From: Julian Elischer <julian@freebsd.org>
Date: Thu, 15 May 2014 01:07:33 +0800
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: FreeBSD Net
Subject: Re: Best practices with network settings for virtualization
Message-ID: <5373A2D5.4050303@freebsd.org>
In-Reply-To: <537259F1.7070908@quip.cz>
References: <5371510E.40302@quip.cz> <53723D3E.7030307@freebsd.org> <537259F1.7070908@quip.cz>

On 5/14/14, 1:44 AM, Miroslav Lachman wrote:
> Julian Elischer wrote:
>> On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
>>> I originally posted this to the virtualization@ list a week ago. I didn't
>>> receive any answer, so maybe this list is better for questions like
>>> the following.
>>>
>>> I would like to ask some really experienced person - what is the best
>>> way to run virtual guests connected to a network with public IPs?
>>>
>>> I think many people run an insecure setup with guests on a simple bridged
>>> network.
>>>
>>> I know there are many options with tun, bridge, epair, VDE, Open
>>> vSwitch etc., my main concern is the setup of a network where each guest
>>> can use only a predefined MAC and predefined IP(s). If some malicious
>>> user or malware in the guest OS tried to change the MAC or IP, I would like to
>>> disallow that or not allow any offending traffic to reach the outside
>>> network or any other guest running on the same machine.
>>> Guests can be VirtualBox, Bhyve or anything else.
>> Assuming you mean virtualization like bhyve and not virtualization like
>> jails, and that you can use private addresses for the VMs, you can still
>> run each virtual machine inside a VNET jail, then using something like
>> epair you can connect the jails to a central 'router' jail that runs
>> ipfw and enforces what each jail sends out.
>>
>> If you want actual routable addresses on each jail (so that the jail
>> sees the outside world directly) it's a bit more difficult because you
>> can't act as a 'router' in the middle. Maybe others have more ideas.
>>
>> If you need to bridge a bunch of virtual machines so that they have
>> addressable interfaces, you can run bhyve or VB inside a vnet jail as
>> above but each jail would need to do its own enforcing by having its own
>> ipfw, listening on the virtual interface that is attaching to the
>> bridge. I have not done this but I'm sure it can be done. You'll need to
>> experiment.
>> Just remember that each VNET jail can have its own firewall and its
>> own interfaces, real or virtual.
>
> Thank you for your answer.
> I am mainly interested in virtualization like Bhyve or VirtualBox
> with routable addresses in guest instances. So it is limited to some
> solutions with a virtual network switch with IP+MAC ACL capability.
> But I didn't find any example of this setup on the internet.
>
> Are VNET jails of production quality? And can Bhyve / VirtualBox
> guests run inside of them? (each guest in a separate vnet jail)
>
> Miroslav Lachman
>
There are some incomplete features, but Bhyve and vbox are likely to use just a small subset of the functionality of the stack, so I'm guessing it would be stable.
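The "router jail" design Julian sketches (each VM in its own VNET jail, an epair to a central jail that runs ipfw and enforces what each jail sends out) can be made concrete as a per-guest anti-spoofing ruleset. The script below is an added example, not code from anyone in this thread or from the FreeBSD project: it generates, for each guest, the ipfw rules the router jail would load on its end of that guest's epair so that only the registered MAC may source frames and only the registered IP may source packets on that link, which is exactly the MAC+IP pinning Miroslav asked for. The guest table, interface names (epairNb), RFC 1918 addresses and locally administered MACs are constructed sample data, and the rule numbering scheme is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): per-guest MAC+IP pinning for Julian's
# router-jail design. Each guest VM sits in its own VNET jail and reaches the
# network only through an epair whose "b" end lives in the router jail. The
# router jail runs ipfw, so rules bound to "recv epairNb" see every frame the
# guest sends and can drop anything not carrying its registered MAC and IP.
#
# Constructed sample guest table: name, router-side interface, IP, MAC.
# Names, RFC 1918 addresses and locally administered MACs are assumptions.
GUESTS='guest1 epair1b 10.0.1.11 02:00:00:00:01:01
guest2 epair2b 10.0.1.12 02:00:00:00:01:02'

# Print the ipfw rules that pin one guest to its MAC and IP on one interface.
# $1 = base rule number, $2 = router-side interface, $3 = IP, $4 = MAC.
gen_guest_rules() {
    base=$1 ifn=$2 ip=$3 mac=$4
    # Layer 2 pass (only taken when net.link.ether.ipfw=1 is set): accept frames
    # from the guest link only if their source MAC is the registered one. Because
    # this is a layer2 rule it also governs ARP, so a guest cannot poison the
    # router's ARP table with another guest's address.
    echo "add $((base + 0)) allow MAC any $mac layer2 in recv $ifn"
    echo "add $((base + 1)) deny log MAC any any layer2 in recv $ifn"
    # Layer 3 pass: only the registered source IP may leave the guest link.
    # The logged deny gives the operator a record of every spoofing attempt.
    echo "add $((base + 2)) allow ip from $ip to any in recv $ifn"
    echo "add $((base + 3)) deny log ip from any to any in recv $ifn"
}

# Emit the rule blocks for every guest in GUESTS, 10 rule numbers apart, in the
# one-command-per-line form that "ipfw <file>" reads (no leading "ipfw").
gen_ruleset() {
    n=1000
    echo "$GUESTS" | while read -r name ifn ip mac; do
        [ -n "$name" ] || continue
        echo "# $name"
        gen_guest_rules "$n" "$ifn" "$ip" "$mac"
        n=$((n + 10))
    done
}

# Load the generated rules into the router jail. $1 = jail name or jid.
# Assumes the caller has already set net.link.ether.ipfw=1 where the rules run
# and that the router jail's own uplink/forwarding rules sit at higher numbers.
apply_ruleset() {
    gen_ruleset | jexec "$1" ipfw -q /dev/stdin
}

# Stand-alone usage: print the ruleset for review instead of loading it.
if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

Two points of design: the rules are placed on the router side of each epair rather than inside the guest's jail, so a compromised guest has no way to edit or flush them, and both deny rules carry `log`, so spoofing attempts show up on the `ipfw0` pseudo-interface or in the security log rather than silently vanishing. Review the output with `--print` before loading it, and keep these blocks numbered below whatever forwarding rules the router jail already has.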