From: Miroslav Lachman <000.fbsd@quip.cz>
To: FreeBSD Net
Subject: Best practices with network settings for virtualization
Date: Tue, 13 May 2014 00:54:06 +0200
Message-ID: <5371510E.40302@quip.cz>

I originally posted this to the virtualization@ list a week ago. I didn't receive any answer, so maybe this list is better for questions like the following.
I would like to ask some really experienced person: what is the best way to run virtual guests connected to a network with public IPs? I think many people run an insecure setup with guests on a simple bridged network. I know there are many options with tun, bridge, epair, VDE, Open vSwitch etc.; my main concern is the setup of a network where each guest can use only a predefined MAC and predefined IP(s).

If some malicious user or malware in the guest OS tried to change the MAC or IP, I would like to disallow that, or not allow any offending traffic to reach the outside network or any other guest running on the same machine. Guests can be VirtualBox, bhyve or anything else.

I really appreciate any help or ideas.

-- 
Miroslav Lachman
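As an added example (not from the post, and not FreeBSD project code), here is one way to enforce the per-guest MAC/IP binding the post asks about with ipfw(8) layer-2 filtering on an if_bridge(4). It assumes ipfw and if_bridge are in use and that each guest sits behind its own tap member interface; the tap names, MACs and addresses are constructed placeholders. It goes a step beyond the question by generating the rule blocks for any number of guests from a small inventory.

```shell
#!/bin/sh
# Added example, not from the post: emit ipfw(8) layer-2 rules that pin each
# guest tap interface on a FreeBSD if_bridge(4) to one MAC and one IPv4 address.
# Interface names, MACs and addresses below are constructed placeholders.
set -eu

# Constructed inventory, one guest per line: <bridge member> <MAC> <IPv4>
GUESTS='tap0 02:00:00:00:00:01 192.0.2.10
tap1 02:00:00:00:00:02 192.0.2.11'

# Rules for one guest. "recv <if>" matches frames that entered on that member,
# so the same rules apply whether the frame heads for the uplink or another guest.
guest_rules() {
    ifn=$1 mac=$2 ip=$3 base=$4
    # IPv4 frames must carry both the pinned source MAC and the pinned source IP.
    echo "ipfw add $base allow ip from $ip to any MAC any $mac recv $ifn layer2"
    # ARP frames must carry the pinned source MAC. ipfw does not parse the ARP
    # body, so a guest can still claim another IP in the ARP sender field;
    # pair this with static ARP entries on the host/neighbours if that matters.
    echo "ipfw add $((base + 1)) allow all from any to any mac-type arp MAC any $mac recv $ifn layer2"
    # Anything else from this member (other MACs, other IPs, IPv6, ...) is dropped.
    echo "ipfw add $((base + 2)) deny all from any to any recv $ifn layer2"
}

# Complete script: sysctls that hand bridged frames to ipfw at layer 2,
# then one rule block per inventory line, numbered 1000, 1010, 1020, ...
all_rules() {
    echo 'sysctl net.link.ether.ipfw=1'      # attach ipfw to the link-layer hook
    echo 'sysctl net.link.bridge.ipfw=1'     # run bridged frames through it
    echo 'sysctl net.link.bridge.ipfw_arp=1' # include ARP frames
    n=1000
    echo "$GUESTS" | while read -r ifn mac ip; do
        guest_rules "$ifn" "$mac" "$ip" "$n"
        n=$((n + 10))
    done
}

all_rules
```

Review the generated commands before running them as root; the deny rule is per member interface, so a guest with a second address or IPv6 needs additional allow rules ahead of it.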