Hi,

On Fri, 20 Nov 2020 at 19:26, Christopher Baines <m...@cbaines.net> wrote:
> Zhu Zihao <all_but_l...@163.com> writes:
>
>> I found guix container "created by `guix environment --container` or
>> `guix system container`" is very useful to isolate some service. But
>> it only supports fully isolated network namespace or just share with
>> host, it's not so safe IMO.
>
> I'll assume that a fully isolated network namespace is safer in whatever
> way you're referring to than a shared network namespace. However, for a
> shared network namespace, what threats is that not safe in respect to?
>
> In the shared network namespace scenario, you are free to use a
> firewall, which could help protect against threats coming from other
> machines, for example by creating a list of IP addresses which are
> allowed to connect, and dropping any other traffic.
I do not know about the initial motivation and I do not know either if it
makes sense in the context of “guix environment”. One point is that
Docker [1] provides a way to specify the firewall rules. Well, somehow,
something similar to ’--share’ but for network.

1: <https://docs.docker.com/config/containers/container-networking/>

All the best,
simon
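As an added illustration of the firewall approach Christopher describes above (a list of IP addresses allowed to connect, everything else dropped), here is a small POSIX shell script that generates and applies an nftables ruleset for a service running in a container that shares the host's network namespace. This is not code from the thread or from Guix; it assumes nftables is installed, that the service listens on one TCP port, and that the allowed peers are passed as IPv4 addresses or CIDR ranges. The port 8080 and the peer addresses used in the usage example are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): allow-list firewall for a service whose
# container shares the host's network namespace, so the host's nftables rules
# are what protect it.
#
# Assumptions: nftables is installed; the service listens on TCP $service_port;
# peers are IPv4 addresses or CIDRs. Only the service port is filtered; the
# host's existing policy for other traffic is left untouched.

# build_allowlist_ruleset PORT PEER... -> prints a complete nftables ruleset.
# Returns 1 without output if no peers are given, because an empty set would
# make nft reject the ruleset (and would silently leave the port unprotected
# if the caller ignored the error).
build_allowlist_ruleset() {
    service_port=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "build_allowlist_ruleset: at least one allowed peer is required" >&2
        return 1
    fi
    # Join the peers into an nftables anonymous set: "a, b, c".
    peers=$(printf '%s, ' "$@")
    peers=${peers%, }
    cat <<EOF
table inet guix_svc_allowlist {
    chain input {
        type filter hook input priority 0; policy accept;
        # Replies to connections the host opened itself keep working.
        ct state established,related accept
        # Local processes (including the container sharing the netns) may connect.
        iif lo accept
        # Listed peers may reach the service port; anyone else is counted and dropped.
        ip saddr { ${peers} } tcp dport ${service_port} accept
        tcp dport ${service_port} counter drop
    }
}
EOF
}

# apply_allowlist_ruleset PORT PEER... -> loads the ruleset into the kernel.
# Needs root (CAP_NET_ADMIN). Re-running it replaces the table atomically
# because the ruleset is a whole table definition, not an appended rule.
apply_allowlist_ruleset() {
    ruleset=$(build_allowlist_ruleset "$@") || return 1
    printf '%s\n' "$ruleset" | nft -f -
}

# Usage (sample values): allow two peers to reach a service on TCP 8080.
#   apply_allowlist_ruleset 8080 192.0.2.10 198.51.100.0/24
# To inspect what would be loaded without touching the kernel:
#   build_allowlist_ruleset 8080 192.0.2.10 198.51.100.0/24
```

Because the chain's policy is `accept` and only `tcp dport` rules for the one service port drop traffic, the script narrows exposure of that service without replacing whatever other firewalling the host already has; `nft list table inet guix_svc_allowlist` shows the drop counter, which is a cheap way to see whether unlisted hosts are probing the port.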