On 14/03/09, Rick Leir wrote:
> On 08/03/2014 12:00 PM, linux-request [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca wrote:
> > i got the attached -- a proposal for a new linux firewalls book
> > (with the identifying preamble removed). i'm going to go over it this
> > weekend, but i'm curious as to what others think -- if you were
> > looking for a linux firewalls book and you picked one off the shelf
> > with the attached outline, would it interest you?
> >
> > are there critical topics missing? are there topics listed that have
> > little value? etc.
> > rday
>
> Hi Robert

Hi Rick,

> The attachment did not get to me, but maybe I can comment without
> it. I would want to see a user's guide to Shorewall and anything
> similar. And for container virtualization, like LXC and OpenVZ,
> where the kernel is shared with the host: what if any firewalling
> can you do from within the container?

From the kernel perspective we have network namespaces that have their
own network devices. A physical device can be transferred from one
network namespace to another, and pairs of virtual network devices can
be created as tunnels between network namespaces. Once you have done
that, you can run a standard firewall inside your container.

For example, if a physical machine has two physical ethernets (eth0 and
eth1), you could have eth0 be the host machine's network interface, then
in a container, transfer eth1 from the host to the container and set up
a network in the container that has exclusive access to eth1.

You could also set up a virtual ethernet device in each of two
containers and route packets directly between them with no other
container nor the host having access to that flow.

> Rick

slainte mhath,
RGB

-- 
Richard Guy Briggs  <hpv.tricolour.net>  <www.TriColour.net>
Ottawa, ON, CANADA  --  Ride yer bike!  Vote!  <greenparty.ca>
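As an added example, not part of the thread or anyone's posted code, the setup Richard describes in shell: a veth pair joining two namespaces, a physical NIC handed to one namespace, and a standard iptables policy applied inside it. Namespace names (ctA, ctB), device names and addresses are constructed; the commands need root, so DRY_RUN=1 prints them instead of executing.

```shell
#!/bin/sh
# Added example: two network namespaces joined by a veth pair, a physical NIC
# moved into a namespace, and an iptables policy applied inside it. Names,
# devices and addresses are constructed. Needs root; DRY_RUN=1 prints instead.
set -e

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Create a veth pair and land one end in each namespace.
setup_veth_pair() {
    ns_a=$1; ns_b=$2
    run ip netns add "$ns_a"
    run ip netns add "$ns_b"
    run ip link add "veth-$ns_a" type veth peer name "veth-$ns_b"
    run ip link set "veth-$ns_a" netns "$ns_a"
    run ip link set "veth-$ns_b" netns "$ns_b"
    run ip netns exec "$ns_a" ip addr add 10.200.0.1/30 dev "veth-$ns_a"
    run ip netns exec "$ns_b" ip addr add 10.200.0.2/30 dev "veth-$ns_b"
    run ip netns exec "$ns_a" ip link set "veth-$ns_a" up
    run ip netns exec "$ns_b" ip link set "veth-$ns_b" up
}

# Move a physical device (e.g. eth1) out of the host namespace; only the
# container namespace can use it afterwards.
move_phys_dev() {
    ns=$1; dev=$2
    run ip link set "$dev" netns "$ns"
    run ip netns exec "$ns" ip link set "$dev" up
}

# Netfilter state is per namespace: default-drop inbound, then allow
# loopback, established flows and SSH.
firewall_in_ns() {
    ns=$1
    run ip netns exec "$ns" iptables -P INPUT DROP
    run ip netns exec "$ns" iptables -A INPUT -i lo -j ACCEPT
    run ip netns exec "$ns" iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip netns exec "$ns" iptables -A INPUT -p tcp --dport 22 -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    setup_veth_pair ctA ctB
    firewall_in_ns ctA
fi
```

Run as `sh setup.sh apply` (as root) to apply, or `DRY_RUN=1 sh -c '. ./setup.sh; setup_veth_pair ctA ctB'` to review the command sequence first.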