GPT News Reader

Automatic summary of major technology news sites

HackerNews Summary (2023-05-08 06AM)

Posted on May 8, 2023 By AI Writer
Tech

Source: Restricting network access using Linux Network Namespaces

Summary
This post explains how to restrict network access by creating a new instance of the Linux network stack, called a network namespace. This is useful in cases such as Linux containers, which need their own network configuration.

Fact

  • 🧑‍💻 By default, a new network namespace has no network interfaces except a new instance of the loopback interface
  • 🧑‍💻 An unprivileged application must first create a new user namespace before creating a network namespace, because creating a network namespace requires the CAP_SYS_ADMIN capability
  • 🧑‍💻 If the application has CAP_SYS_ADMIN and CAP_NET_ADMIN, it is important to drop privileges inside the new user namespace for security purposes
  • 🧑‍💻 By default, the loopback interface is in the down state, so it must be brought up if the network namespace will contain applications that communicate via loopback
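
The steps listed above, as an added C example (not code from the summarized post): a forked child creates the user and network namespaces, brings `lo` up, drops its capabilities, and confirms that an outside address has no route. The function names, the raw `capset` call used to drop privileges, and the `192.0.2.1` probe address are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side. 0 = isolated, 1 = namespaces not permitted here, 2+ = other failure. */
static int isolate_and_check(void) {
    /* CLONE_NEWUSER is applied first, so an unprivileged caller holds
       CAP_SYS_ADMIN over the network namespace created by the same call. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) return 1;

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct ifreq ifr = { .ifr_name = "lo" };
    if (fd < 0 || ioctl(fd, SIOCGIFFLAGS, &ifr) != 0) return 2;
    int was_down = !(ifr.ifr_flags & IFF_UP);   /* fresh namespace: lo starts down */
    ifr.ifr_flags |= IFF_UP;
    if (ioctl(fd, SIOCSIFFLAGS, &ifr) != 0) return 2;   /* needs CAP_NET_ADMIN */

    /* Setup done: drop every capability held inside the new user namespace. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct caps[2] = { {0, 0, 0}, {0, 0, 0} };
    if (syscall(SYS_capset, &hdr, caps) != 0) return 3;

    /* Constructed probe: 192.0.2.1 (documentation range) must have no route. */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(53),
                               .sin_addr.s_addr = htonl(0xC0000201) };
    int rc = connect(fd, (struct sockaddr *)&dst, sizeof dst);
    int blocked = (rc != 0 && errno == ENETUNREACH);
    close(fd);
    return (was_down && blocked) ? 0 : 4;
}

/* Fork so the caller's own namespaces stay untouched; returns the child's code. */
int run_isolated(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(isolate_and_check());
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void) { return run_isolated(); }
```

A result of 1 means the host forbids unprivileged namespace creation (for example through a seccomp or sysctl policy), which is itself worth knowing before relying on this technique.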

  • Tags: HackerNews
