On Wed, Jul 23, 2008 at 11:15 PM, Bill Davidsen <[EMAIL PROTECTED]> wrote:
> Your easy way seems to mean using Debian, other distributions don't have
> some of the scripts, or they are in different places or do different things.
> Other thoughts below.

yep, on Gentoo and SuSE I didn't find the included scripts flexible
enough, so I did the same 'by hand'.  that was a few years ago, it
might be better now; but it's not hard to do anyway.


> Not being a trusting person I find that a bridge is an ineffective firewall,

a bridge isn't a firewall.  it's the software equivalent of plugging
both your host and guest into an ethernet switch.  in most ways, your
host 'steps out of the way'.

> but with a bit of trickery that could live on the VM, to the extent it's
> needed. Now the "sets up its own IP" is a mystery, since there's no place I
> have told it what the IP of the machine it replaces might be. I did take the

as said before, it's as if your VM is directly plugged into the LAN.
you just configure its network 'from inside'.  the host doesn't care
what IP numbers it uses.  in fact, it could be using totally different
protocols, just as long as they go over ethernet.

> hand does result in a working configuration, however, so other than the lack
> of control from using iptables to forward packets, it works well.

you can use iptables.  maybe you have to set up ebtables, but in the
end, just put rules in the FORWARD chains.  google for 'transparent
firewall' or 'bridge iptables'.

> of manual setup, it's faster than setting up iptables, and acceptably secure
> as long as the kvm host is at least as secure as the original.

just do with your VM as you do with a 'real' box.  after that, you can
use the fact that every packet to the VM has to pass through your eth0
device, even if it doesn't appear in your INPUT chain.

-- 
Javier
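The point Javier makes above (bridged guest traffic never hits the host's INPUT chain, but it can still be filtered in FORWARD once bridged frames are handed to iptables) is easy to get wrong in practice, so here is an added example of how a transparent firewall for a bridged KVM guest looks. It is not code from the thread or from any distribution's scripts. The bridge name `br0`, uplink `eth0`, guest tap `tap0`, guest address `192.0.2.10` and admin address `192.0.2.1` are made-up values; the sysctl keys, the `physdev` match and the `conntrack` match are standard Linux netfilter features. The rules are printed rather than applied so the policy can be reviewed first; `apply_bridge_firewall` applies them.

```shell
#!/bin/sh
# Transparent (bridge-level) firewall for a bridged KVM guest.
# Added example, not from the thread. All names and addresses below are
# hypothetical and must be adapted to the real host.
BRIDGE=br0          # bridge the guest's tap device is enslaved to
UPLINK=eth0         # host NIC that is also a bridge port
GUEST_TAP=tap0      # tap device qemu/kvm attached to the bridge
GUEST_IP=192.0.2.10 # address configured *inside* the guest
ADMIN_IP=192.0.2.1  # the only host allowed to ssh into the guest

# Sysctls that make bridged frames traverse iptables (the "bridge-nf" hooks).
# Without these, frames switched between eth0 and tap0 never see FORWARD.
# On newer kernels the br_netfilter module must be loaded first.
bridge_nf_sysctls() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables=1' \
        'net.bridge.bridge-nf-call-ip6tables=1'
}

# FORWARD-chain rules for frames leaving the bridge through the guest's tap.
# Default is drop-and-log; only return traffic, admin ssh and HTTPS are allowed.
# --physdev-out matches the bridge port a frame is switched to, so the policy
# follows the guest's port regardless of what IP the guest configures for itself.
guest_forward_rules() {
    cat <<EOF
iptables -A FORWARD -m physdev --physdev-is-bridged -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out $GUEST_TAP -p tcp --dport 22 -s $ADMIN_IP -d $GUEST_IP -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out $GUEST_TAP -p tcp --dport 443 -d $GUEST_IP -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out $GUEST_TAP -j LOG --log-prefix "br-fw-drop: "
iptables -A FORWARD -m physdev --physdev-out $GUEST_TAP -j DROP
EOF
}

# Number of rules the policy generates; handy as a sanity check before applying.
guest_forward_rule_count() {
    guest_forward_rules | wc -l | tr -d ' '
}

# Apply sysctls and rules on the host (requires root; not run by default).
apply_bridge_firewall() {
    bridge_nf_sysctls | while read -r kv; do sysctl -w "$kv"; done
    guest_forward_rules | sh
}

# Review mode: print what would be applied.
bridge_nf_sysctls
guest_forward_rules
```

Note that ebtables is only needed if you want to filter at layer 2 (for example by MAC address); for IP-level policy the bridge-nf sysctls plus ordinary FORWARD rules are enough, which is what this script does.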