Date:      Thu, 15 May 2014 01:07:33 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        Miroslav Lachman <000.fbsd@quip.cz>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>
Subject:   Re: Best practices with network settings for virtualization
Message-ID:  <5373A2D5.4050303@freebsd.org>
In-Reply-To: <537259F1.7070908@quip.cz>
References:  <5371510E.40302@quip.cz> <53723D3E.7030307@freebsd.org> <537259F1.7070908@quip.cz>

On 5/14/14, 1:44 AM, Miroslav Lachman wrote:
> Julian Elischer wrote:
>> On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
>>> I originally posted this to the virtualization@ list a week ago. I didn't
>>> receive any answer, so maybe this list is better for questions like
>>> the following.
>>>
>>> I would like to ask some really experienced person - what is the best
>>> way to run virtual guests connected to network with public IPs?
>>>
>>> I think many people run an insecure setup with guests on a simple bridged
>>> network.
>>>
>>> I know there are many options with tun, bridge, epair, VDE, Open
>>> vSwitch etc.; my main concern is the setup of a network where each guest
>>> can use only a predefined MAC and predefined IP(s). If some malicious
>>> user or malware in the guest OS tried to change the MAC or IP, I would
>>> like to disallow that, or not allow any offending traffic to reach the
>>> outside network or any other guest running on the same machine.
>>> Guests can be VirtualBox, Bhyve or anything else.
>> Assuming you mean virtualization like bhyve and not virtualization like
>> jails, and that you can use private addresses for the VMs, you can still
>> run each virtual machine inside a VNET jail, then using something like
>> epair you can connect the jails to a central 'router' jail that runs
>> ipfw and enforces what each jail sends out.
>>
>> If you want actual routable addresses on each jail (so that the jail
>> sees the outside world directly), it's a bit more difficult because you
>> can't act as a 'router' in the middle. Maybe others have more ideas.
>>
>> If you need to bridge a bunch of virtual machines so that they have
>> addressable interfaces, you can run bhyve or VB inside a vnet jail as
>> above, but each jail would need to do its own enforcing by having its own
>> ipfw, listening on the virtual interface that is attaching to the
>> bridge. I have not done this but I'm sure it can be done. You'll need to
>> experiment.
>> Just remember that each VNET jail can have its own firewall and its
>> own interfaces, real or virtual.
>
> Thank you for your answer.
> I am mainly interested in virtualization like Bhyve or VirtualBox
> with routable addresses in guest instances. So it is limited to some
> solutions with a virtual network switch with IP+MAC ACL capability.
> But I didn't find any example of this setup on the internet.
>
> Are VNET jails of production quality? And can Bhyve / VirtualBox
> guests run inside of them? (each guest in a separate vnet jail)
>
> Miroslav Lachman
>

There are some incomplete features, but Bhyve and vbox are likely to use just a
small subset of the functionality of the stack, so I'm guessing it would
be stable.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5373A2D5.4050303>
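The enforcement discussed in this thread (an ipfw instance watching the host-side interface of each guest and passing only that guest's predefined MAC and IP) as an added example; this is not code from the thread or from FreeBSD, and the interface names (tap0, tap1), MACs and addresses in the guest table are constructed. It assumes layer-2 filtering is switched on on the host (sysctl net.link.ether.ipfw=1 and, when the guest interfaces are bridge members, net.link.bridge.ipfw=1), and it covers IPv4 plus ARP only. The script emits the ruleset in ipfw(8)'s file format instead of loading it, so the rules can be reviewed first:

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw(8) ruleset that pins each
# guest's host-side interface to one source MAC and one IPv4 address. Any other
# frame the guest sends on that interface is dropped before it reaches the
# bridge. Assumes net.link.ether.ipfw=1 (and net.link.bridge.ipfw=1 for bridge
# members) on the host; the guest table below is constructed sample data.

# Constructed guest table: "host-side-interface source-MAC IPv4" per line.
GUESTS='tap0 58:9c:fc:00:00:01 203.0.113.11
tap1 58:9c:fc:00:00:02 203.0.113.12'

# Rules for one guest. Order matters: allow IPv4 from the pinned MAC+IP pair,
# allow ARP from the pinned MAC, then deny everything else received on that
# interface. "MAC any <src>" matches any destination and the given source MAC.
guest_rules() {
    ifn=$1 mac=$2 ip=$3 base=$4
    printf 'add %d allow layer2 in recv %s MAC any %s src-ip %s\n' \
        "$base" "$ifn" "$mac" "$ip"
    printf 'add %d allow layer2 in recv %s MAC any %s mac-type arp\n' \
        $((base + 10)) "$ifn" "$mac"
    printf 'add %d deny layer2 in recv %s\n' $((base + 20)) "$ifn"
}

# Walk the table, giving each guest its own block of rule numbers (1000, 1100, ...).
gen_ruleset() {
    n=1000
    printf '%s\n' "$GUESTS" | while read -r ifn mac ip; do
        [ -n "$ifn" ] || continue
        guest_rules "$ifn" "$mac" "$ip" "$n"
        n=$((n + 100))
    done
}

# Number of rules produced: three per guest. Handy as a sanity check.
rule_count() {
    gen_ruleset | grep -c '^add '
}

gen_ruleset
```

To load it, write the output to a file and hand that to ipfw (for example `gen_ruleset > /etc/ipfw.guests; ipfw -q /etc/ipfw.guests`), after whatever default rules the host already carries. Two limits worth knowing before trusting this: ipfw only sees the Ethernet header and the IP header, so a guest can still send an ARP reply whose sender fields claim a neighbour's address as long as the frame's source MAC is its own, and IPv6 frames fall through to the final deny, so a dual-stack guest needs matching rules for its IPv6 address.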