Date: Fri, 24 Oct 2008 14:22:18 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: freebsd-net@freebsd.org
Subject: Re: tap devices ... restricting IP?
Message-ID: <alpine.BSF.1.10.0810241419200.64855@fledge.watson.org>
In-Reply-To: <AAF0D5CFDA1476A1AF36A900@ganymede.hub.org>
References: <AAF0D5CFDA1476A1AF36A900@ganymede.hub.org>

On Wed, 22 Oct 2008, Marc G. Fournier wrote:

> Is it possible to assign an IP to a tap device, used by something like QEMU,
> such that someone *inside* the QEMU environment can't modify? Or, if they
> do modify their own IP, the network inside of QEMU will break, as the
> internal IP doesn't match what is attached to tap?
>
> I'm not seeing anything to that effect in the tap manual, but the part
> talking about 'control' seems to indicate that you can do this ...

Use a firewall to prevent receiving packets over the interface from any IP
other than the one you are willing to accept. Think of a tap interface as
simply being a normal ethernet interface hung off a network to the VM and
treat it that way in the rules -- for example, dropping IP from addresses
other than the designated one when received from the tap interface.

Robert N M Watson
Computer Laboratory
University of Cambridge
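
The filtering described in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message; the choice of pf, the interface name `tap0` and the address `192.0.2.10` are assumptions.

```pf
# Added example, not from the original message.
# Assumptions: the VM's tap interface is tap0 and its designated
# address is 192.0.2.10 (documentation-range placeholder).
vm_if = "tap0"
vm_ip = "192.0.2.10"

# Drop any IPv4 packet received on the tap interface whose source is
# not the designated address. "quick" stops rule evaluation here, so
# no later pass rule can let the packet through.
block in quick on $vm_if inet from ! $vm_ip to any

# No IPv6 address is designated for the VM in this sketch, so all
# IPv6 received on the tap interface is dropped as well.
block in quick on $vm_if inet6 all

# IPv4 sourced from the designated address is accepted.
pass in quick on $vm_if inet from $vm_ip to any
```

These rules match IP packets only; ARP frames sent by the guest are not covered by them.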