From owner-freebsd-virtualization@FreeBSD.ORG Sun May 4 12:57:58 2014 Return-Path: Delivered-To: freebsd-virtualization@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DBF914BE for ; Sun, 4 May 2014 12:57:58 +0000 (UTC) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9A85D123D for ; Sun, 4 May 2014 12:57:58 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 5F6482842F for ; Sun, 4 May 2014 14:57:49 +0200 (CEST) Received: from [192.168.1.2] (ip-89-177-49-222.net.upcbroadband.cz [89.177.49.222]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 786E328426 for ; Sun, 4 May 2014 14:57:48 +0200 (CEST) Message-ID: <5366394B.6040500@quip.cz> Date: Sun, 04 May 2014 14:57:47 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: freebsd-virtualization@freebsd.org Subject: Best practices with network settings for virtualization Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-virtualization@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Discussion of various virtualization techniques FreeBSD supports." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 May 2014 12:57:58 -0000 I would like to ask some really experienced person - what is the best way to run virtual guests connected to network with public IPs? I think many people run unsecure setup with guests with simple bridged network. I know there are many options with tun, bridge, epair, VDE, Open vSwitch etc., my main concern is the setup of network where each guest can use only predefined MAC and predifined IP(s). If some malicious user or malware in guest OS tried to change MAC od IP, I would like to disallow that or do not allow any offending traffic to reach outside network or any other guest running on the same machine. Guests can be VirtualBox, Bhyve or anything else. I really appreciate any help or ideas. -- Miroslav Lachman PS: I don't know if this is the best lsit to ask, maybe freebsd-net@ is better place?