believe that VirtualBox
will not work from a zone because VirtualBox needs to load kernel modules.
here is an example:
ultra20 /root 401 # modinfo | grep -i vbox
175
VBox definitely works in zones. It installs a global zone SMF service,
VBoxService, to take care of loading the kernel modules since this can't
be done by a NGZ.
see http://www.virtualbox.org/changeset/24240
--Glenn
Jerry Kemp wrote:
Ian,
I believe that you are correct in your comment
On 10/ 1/10 10:33 AM, Glenn Faden wrote:
VBox definitely works in zones. It installs a global zone SMF service,
VBoxService, to take care of loading the kernel modules since this
can't be done by a NGZ.
see http://www.virtualbox.org/changeset/24240
Ah, so I was correct in stating VirtualBox
I stand corrected.
Thanks for the update Glenn.
Jerry
On 09/30/10 16:33, Glenn Faden wrote:
VBox definitely works in zones. It installs a global zone SMF service,
VBoxService, to take care of loading the kernel modules since this can't
be done by a NGZ.
see
Not true. b134 has crossbow and you can configure it such that the global zone
does not have access to the internet.
See http://chrisgerhard.wordpress.com/2009/01/01/http-proxy-in-a-zone/
--chris
I want to shut down the global zone, and want to surf only from local zones.
You mean this is not possible?
I don't really understand the implications of your post. What are you trying to
say? That I must use Crossbow in b134? Or, that my plan is not possible to do?
Or, that I should not shut
--- Original message ---
From: Orvar Korvar knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 10:13
I want to shut down the global zone, and want to surf only from local
zones. You mean this is not possible?
Not possible
I don't really understand the
Ok, so it is impossible to shutdown internet connection to the global zone and
surf only from the local zones. If I want to surf from the local zones, the
global zone's NIC must be activated. I suspect a hacker will attack the global
zone, instead of the local zone that I surf from.
Are there
Orvar Korvar wrote:
Ok, so it is impossible to shutdown internet connection to the global zone
and surf only from the local zones. If I want to surf from the local zones,
the global zone's NIC must be activated. I suspect a hacker will attack the
global zone, instead of the local zone that
Hi
U cannot shutdown gz
Gz run the kernel and all services for ngz
But can setup firewall such that to restrict access to ip tcp service and
port
--- Original message ---
From: Orvar Korvar knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 13:33
Ok, so
Is there a way to disable all remote connections to the GZ? In other
words, couldn't you use a firewall to reject connections on all ports to
the GZ? That would effectively deny remote access to the GZ without
having to disable any network interfaces.
Of course, disabling the GZ's
Assuming you're using the shared IP stack (default), it is sufficient
for the global zone interface(s) to be plumbed so that the non-global
zones can use logical instances of the interface(s). So setting the GZ
interfaces as 'down' will prevent network access to/from the global zone.
--Glenn
Here is more info on this:
http://www.opensolaris.org/jive/thread.jspa?messageID=501153#501153
If you configure a zone to use the exclusive-IP feature, the global
zone will not be able to use the zone's network interfaces. See the
zonecfg(1M) man page.
On Sat, Sep 25, 2010 at 6:23 AM, Orvar Korvar
knatte_fnatte_tja...@yahoo.com wrote:
I am a home user with a PC and two SunRay2.
I wonder
On Sun, Sep 26, 2010 at 5:03 PM, Orvar Korvar
knatte_fnatte_tja...@yahoo.com wrote:
Ok, so I shut down e1000g0 which means my global zone can not access
internet. The local zone will have e1000g0:1 which I do not shut down, which
means the local zone can access internet. Correct?
But, if we
: knatte_fnatte_tja...@yahoo.com
To: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
Is it that simple?!
I just disable my interface. Maybe with something similar to
# ifconfig e1000 down
or something. I have to check the syntax
Ok, so I shut down e1000g0 which means my global zone can not access internet.
The local zone will have e1000g0:1 which I do not shut down, which means the
local zone can access internet. Correct?
But, if we look at this picture
I am a home user with a PC and two SunRay2.
I wonder if it is possible to shut down all internet connections to my global
zone, and create a zone with VirtualBox to reach internet?
1) global zone: no internet connection
2) zone: virtualbox + Win7 to surf the web, for me
3) zone: virtualbox +
Is it that simple?!
I just disable my interface. Maybe with something similar to
# ifconfig e1000 down
or something. I have to check the syntax.
And then everything is done? But, my zones, how can they reach internet if the
global interface is disabled? I don't get it.