Author: intrigeri
Date:
To: The Tails public development discussion list, adev
Subject: Re: [Tails-dev] VirtualBox host software vs. networking
Hi,
ade: ping about what follows :)
intrigeri wrote (01 Mar 2013 13:38:05 GMT):
> Hi,
> ade wrote (12 Feb 2013 18:59:26 GMT):
>> Steps I did:
>> 1. Install VirtualBox
> Just FTR, what host OS / version of VirtualBox were you using?
>> 2. Modprobe remove the vboxnetflt kernel module
>> 3. Set up various Tails virtual machines to test them out, and ran
>> do_not_ever_run_me script on all guests and the host machine to try out
>> manual iptables configurations.
> Just to be clear, did you reset the firewall rules on the host system
> before or after starting the VirtualBox services and virtual machines?
> (I'm concerned VirtualBox might play with firewall rules on the host
> e.g. when starting a VM, so this may be worth double-checking.)
>> As a result of unloading the vboxnetflt kernel module, virtual machines
>> would not start if they had a host-only networking adapter or bridge mode
>> networking adapter attached to them.
>> This is what we expect.
> OK.
>> With the vboxnetflt kernel module unloaded, the NAT networking mode still
>> functioned correctly, but bridge mode would not. This is good.
>> I did a very basic and quick test of iptables, and with NAT mode networking
>> enabled, the host iptables firewall was still able to control the virtual
>> machines' traffic.
>> Setting the OUTPUT policy of the host machine iptables firewall to DROP
>> stopped the guest Tails from sending outbound pings to the host machine's
>> eth0 interface.
> Good.
>> So it looks like VirtualBox could be shipped without support for bridge
>> networking, or without any networking support at all. In future it looks
>> promising that the NAT mode could be useful to provide the guest OS with
>> Tor access. Lack of vboxnetflt should stop bridge mode and associated
>> leaking from the guest OS if the host iptables firewall is configured
>> appropriately.
> Good to know.
>> Is there any interest in shipping VirtualBox with bridge mode disabled (or
>> no networking at all) but including a script that only root can run, to
>> enable bridge mode for those that want to use it?
> Well, either we are able to support networking without breaking Tails
> properties, in which case we should just enable it, or we are not
> able to, in which case I'd rather not ship such a script.
>> What does everyone think about this?
> I'm glad to see progress made on this, even though it's progress
> targeted at the step after the next one, it's motivating! I'm still in
> favor of shipping VirtualBox host software with no networking support
> at all (baby steps!) ASAP, and *then* see how we can add
> networking support.
> I've tried to summarize the current state of things on
> todo/add_virtualbox_host_software. Help is welcome for the next steps!
> Cheers,
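The host state the thread treats as safe (vboxnetflt unloaded so no bridged or host-only adapters, host iptables OUTPUT policy set to DROP so NAT-mode guests stay filtered) can be audited with a small script. This is an added example, not code from the thread or from Tails; the function names and the `lsmod` / `iptables -S` sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Audit a VirtualBox host against the two conditions discussed in the thread.
# Added example; function names and sample outputs below are constructed.

# Constructed `lsmod` output from a host where vboxnetflt is still loaded.
SAMPLE_LSMOD_LOADED="Module                  Size  Used by
vboxnetflt             27644  0
vboxdrv               293489  2 vboxnetflt
ext4                  476368  1"

# Constructed `lsmod` output after `modprobe -r vboxnetflt`.
SAMPLE_LSMOD_CLEAN="Module                  Size  Used by
vboxdrv               293489  1
ext4                  476368  1"

# Constructed `iptables -S` output with a default-deny OUTPUT chain.
SAMPLE_IPT_DROP="-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT"

# Constructed `iptables -S` output with the stock ACCEPT policies.
SAMPLE_IPT_ACCEPT="-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT"

# module_loaded LSMOD_TEXT MODULE: succeeds if MODULE is in the first column
# (the "Used by" column is ignored, so a dependency mention does not count).
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# output_policy_is_drop IPTABLES_S_TEXT: succeeds only if "-P OUTPUT DROP" is present.
output_policy_is_drop() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "OUTPUT" && $3 == "DROP" { ok = 1 } END { exit !ok }'
}

# audit_host LSMOD_TEXT IPTABLES_S_TEXT: prints findings, succeeds only if both checks pass.
audit_host() {
    rc=0
    if module_loaded "$1" vboxnetflt; then
        echo "FAIL: vboxnetflt is loaded; bridged/host-only adapters can be attached"
        rc=1
    fi
    if ! output_policy_is_drop "$2"; then
        echo "FAIL: iptables OUTPUT policy is not DROP; NAT-mode guest traffic is not default-denied"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no vboxnetflt, OUTPUT policy DROP"; fi
    return "$rc"
}

# On a live host (as root) the same check is: audit_host "$(lsmod)" "$(iptables -S)"
```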