From: Miroslav Lachman <000.fbsd@quip.cz>
To: Julian Elischer
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Best practices with network settings for virtualization
Date: Tue, 13 May 2014 19:44:17 +0200
Message-ID: <537259F1.7070908@quip.cz>
In-Reply-To: <53723D3E.7030307@freebsd.org>
References: <5371510E.40302@quip.cz> <53723D3E.7030307@freebsd.org>

Julian Elischer wrote:
> On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
>> I originally posted this to virtualization@ list a week ago. I didn't
>> receive any answer, so maybe this list is better for questions like
>> the following.
>>
>> I would like to ask some really experienced person - what is the best
>> way to run virtual guests connected to network with public IPs?
>>
>> I think many people run insecure setup with guests with simple bridged
>> network.
>>
>> I know there are many options with tun, bridge, epair, VDE, Open
>> vSwitch etc., my main concern is the setup of network where each guest
>> can use only predefined MAC and predefined IP(s). If some malicious
>> user or malware in guest OS tried to change MAC or IP, I would like to
>> disallow that or not allow any offending traffic to reach outside
>> network or any other guest running on the same machine.
>> Guests can be VirtualBox, Bhyve or anything else.
> Assuming you mean virtualization like bhyve and not virtualization like
> jails, and that you can use private addresses for the VMs, you can still
> run each virtual machine inside a VNET jail, then using something like
> epair you can connect the jails to a central 'router' jail that runs
> ipfw and enforces what each jail sends out.
>
> If you want actual routable addresses on each jail (so that the jail
> sees the outside world directly) it's a bit more difficult because you
> can't act as a 'router' in the middle. Maybe others have more ideas.
>
> If you need to bridge a bunch of virtual machines so that they have
> addressable interfaces, you can run bhyve or VB inside a vnet jail as
> above but each jail would need to do its own enforcing by having its own
> ipfw, listening on the virtual interface that is attaching to the
> bridge. I have not done this but I'm sure it can be done. You'll need to
> experiment.
> Just remember that each VNET jail can have its own firewall and its
> own interfaces, real or virtual.

Thank you for your answer. I am mainly interested in virtualization like
Bhyve or VirtualBox with routable addresses in guest instances.
So it is limited to some solutions with virtual network switch with
IP+MAC ACL capability. But I didn't find any example of this setup on
the internet.

Are VNET jails of production quality? And can Bhyve / VirtualBox guests
run inside of them? (each guest in separate vnet jail)

Miroslav Lachman
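The thread asks for an example of pinning each bridged guest to one predefined MAC and IP with ipfw but contains none. The script below is an added example, not code from either poster or from the FreeBSD project: it generates the ipfw(8) layer-2 rules for the bridged layout Julian describes, with the host half of each guest's epair (epairNa) as a member of a host bridge and the guest half inside the guest's vnet jail. The interface names, MACs and addresses are constructed sample values, the `net.link.ether.ipfw` / `net.link.bridge.ipfw` sysctls and the `MAC`, `mac-type`, `layer2`, `recv`, `xmit` and `via` options are real ipfw(8) syntax, and the assumption that bridge filtering presents member interfaces to these rules should be checked against ipfw(8) and if_bridge(4) on the host before relying on it.

```shell
#!/bin/sh
# Added example, not code from the list thread. Emits the ipfw(8) rules that
# pin each guest to one MAC and one IPv4 address on the host bridge.
# Assumed layout (hypothetical): bridge0 carries the uplink em0 and the
# host half of each guest's epair (epairNa); the guest half (epairNb) is
# inside that guest's vnet jail, where bhyve or VirtualBox attaches to it.
# Interface names, MACs and addresses below are constructed sample values.

# Rules for one guest. Arguments: first rule number, host-side interface,
# allowed MAC, allowed IPv4 address. ipfw's MAC option is ordered
# "MAC <dst> <src>", so the guest's address sits second on inbound rules.
guest_l2_rules() {
    base=$1 ifn=$2 mac=$3 ip=$4
    # ARP leaving the guest must carry its own source MAC.
    echo "ipfw add $((base + 0)) allow mac-type arp MAC any $mac layer2 in recv $ifn"
    # IPv4 leaving the guest must carry both its MAC and its IP.
    echo "ipfw add $((base + 1)) allow ip from $ip to any MAC any $mac layer2 in recv $ifn"
    # Toward the guest: ARP (including broadcast who-has) and IPv4 frames
    # addressed to its MAC and IP. IP broadcast/DHCP is deliberately not
    # allowed here; add it explicitly if the guest needs it.
    echo "ipfw add $((base + 2)) allow mac-type arp layer2 out xmit $ifn"
    echo "ipfw add $((base + 3)) allow ip from any to $ip MAC $mac any layer2 out xmit $ifn"
    # Everything else crossing this interface (spoofed MAC or IP, other
    # ethertypes) is dropped and logged so spoofing attempts are visible.
    echo "ipfw add $((base + 4)) deny log all from any to any layer2 via $ifn"
}

# Build a complete rule script for several guests given as
# "name,host-if,mac,ip" entries; rule numbers step by 10 per guest.
build_ruleset() {
    echo "# needs: sysctl net.link.ether.ipfw=1 net.link.bridge.ipfw=1"
    n=1000
    for g in "$@"; do
        IFS=, read -r name ifn mac ip <<EOF
$g
EOF
        echo "# guest $name"
        guest_l2_rules "$n" "$ifn" "$mac" "$ip"
        n=$((n + 10))
    done
}

# Constructed sample inventory: two guests behind bridge0.
build_ruleset \
    "vm1,epair0a,02:00:00:00:00:0b,198.51.100.11" \
    "vm2,epair1a,02:00:00:00:00:0c,198.51.100.12"
```

Run it and feed the output to sh on the host after enabling the two sysctls; the per-interface `deny log` rule is what turns a guest changing its MAC or IP into a logged drop rather than forwarded traffic, and because the rules sit on the host side of each epair they hold even if the guest controls its own jail's firewall.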