Javier Guerra wrote:
> On Wed, Jul 23, 2008 at 11:15 PM, Bill Davidsen <[EMAIL PROTECTED]> wrote:
>> Your easy way seems to mean using Debian, other distributions don't have
>> some of the scripts, or they are in different places or do different things.
>> Other thoughts below.
>
> yep, on Gentoo and SuSE i didn't find the included scripts flexible
> enough, so i did the same 'by hand'. that was a few years ago, it
> might be better now; but it's not hard to do anyway.
>
>> Not being a trusting person I find that a bridge is an ineffective firewall,
>
> a bridge isn't a firewall. it's the software equivalent of plugging
> both your host and guest to an ethernet switch. in most ways, your
> host 'steps out of the way'.

Maybe I didn't have my tongue far enough in my cheek... I do know what a
bridge is, etc, I was referring to the desirability of using iptables
for the forwarding. I must have looked at ebtables at one time, the
package is loaded, but I don't remember having any instant "this is
great" moments with it, so I'll have to reread the docs if I need more
than the bridge.

>> but with a bit of trickery that could live on the VM, to the extent it's
>> needed. Now the "sets up its own IP" is a mystery, since there's no place I
>> have told it what the IP of the machine it replaces might be. I did take the
>
> as said before, it's as if your VM is directly plugged to the LAN.
> you just configure its network 'from inside'. the host doesn't care
> what IP numbers it uses. in fact, it could be using totally different
> protocols, just as long as they go over ethernet.

But when the host is really on the network, it uses DHCP to set the IP,
while in a VM it never sends any DHCP packets, the setting of the IP
times out, and I wind up with no IP until I set it. I have checked with
tcpdump, the DHCP requests for IP appear on the bridge, but not on the
eth0 NIC, and so are never seen by the DHCP server.
Do you see this problem, or have any information about it? Obviously
suggestions on fixing this are needed, since the dhcp server is a
candidate for virtualization in the future.

>> hand does result in a working configuration, however, so other than the lack
>> of control from using iptables to forward packets, it works well.
>
> you can use iptables. maybe you have to setup ebtables, but in the
> end, just put rules in the FORWARD chains. google for 'transparent
> firewall', or 'bridge iptables'
>
>> of manual setup, it's faster than setting up iptables, and acceptably secure
>> as long as the kvm host is at least as secure as the original.
>
> just do with your VM as you do with a 'real' box. after that, you can
> use the fact that every packet to the VM has to pass through your eth0
> device; even if they don't appear on your INPUT chains.

--
Bill Davidsen <[EMAIL PROTECTED]>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
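
The "bridge iptables" approach mentioned in the thread, as an added example that is not from either poster: a shell helper that checks whether bridged frames are handed to iptables at all and prints FORWARD rules for one guest. The tap interface name `tap0` and the allowed port 22 are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example: filter a bridged KVM guest from the host's FORWARD chain.
# Assumed names (not from the thread): guest tap interface "tap0", inbound
# TCP port 22 allowed. The function names are hypothetical.

# Bridged frames only traverse iptables when this sysctl reads 1 (on current
# kernels the file exists only once the br_netfilter module is loaded).
BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Return 0 if bridged traffic is passed to iptables, non-zero otherwise.
bridge_nf_enabled() {
    f=${1:-$BRIDGE_NF}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print an iptables-restore ruleset for one guest tap interface.
# Loading it replaces the FORWARD rules of the filter table.
bridge_fw_rules() {
    tap=$1
    port=$2
    # Refuse anything that is not a plain interface name or a numeric port.
    case $tap in ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1;; esac
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
# Replies to connections that were already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything the guest sends, including its DHCP broadcasts.
-A FORWARD -m physdev --physdev-is-bridged --physdev-in $tap -j ACCEPT
# DHCP answers: a reply to a broadcast request does not match the
# conntrack entry, so it needs its own rule.
-A FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -p udp --sport 67 --dport 68 -j ACCEPT
# The one service exposed on the guest.
-A FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -p tcp --dport $port -j ACCEPT
# Everything else headed for the guest stops here.
-A FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -j DROP
COMMIT
EOF
}

# Dry run as root, parsing the rules without committing them:
#   bridge_nf_enabled && bridge_fw_rules tap0 22 | iptables-restore --test
```

If `bridge_nf_enabled` fails, the FORWARD rules load without error but never see the bridged frames, so check it before relying on the ruleset.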