From: Bakul Shah
To: "Marc G. Fournier"
Cc: freebsd-net@freebsd.org
Date: Tue, 21 Oct 2008 21:49:01 -0700
Subject: Re: tap devices ... restricting IP?
Message-Id: <20081022044901.E92635B29@mail.bitblocks.com>

On Wed, 22 Oct 2008 01:01:39 -0300 "Marc G. Fournier" wrote:
> Is it possible to assign an IP to a tap device, used by something like QEMU,
> such that someone *inside* the QEMU environment can't modify? Or, if they do
> modify their own IP, the network inside of QEMU will break, as the internal IP
> doesn't match what is attached to tap?
>
> I'm not seeing anything to that effect in the tap manual, but the part talking
> about 'control' seems to indicate that you can do this ...

This is not something the tap driver does for you.
But you can use DHCP to give the qemu machine its own IP address + set up some firewall rules so that no other IP address can be sourced from the qemu machine.
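
Added example, not part of the original message: a pf.conf fragment showing one way to write the firewall half of this suggestion. It assumes pf is the host firewall, that the host routes for the guest on tap0 (not bridged), and that the DHCP server hands the guest a fixed lease for the constructed address 192.0.2.10; the interface name and address are placeholders.

```conf
# pf.conf fragment (added example; tap0 and 192.0.2.10 are assumed values)
guest_if = "tap0"
guest_ip = "192.0.2.10"   # the address the DHCP server leases to this guest

# Let the guest ask for its lease before it has an address:
# DHCPDISCOVER/REQUEST go from 0.0.0.0:68 to the broadcast address, port 67.
pass in quick on $guest_if inet proto udp \
    from 0.0.0.0 port 68 to 255.255.255.255 port 67

# Drop anything arriving from the guest with a source address other than
# the one it was assigned. If the guest reconfigures its own IP, its
# traffic stops here and its networking breaks.
block in quick on $guest_if inet from ! $guest_ip to any

# No IPv6 address was assigned to the guest, so none may be sourced.
block in quick on $guest_if inet6 all

# What remains is IPv4 traffic sourced from the assigned address.
pass in on $guest_if inet from $guest_ip to any

# Limits: these rules filter IP packets only. They do not constrain the
# guest's MAC address or ARP traffic, and on a bridged tap interface
# whether pf sees member-interface traffic depends on the bridge's
# packet-filter settings.
```

Load-check the fragment with `pfctl -nf` on the rules file before enabling it.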