-
-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Any kind of VMs and Containers are out of scope - ie. not handled by Portmaster #166
Comments
Is docker related? I remember problem with 1.1.1.1 DNS set in docker daemon causing timeouts and you swore portmaster handles that itself using its own list of DNS like it does with all other DNS reqs. |
I remember stating that the Portmaster would intercept queries, but then corrected myself to saying that it wouldn't. I've now talked with @ppacher about it and we now aren't entirely sure what happens exactly with all the network namespacing and such, as the host does see some of the namespaced information, such as processes. |
Please note that the Portmaster only sees and controls connections that are either destined for, or originate from your host from the view of the network. As Virtual Machines and Containers are usually separate entities on the network, the host only forwards their connections just like a router. You can think of them like a virtual data center, where your host is the main router in and out.
The main benefit of an application firewall, which is what the core of the Portmaster is, is to know which application is communicating over the network. VMs and Containers are (put simply) separate operating systems that the Portmaster cannot feasibly look into. This is the primary reason why this network traffic is not checked by the Portmaster.
If you want to have the benefits of the Portmaster within these system, please install the Portmaster there too.
Additionally, there are a multitude of virtualization systems, and each one has their own structure, interfaces, and quirks. Some use special systems that (inadvertently) make it extremely hard to inspect (and control) their network traffic. This immense amount of depth and edge cases is an additional reason why we cannot venture into this area at the moment.
Affected Technologies
To reduce confusion, we will start listing technologies here that are non-obviously affected:
Docker
On Windows (and OSX) the Portmaster is not capable of intercepting and filtering DNS requests sent from containers as Docker uses a lightweight virtual machine on those platforms.
On Linux, the Portmaster is only able to intercept and filter DNS requests that originate from containers using the hosts networking namespace (i.e. started with
--net=host
). Containers that run in their own networking namespace get routed through the containers network bridge and never enter the hosts incoming/outgoing netfilter chain. Therefore, the Portmaster does not see the packets sent and received by containers and cannot apply any filtering.--net=host
(on Linux) the Portmaster will see and filter connections made by processes in this containers but due an issue with the binary path lookup it may use the wrong profile for the binary that initiated the connection. (i.e. it may use the profile for a binary at path/usr/bin/curl
at the host while the container's "curl" is a different binary)We will re-evaluate this scoping decision at some point in the future. If you have any thoughts about that, please tell us.
We are also working on a good way to communicate this to users where they most need to know about that. If you have any suggestions, please leave a comment.
The text was updated successfully, but these errors were encountered: