From: Julian Elischer
Date: Tue, 13 May 2014 23:41:50 +0800
To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Net
Subject: Re: Best practices with network settings for virtualization
Message-ID: <53723D3E.7030307@freebsd.org>
In-Reply-To: <5371510E.40302@quip.cz>

On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
> I originally posted this to the virtualization@ list a week ago. I didn't
> receive any answer, so maybe this list is better for questions like
> the following.
>
> I would like to ask some really experienced person - what is the
> best way to run virtual guests connected to a network with public IPs?
>
> I think many people run an insecure setup with guests on a simple
> bridged network.
>
> I know there are many options with tun, bridge, epair, VDE, Open
> vSwitch etc., my main concern is the setup of a network where each
> guest can use only a predefined MAC and predefined IP(s). If some
> malicious user or malware in the guest OS tried to change the MAC or IP, I
> would like to disallow that or not allow any offending traffic to
> reach the outside network or any other guest running on the same machine.
> Guests can be VirtualBox, Bhyve or anything else.

Assuming you mean virtualization like bhyve and not virtualization like jails, and that you can use private addresses for the VMs, you can still run each virtual machine inside a VNET jail, then using something like epair you can connect the jails to a central 'router' jail that runs ipfw and enforces what each jail sends out.

If you want actual routable addresses on each jail (so that the jail sees the outside world directly), it's a bit more difficult because you can't act as a 'router' in the middle. Maybe others have more ideas.

If you need to bridge a bunch of virtual machines so that they have addressable interfaces, you can run bhyve or VB inside a vnet jail as above, but each jail would need to do its own enforcing by having its own ipfw listening on the virtual interface that is attaching to the bridge.

I have not done this but I'm sure it can be done. You'll need to experiment. Just remember that each VNET jail can have its own firewall and its own interfaces, real or virtual.

> I really appreciate any help or ideas.
>
> --
> Miroslav Lachman
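The central 'router' jail design from the reply above, as an added example that is not code from either poster: a script that emits the per-guest ipfw anti-spoofing rules for the router jail, pinning each guest to its predefined MAC and IPv4 address on the epair that joins its VNET jail to the router. It assumes net.link.ether.ipfw=1 in the router jail (so ipfw sees layer-2 frames); the guest names, epair names, MACs, IPs and rule numbers are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: anti-spoofing rules for the
# central "router" jail Julian describes. Each guest's VNET jail reaches
# the router jail over an epair; IFC is the router-side end of that epair,
# MAC and IP are the addresses the guest is allowed to use. Assumes the
# router jail has net.link.ether.ipfw=1 so ipfw also sees layer-2 frames.
# Interface names, MACs, IPs and rule numbers below are constructed.

# guest_rules BASE NAME IFC MAC IP -> prints the rules for one guest.
guest_rules() {
	base=$1; name=$2; ifc=$3; mac=$4; ip=$5
	# Layer 2: frames from the guest's link must carry its own source MAC.
	echo "add $((base + 0)) deny all from any to any not MAC any $mac layer2 in recv $ifc // $name mac"
	# Layer 2: only IPv4 and ARP ethertypes are accepted from the guest.
	echo "add $((base + 1)) deny all from any to any not mac-type ip,arp layer2 in recv $ifc // $name ethertype"
	# Layer 2 checks passed; the layer-3 pass below decides for IP.
	echo "add $((base + 2)) allow all from any to any layer2 in recv $ifc // $name l2 ok"
	# Layer 3: the IPv4 source address must be the guest's assigned IP.
	echo "add $((base + 3)) deny ip from not $ip to any in recv $ifc // $name ip"
	echo "add $((base + 4)) allow ip from $ip to any in recv $ifc // $name ok"
}

# ruleset (stdin: "name ifc mac ip" lines) -> one block per guest,
# numbered from 1000 in steps of 100; blank and '#' lines are skipped.
ruleset() {
	n=1000
	while read -r name ifc mac ip; do
		case $name in ''|'#'*) continue ;; esac
		guest_rules "$n" "$name" "$ifc" "$mac" "$ip"
		n=$((n + 100))
	done
}

# Constructed guest inventory: name, router-side epair, MAC, IPv4.
GUESTS='# name  ifc      mac                ip
vm1  epair0a  02:00:00:00:00:01  192.0.2.10
vm2  epair1a  02:00:00:00:00:02  192.0.2.11'

# Load the rules where ipfw exists (inside the router jail); elsewhere
# just print them for review. Forwarding and outbound policy toward the
# guests is left to the rest of the router jail's ruleset.
if command -v ipfw >/dev/null 2>&1; then
	printf '%s\n' "$GUESTS" | ruleset | ipfw -q /dev/stdin
else
	printf '%s\n' "$GUESTS" | ruleset
fi
```

ipfw does not inspect ARP payloads, so these rules bind a guest to its MAC and IPv4 address for IP traffic but do not stop it from answering ARP for another guest's address; a static ARP entry per guest in the router jail closes that gap.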