On 5/14/14, 1:44 AM, Miroslav Lachman wrote:
Julian Elischer wrote:
On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
I originally posted this to the virtualization@ list a week ago. I didn't receive any answer, so maybe this list is better for questions like the following.
I would like to ask some really experienced person: what is the best way to run virtual guests connected to a network with public IPs?
I think many people run an insecure setup with guests on a simple bridged network.
I know there are many options with tun, bridge, epair, VDE, Open vSwitch etc.; my main concern is the setup of a network where each guest can use only a predefined MAC and predefined IP(s). If some malicious user or malware in the guest OS tried to change the MAC or IP, I would like to disallow that, or not allow any offending traffic to reach the outside network or any other guest running on the same machine.
Guests can be VirtualBox, Bhyve or anything else.
Assuming you mean virtualization like bhyve and not virtualization like jails, and that you can use private addresses for the VMs, you can still run each virtual machine inside a VNET jail, then using something like epair you can connect the jails to a central 'router' jail that runs ipfw and enforces what each jail sends out.
If you want actual routable addresses on each jail (so that the jail sees the outside world directly) it's a bit more difficult because you can't act as a 'router' in the middle. Maybe others have more ideas.
If you need to bridge a bunch of virtual machines so that they have addressable interfaces, you can run bhyve or VB inside a vnet jail as above, but each jail would need to do its own enforcing by having its own ipfw listening on the virtual interface that is attached to the bridge. I have not done this but I'm sure it can be done. You'll need to experiment.
Just remember that each VNET jail can have its own firewall and its own interfaces, real or virtual.
Thank you for your answer.
I am mainly interested in virtualization like Bhyve or VirtualBox with routable addresses in guest instances. So it is limited to some solutions with a virtual network switch with IP+MAC ACL capability. But I didn't find any example of this setup on the internet.
Are VNET jails of production quality? And can Bhyve / VirtualBox guests be run inside of them? (each guest in a separate vnet jail)
Miroslav Lachman
There are some incomplete features, but Bhyve and vbox are likely to use just a small subset of the functionality of the stack, so I'm guessing it would be stable.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[email protected]"
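The thread's suggested design is a central 'router' VNET jail that sees one epair end per guest jail and runs ipfw to enforce what each guest may send. The script below is an added example, not code from the thread or from FreeBSD; it generates the ipfw rule set for that router jail so that, on each guest-facing epair, only frames with the guest's assigned source MAC and only IP packets with the guest's assigned source address are accepted. The interface names (epair0b, epair1b), MAC addresses and 203.0.113.0/24 addresses are constructed sample values, and the layer-2 rules assume the sysctl net.link.ether.ipfw=1 is set in the router jail's kernel so that ipfw is consulted at the Ethernet layer.

```shell
#!/bin/sh
# Added example (not from the thread): emit ipfw rules for a "router" VNET jail
# that pins one MAC and one IP to each guest-facing epair interface.
# All interface names, MACs and IPs are constructed sample values.

# guest_rules IFACE MAC IP BASE
# Prints ipfw commands numbered from BASE that accept, on IFACE, only frames
# whose source MAC is MAC and only IP packets whose source address is IP.
guest_rules() {
    g_iface=$1; g_mac=$2; g_ip=$3; g_base=$4
    # Layer 2 pass (requires sysctl net.link.ether.ipfw=1 in the router jail):
    # "MAC dst src" - any destination, exactly the assigned source MAC.
    printf 'ipfw add %d allow MAC any %s layer2 in via %s\n' "$g_base" "$g_mac" "$g_iface"
    printf 'ipfw add %d deny MAC any any layer2 in via %s\n' "$((g_base + 10))" "$g_iface"
    # Layer 3 pass: IP packets entering from the guest must carry its assigned
    # source address; anything else is dropped before it can be forwarded.
    printf 'ipfw add %d allow ip from %s to any in via %s\n' "$((g_base + 20))" "$g_ip" "$g_iface"
    printf 'ipfw add %d deny ip from any to any in via %s\n' "$((g_base + 30))" "$g_iface"
    # Pin the router jail's ARP entry so a guest cannot claim a neighbour's IP
    # in the router's ARP cache (ipfw does not inspect ARP payloads).
    printf 'arp -S %s %s\n' "$g_ip" "$g_mac"
}

# Constructed guest table, one "iface mac ip" triple per line.
GUESTS='epair0b 02:00:00:00:00:01 203.0.113.10
epair1b 02:00:00:00:00:02 203.0.113.11'

# all_rules: one 100-rule block per guest, starting at rule 1000.
all_rules() {
    rule_base=1000
    echo "$GUESTS" | while read -r iface mac ip; do
        guest_rules "$iface" "$mac" "$ip" "$rule_base"
        rule_base=$((rule_base + 100))
    done
}

# Stand-alone use: print the commands; pipe into sh inside the router jail
# once the values above have been replaced with the real ones.
all_rules
```

These rules only restrict what enters the router jail from each guest; traffic towards the guests and between the router jail and the outside still needs its own allow rules, and the kernel's default final rule decides the fate of anything not matched. Static ARP entries cover the router jail's own cache only: in a bridged layout, where guests see each other at layer 2, the same MAC/IP pinning has to be applied on each guest-facing interface, as the thread notes.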