On Wed, 22 Oct 2008, Marc G. Fournier wrote:
> Is it possible to assign an IP to a tap device, used by something like QEMU,
> such that someone *inside* the QEMU environment can't modify? Or, if they
> do modify their own IP, the network inside of QEMU will break, as the
> internal IP doesn't match what is attached to tap?
>
> I'm not seeing anything to that effect in the tap manual, but the part
> talking about 'control' seems to indicate that you can do this ...

Use a firewall to prevent receiving packets over the interface from any IP
other than the one you are willing to accept. Think of a tap interface as
simply being a normal ethernet interface hung off a network to the VM and
treat it that way in the rules -- for example, dropping IP from addresses
other than the designated one when received from the tap interface.
Robert N M Watson
Computer Laboratory
University of Cambridge
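
The filtering described in the reply above, written as a pf.conf fragment. This is an added example, not part of the original message; the choice of pf, the interface name tap0 and the address 192.0.2.10 are assumptions.

```pf
# Constructed example values: set these to the real tap device and the
# single address the guest is allowed to use.
vm_if = "tap0"
vm_ip = "192.0.2.10"

# Packets the guest sends show up on the host as inbound traffic on the tap,
# so the source-address check goes on "in".

# Drop IPv4 from the guest when the source is anything other than the
# designated address. "quick" stops rule evaluation at this match.
block in quick on $vm_if inet from ! $vm_ip to any

# No IPv6 address is assigned to this guest in the example, so drop all
# IPv6 arriving from it.
block in quick on $vm_if inet6 all

# IPv4 from the designated address is accepted from the tap.
pass in quick on $vm_if inet from $vm_ip to any
```

These rules match IP packets only, so ARP from the guest is not covered by them. If the tap is a member of an if_bridge, pf sees traffic on the member interface only when the `net.link.bridge.pfil_member` sysctl is enabled.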