Ok, thank you for your clarification.
I think I prefer Crossbow because it is a "modern" approach.
Regarding threat model, I prefer to have as much separated traffic as possible,
therefore I prefer exclusive-ip instead of shared ip.
--
This message posted from opensolaris.org
_
On 11/28/10 14:50, Orvar Korvar wrote:
> Sorry, I didn't really get that. Could you explain a bit what you did, for a
> Solaris noob? You just shut down the global NIC, and the local zone NIC still
> works? Yes?
>
> A question: I see that you use shared ip. Isn't that less safe than
> exclusive-
Sorry, I didn't really get that. Could you explain a bit what you did, for a
Solaris noob? You just shut down the global NIC, and the local zone NIC still
works? Yes?
A question: I see that you use shared ip. Isn't that less safe than
exclusive-ip because several zones share the same NIC in your
In message <1481154627.91285535031577.javamail.tweb...@sf-app1>, Orvar Korvar writes:
>Ok, so I shut down e1000g0 which means my global zone can not access internet.
> The local zone will have e1000g0:1 which I do not shut down, which means the
>local zone can access internet. Correct?
Works for
:22:56 -0800
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
>
> So you suspect there is no need to shut down the global NIC, if the zone uses
> exclusive IP and it is on
On 26 November 2010 13:25, Orvar Korvar wrote:
> If hacker exploits a bug in the VBox driver and corrupts kernel memory so he
> gets into the global zone, then maybe it is safer to not use VBox?
If such bug exists then it'll be safer to not use VBox, however, I'm
not aware of any such bug. VBox
If hacker exploits a bug in the VBox driver and corrupts kernel memory so he
gets into the global zone, then maybe it is safer to not use VBox? And only use
local zones for reaching the outside world? And shutdown the NIC to the global
zone?
So you suspect there is no need to shut down the global NIC, if the zone uses
exclusive IP and it is on a separate subnet and there is no routing between the
zones?
Ok, that is an interesting thought. What do you other people say? In that case
a local zone can not ping (reach) the global zone?
On 26 November 2010 10:50, Orvar Korvar wrote:
> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why
> I created this thread.
Yep and I found your question interesting and want to know more as well.
If you are the only administrator on the machine is there an
On 26 Nov 2010, at 10:50 , Orvar Korvar wrote:
> petrben,
> Yes that is my question too: "is running in a local zone safer?". That is why
> I created this thread.
>
> I was thinking something like this: If someone hacks my WinXP, then he must
> bypass VBox. Then he is inside the local zone. Th
petrben,
Yes that is my question too: "is running in a local zone safer?". That is why I
created this thread.
I was thinking something like this: If someone hacks my WinXP, then he must
bypass VBox. Then he is inside the local zone. Then he must get root access to
the local zone. Then he must b
On 26 November 2010 04:07, Jeff Victor wrote:
> On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes wrote:
>>> Limit the damage if the Zone's VBox application is somehow
>>> subverted by the guest OS.
>>
>> There are VBox modules in the kernel and the containers framework
>> can't stop misbehavior in ker
On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes wrote:
>> Limit the damage if the Zone's VBox application is somehow
>> subverted by the guest OS.
>
> There are VBox modules in the kernel and the containers framework
> can't stop misbehavior in kernelspace.
The use of kernel modules in VBox doesn't w
> Limit the damage if the Zone's VBox application is somehow
> subverted by the guest OS.
There are VBox modules in the kernel and the containers framework
can't stop misbehavior in kernelspace.
>
>
> Beyond security, running VBox in a Zone allows you to make
> use of Zone Resource Controls and C
In message , Petr
Benes writes:
>Hmm. VBox obviously needs to be installed in the global zone before.
>Is running it in a local zone significantly safer? Yep for separating
>different possible users, but it won't make running guests safer per
>se. What is the supposed security merit there?T
Finer
Hmm. VBox obviously needs to be installed in the global zone before.
Is running it in a local zone significantly safer? Yep for separating
different possible users, but it won't make running guests safer per
se. What is the supposed security merit there?T
On 25 November 2010 11:25, Petr Benes wro
Oh, thanks.
On 25 November 2010 11:25, Cyril Plisko wrote:
> On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
>> I bet VBox can't run inside the local zone.
>
> Well, you lost. See VirtualBox User Manual
>
> 2.4.5 Configuring a zone for running VirtualBox
>
>>
>> On 24 November 2010 20:04, Or
On Thu, Nov 25, 2010 at 12:08 PM, Petr Benes wrote:
> I bet VBox can't run inside the local zone.
Well, you lost. See VirtualBox User Manual
2.4.5 Configuring a zone for running VirtualBox
>
> On 24 November 2010 20:04, Orvar Korvar
> wrote:
>> Uhmmm... A thought just struck me.
>>
>> Is it r
On 11/25/10 11:08 PM, Petr Benes wrote:
I bet VBox can't run inside the local zone.
See the rest of this thread!
--
Ian.
___
zones-discuss mailing list
zones-discuss@opensolaris.org
I bet VBox can't run inside the local zone.
On 24 November 2010 20:04, Orvar Korvar wrote:
> Uhmmm... A thought just struck me.
>
> Is it really possible to do what I was thinking? If I install WinXP
> virtually, in VirtualBox, in a local zone - then I shut down the global zone
> NIC - how can
Uhmmm... A thought just struck me.
Is it really possible to do what I was thinking? If I install WinXP virtually,
in VirtualBox, in a local zone - then I shut down the global zone NIC - how can
I reach the local zone then? It should not be possible?
There is no connection between local zone an
Orvar Korvar wrote:
I am still confused. "cjg" wrote at the very bottom, that it is possible to shutdown internet connection to the global zone and provided a link. I don't understand what the link says, as I am a Solaris noob. Can someone explain?
I don't feel I have a definitive answer. Is it
I am still confused. "cjg" wrote at the very bottom, that it is possible to
shutdown internet connection to the global zone and provided a link. I don't
understand what the link says, as I am a Solaris noob. Can someone explain?
I don't feel I have a definitive answer. Is it possible to shut down
Not true. b134 has crossbow and you can configure it such that the global zone
does not have access to the internet.
See http://chrisgerhard.wordpress.com/2009/01/01/http-proxy-in-a-zone/
--chris
I stand corrected.
Thanks for the update Glenn.
Jerry
On 09/30/10 16:33, Glenn Faden wrote:
> VBox definitely works in zones. It installs a global zone SMF service,
> VBoxService, to take care of loading the kernel modules since this can't
> be done by a NGZ.
>
> see http://www.virtualbox.org/
On 10/ 1/10 10:33 AM, Glenn Faden wrote:
VBox definitely works in zones. It installs a global zone SMF service,
VBoxService, to take care of loading the kernel modules since this
can't be done by a NGZ.
see http://www.virtualbox.org/changeset/24240
Ah, so I was correct in stating VirtualBox
VBox definitely works in zones. It installs a global zone SMF service,
VBoxService, to take care of loading the kernel modules since this can't
be done by a NGZ.
see http://www.virtualbox.org/changeset/24240
--Glenn
Jerry Kemp wrote:
Ian,
I believe that you are correct in your comment about
Ian,
I believe that you are correct in your comment about running VirtualBox
in a zone. While I haven't attempted it myself, I believe that VirtualBox
will not work from a zone because VirtualBox needs to load kernel modules.
here is an example:
ultra20 /root 401 # modinfo | grep -i vbox
175
On 10/ 1/10 09:42 AM, Orvar Korvar wrote:
Ok, now I am confused.
I want to shut down all internet connection to my global zone. I don't want to
shut down the global zone, only the internet connection. I want to reach
internet only from local zones. Some of the local zones will have a server
ap
Ok, now I am confused.
I want to shut down all internet connection to my global zone. I don't want to
shut down the global zone, only the internet connection. I want to reach
internet only from local zones. Some of the local zones will have a server
application running. Others will just be used
Assuming you're using the shared IP stack (default), it is sufficient
for the global zone interface(s) to be plumbed so that the non-global
zones can use logical instances of the interface(s). So setting the GZ
interfaces as "down" will prevent network access to/from the global zone.
--Glenn
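The point in the message above is that a shared-IP zone only has networking because the global zone keeps the underlying interface plumbed, whereas an exclusive-IP zone owns its interface. A defender reviewing such a host would want to know which zones fall into which category. The following is an added example, not code from this thread or from the zones project: a POSIX shell function that audits the ip-type of every configured zone from the parseable output of `zoneadm list -cp`, whose colon-separated fields are `zoneid:zonename:state:zonepath:uuid:brand:ip-type`. The zone names, paths and UUIDs in the sample input are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the zones-discuss thread). Lists the non-global
# zones that use the shared IP stack, i.e. that depend on interfaces plumbed
# in the global zone, as opposed to exclusive-ip zones that own their NIC.
#
# Input format is the parseable output of `zoneadm list -cp`:
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type
# The seventh field is the ip-type ("shared" or "excl").

# Constructed sample of `zoneadm list -cp` output; names and UUIDs are made up.
SAMPLE_ZONEADM='0:global:running:/::ipkg:shared
1:websrv:running:/zones/websrv:1111-aaaa:ipkg:excl
-:winxp:installed:/zones/winxp:2222-bbbb:ipkg:shared
2:proxy:running:/zones/proxy:3333-cccc:ipkg:excl'

# shared_ip_zones: read zoneadm -p lines on stdin and print the names of the
# non-global zones whose ip-type is "shared", one per line. The global zone
# itself always reports "shared", so it is skipped.
shared_ip_zones() {
    awk -F: '$2 != "global" && $7 == "shared" { print $2 }'
}

# count_shared: number of non-global shared-IP zones in the given text.
count_shared() {
    printf '%s\n' "$1" | shared_ip_zones | wc -l | tr -d ' '
}

# audit_zones: print a short report; returns 1 when any non-global zone
# shares the global zone's IP stack, 0 when all of them are exclusive-ip.
audit_zones() {
    input=$1
    n=$(count_shared "$input")
    if [ "$n" -eq 0 ]; then
        echo "OK: all non-global zones use exclusive-ip"
        return 0
    fi
    echo "WARNING: $n non-global zone(s) share the global zone's IP stack:"
    printf '%s\n' "$input" | shared_ip_zones | sed 's/^/  /'
    return 1
}

# Run over the constructed sample. On a real host, replace the variable with:
#   zoneadm list -cp | shared_ip_zones
audit_zones "$SAMPLE_ZONEADM" || true
```

On the sample above the report flags `winxp` as the only shared-IP zone; `websrv` and `proxy` are exclusive-ip and would keep working if the global zone's own address were taken down, which is exactly the situation the thread is trying to reach.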
Is there a way to disable all remote connections to the GZ? In other
words, couldn't you use a firewall to reject connections on all ports to
the GZ? That would effectively deny remote access to the GZ without
having to disable any network interfaces.
Of course, disabling the GZ's interface(
Hi
You cannot shutdown the GZ.
The GZ runs the kernel and all services for the NGZ.
But you can set up a firewall such that it restricts access to IP/TCP services and
ports.
--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 13:33
Ok, so it is impossible to shutdown int
Orvar Korvar wrote:
> Ok, so it is impossible to shutdown internet connection to the global zone
> and surf only from the local zones. If I want to surf from the local zones,
> the global zone's NIC must be activated. I suspect a hacker will attack the
> global zone, instead of the local zone th
Ok, so it is impossible to shutdown internet connection to the global zone and
surf only from the local zones. If I want to surf from the local zones, the
global zone's NIC must be activated. I suspect a hacker will attack the global
zone, instead of the local zone that I surf from.
Are there a
--- Original message ---
From: Orvar Korvar
To: zones-discuss@opensolaris.org
Sent: 29.9.'10, 10:13
I want to shut down the global zone, and want to surf only from local
zones. You mean this is not possible?
Not possible
I don't really understand the implications of your post. What
I want to shut down the global zone, and want to surf only from local zones.
You mean this is not possible?
I don't really understand the implications of your post. What are you trying to
say? That I must use Crossbow in b134? Or, that my plan is not possible to do?
Or, that I should not shut d
On Sun, Sep 26, 2010 at 5:03 PM, Orvar Korvar
wrote:
> Ok, so I shut down e1000g0 which means my global zone can not access
> internet. The local zone will have e1000g0:1 which I do not shut down, which
> means the local zone can access internet. Correct?
>
> But, if we look at this picture
> ht
If you configure a zone to use the exclusive-IP feature, the global
zone will not be able to use the zone's network interfaces. See the
zonecfg(1M) man page.
On Sat, Sep 25, 2010 at 6:23 AM, Orvar Korvar
wrote:
> I am a home user with a PC and two SunRay2.
>
> I wonder if it is possible to shut d
Here is more info on this:
http://www.opensolaris.org/jive/thread.jspa?messageID=501153
Ok, so I shut down e1000g0 which means my global zone can not access internet.
The local zone will have e1000g0:1 which I do not shut down, which means the
local zone can access internet. Correct?
But, if we look at this picture
http://blogs.sun.com/droux/entry/private_virtual_networks_for_solar
; From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: Re: [zones-discuss] Possible to use zones for hardening? Security?
>
> Is it that simple?!
>
> I just disable my interface. Maybe with something similar to
> # ifconfig e1000 down
> or somethi
Is it that simple?!
I just disable my interface. Maybe with something similar to
# ifconfig e1000 down
or something. I have to check the syntax.
And then everything is done? But, my zones, how can they reach internet if the
global interface is disabled? I don't get it.
on the global zone all you need to do is disable your interface.
> Date: Sat, 25 Sep 2010 03:23:52 -0700
> From: knatte_fnatte_tja...@yahoo.com
> To: zones-discuss@opensolaris.org
> Subject: [zones-discuss] Possible to use zones for hardening? Security?
>
> I am a home user with a PC and two Su
44 matches