From: Łukasz Taczuk
Date: Wed, 18 Jun 2008 23:41:34 +0200
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Disabling outgoing connectiong from within guest

Hi!

I would like to create a sandboxed environment in which random users would be able to roam freely using ssh. However, I don't want to allow them to open outgoing connections just as if the box was offline (even if the guest is compromised).

Basically I would like to have something like reversed user mode network stack: you can log in to the guest, but once you're in, you cannot connect to the host nor any other machine.

I tried using the -redir option but it works only when user mode is enabled which clearly defeats the purpose.

Is there a simple way to do it?

Thanks in advance

--
Lukasz Taczuk