qemu-devel.nongnu.org archive mirror
* [Qemu-devel] Disabling outgoing connectiong from within guest
@ 2008-06-18 21:41 Łukasz Taczuk
  2008-06-19  0:01 ` Paul Brook
  0 siblings, 1 reply; 5+ messages in thread
From: Łukasz Taczuk @ 2008-06-18 21:41 UTC (permalink / raw)
  To: qemu-devel

Hi!

I would like to create a sandboxed environment in which random users
would be able to roam freely using ssh.
However, I don't want to allow them to open outgoing connections just
as if the box was offline (even if the guest is compromised).
Basically I would like to have something like reversed user mode
network stack: you can log in to the guest, but once you're in, you
cannot connect to the host nor any other machine.

I tried using the -redir option but it works only when user mode is
enabled which clearly defeats the purpose.
Is there a simple way to do it?

Thanks in advance

-- 
Lukasz Taczuk


* Re: [Qemu-devel] Disabling outgoing connectiong from within guest
  2008-06-18 21:41 [Qemu-devel] Disabling outgoing connectiong from within guest Łukasz Taczuk
@ 2008-06-19  0:01 ` Paul Brook
  2008-06-20 11:41   ` Johannes Schindelin
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Brook @ 2008-06-19  0:01 UTC (permalink / raw)
  To: qemu-devel; +Cc: Łukasz Taczuk

On Wednesday 18 June 2008, Łukasz Taczuk wrote:
> Hi!
>
> I would like to create a sandboxed environment in which random users
> would be able to roam freely using ssh.
> However, I don't want to allow them to open outgoing connections just
> as if the box was offline (even if the guest is compromised).
> Basically I would like to have something like reversed user mode
> network stack: you can log in to the guest, but once you're in, you
> cannot connect to the host nor any other machine.

Your host OS firewall/packet filter should already be able to do this.
IMHO there's little or no point reimplementing this functionality in qemu.

Paul


* Re: [Qemu-devel] Disabling outgoing connectiong from within guest
  2008-06-19  0:01 ` Paul Brook
@ 2008-06-20 11:41   ` Johannes Schindelin
  2008-06-20 13:13     ` Paul Brook
  0 siblings, 1 reply; 5+ messages in thread
From: Johannes Schindelin @ 2008-06-20 11:41 UTC (permalink / raw)
  To: Paul Brook; +Cc: qemu-devel, Łukasz Taczuk


Hi,

On Thu, 19 Jun 2008, Paul Brook wrote:

> On Wednesday 18 June 2008, Łukasz Taczuk wrote:
>
> > I would like to create a sandboxed environment in which random users 
> > would be able to roam freely using ssh. However, I don't want to allow 
> > them to open outgoing connections just as if the box was offline (even 
> > if the guest is compromised). Basically I would like to have something 
> > like reversed user mode network stack: you can log in to the guest, 
> > but once you're in, you cannot connect to the host nor any other 
> > machine.
> 
> Your host OS firewall/packet filter should already be able to do this. 
> IMHO there's little or no point reimplementing this functionality in 
> qemu.

Except that Lukasz wrote about users in the sandboxed environment, not all 
users of the _host_ machine.

So there is obviously a point in implementing this in QEmu, _especially_ 
when you use a proprietary guest OS which you cannot fully trust.

Lukasz: I have had the need myself, and have some crude code to do that.  
If you want to use it as a starting point, and want to develop it into 
something really usable, give me a shout and I send you my patch.

Ciao,
Dscho


* Re: [Qemu-devel] Disabling outgoing connectiong from within guest
  2008-06-20 11:41   ` Johannes Schindelin
@ 2008-06-20 13:13     ` Paul Brook
  2008-06-20 13:23       ` Ben Taylor
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Brook @ 2008-06-20 13:13 UTC (permalink / raw)
  To: qemu-devel; +Cc: Łukasz Taczuk

On Friday 20 June 2008, Johannes Schindelin wrote:
> Hi,
>
> On Thu, 19 Jun 2008, Paul Brook wrote:
> > On Wednesday 18 June 2008, Łukasz Taczuk wrote:
> > > I would like to create a sandboxed environment in which random users
> > > would be able to roam freely using ssh. However, I don't want to allow
> > > them to open outgoing connections just as if the box was offline (even
> > > if the guest is compromised). Basically I would like to have something
> > > like reversed user mode network stack: you can log in to the guest,
> > > but once you're in, you cannot connect to the host nor any other
> > > machine.
> >
> > Your host OS firewall/packet filter should already be able to do this.
> > IMHO there's little or no point reimplementing this functionality in
> > qemu.
>
> Except that Lukasz wrote about users in the sandboxed environment, not all
> users of the _host_ machine.

Right. That's why you want to do the firewalling/sandboxing on the host. If 
you don't trust your host OS you're already screwed.

Paul


* Re: [Qemu-devel] Disabling outgoing connectiong from within guest
  2008-06-20 13:13     ` Paul Brook
@ 2008-06-20 13:23       ` Ben Taylor
  0 siblings, 0 replies; 5+ messages in thread
From: Ben Taylor @ 2008-06-20 13:23 UTC (permalink / raw)
  To: qemu-devel

On Fri, Jun 20, 2008 at 9:13 AM, Paul Brook <paul@codesourcery.com> wrote:
> On Friday 20 June 2008, Johannes Schindelin wrote:
>> Hi,
>>
>> On Thu, 19 Jun 2008, Paul Brook wrote:
>> > On Wednesday 18 June 2008, Łukasz Taczuk wrote:
>> > > I would like to create a sandboxed environment in which random users
>> > > would be able to roam freely using ssh. However, I don't want to allow
>> > > them to open outgoing connections just as if the box was offline (even
>> > > if the guest is compromised). Basically I would like to have something
>> > > like reversed user mode network stack: you can log in to the guest,
>> > > but once you're in, you cannot connect to the host nor any other
>> > > machine.
>> >
>> > Your host OS firewall/packet filter should already be able to do this.
>> > IMHO there's little or no point reimplementing this functionality in
>> > qemu.
>>
>> Except that Lukasz wrote about users in the sandboxed environment, not all
>> users of the _host_ machine.
>
> Right. That's why you want to do the firewalling/sandboxing on the host. If
> you don't trust your host OS you're already screwed.

So in this situation, you're going to have a filter on the tap
device, that does something like:

allow incoming to port 22 (he did say ssh)

assuming guest is DHCP'd
allow incoming to port 68 (DHCP)
allow outgoing to port 68 (DHCP)

maybe allow dns so
allow incoming to port 53 (DNS) from dns server
allow outgoing to port 53 (DNS) to dns server

deny everything else incoming or outgoing
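
The filter sketched in the message above, written out for a Linux host as an added example that is not part of the original thread or of QEMU: a shell function that emits an `iptables-restore` ruleset in which ssh replies are matched by connection state, so the guest can answer connections but cannot open its own. Assumptions: iptables with the conntrack match, a routed (not bridged) tap interface, DHCP on UDP 67 (server) and 68 (client), and the hypothetical names `gen_guest_rules`, `GUEST_IN` and `GUEST_OUT`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a routed tap device and
# iptables with conntrack; chain and function names are hypothetical.
# usage: gen_guest_rules TAP_IF [DNS_SERVER_IP]   (review, then iptables-restore)
gen_guest_rules() {
    tap=$1 dns=${2:-}
    # Accept only a plain interface name and, optionally, a dotted IPv4 address.
    case $tap in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $tap" >&2; return 1;; esac
    case $dns in *[!0-9.]*) echo "bad DNS address: $dns" >&2; return 1;; esac

    cat <<EOF
*filter
:GUEST_IN - [0:0]
:GUEST_OUT - [0:0]
# Packets leaving the guest: to the host itself (INPUT) or routed onward (FORWARD).
-A INPUT -i $tap -j GUEST_OUT
-A FORWARD -i $tap -j GUEST_OUT
# Packets heading to the guest: from the host (OUTPUT) or routed in (FORWARD).
-A OUTPUT -o $tap -j GUEST_IN
-A FORWARD -o $tap -j GUEST_IN
# ssh: new connections may only be opened towards the guest.
-A GUEST_IN -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A GUEST_OUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# DHCP: the guest (client) sends from UDP 68 to 67, the server answers 67 to 68.
-A GUEST_OUT -p udp --sport 68 --dport 67 -j ACCEPT
-A GUEST_IN -p udp --sport 67 --dport 68 -j ACCEPT
EOF
    if [ -n "$dns" ]; then
        cat <<EOF
# DNS (optional): queries to one resolver, answers only for tracked queries.
-A GUEST_OUT -p udp -d $dns --dport 53 -j ACCEPT
-A GUEST_IN -p udp -s $dns --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
    fi
    cat <<EOF
# Everything else, in either direction, is dropped.
-A GUEST_IN -j DROP
-A GUEST_OUT -j DROP
COMMIT
EOF
}
```

Without `--noflush`, `iptables-restore` replaces the existing filter table with this ruleset. With `--noflush` the jumps are appended, so they only take effect if no earlier rule in INPUT, OUTPUT or FORWARD already accepts the packet.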
