Best practices with network settings for virtualization
Julian Elischer
julian at freebsd.org
Wed May 14 17:07:50 UTC 2014
On 5/14/14, 1:44 AM, Miroslav Lachman wrote:
> Julian Elischer wrote:
>> On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
>>> I originally posted this to the virtualization@ list a week ago. I didn't
>>> receive any answer, so maybe this list is better for questions like
>>> the following.
>>>
>>> I would like to ask some really experienced person - what is the best
>>> way to run virtual guests connected to network with public IPs?
>>>
>>> I think many people run insecure setups with guests on a simple
>>> bridged network.
>>>
>>> I know there are many options with tun, bridge, epair, VDE, Open
>>> vSwitch etc., my main concern is the setup of a network where each
>>> guest can use only a predefined MAC and predefined IP(s). If some
>>> malicious user or malware in the guest OS tried to change the MAC or
>>> IP, I would like to disallow that, or not allow any offending traffic
>>> to reach the outside network or any other guest running on the same
>>> machine.
>>> Guests can be VirtualBox, Bhyve or anything else.
>> Assuming you mean virtualization like bhyve and not virtualization
>> like jails, and that you can use private addresses for the VMs, you can
>> still run each virtual machine inside a VNET jail, then using something
>> like epair you can connect the jails to a central 'router' jail that
>> runs ipfw and enforces what each jail sends out.
>>
>> If you want actual routable addresses on each jail (so that the jail
>> sees the outside world directly) it's a bit more difficult because you
>> can't act as a 'router' in the middle. Maybe others have more ideas.
>>
>> If you need to bridge a bunch of virtual machines so that they have
>> addressable interfaces, you can run bhyve or VB inside a vnet jail as
>> above, but each jail would need to do its own enforcing by having
>> its own ipfw listening on the virtual interface that is attached to
>> the bridge. I have not done this but I'm sure it can be done. You'll
>> need to experiment.
>> Just remember that each VNET jail can have its own firewall and its
>> own interfaces, real or virtual.
>
> Thank you for your answer.
> I am mainly interested in virtualization like Bhyve or VirtualBox
> with routable addresses in guest instances. So it is limited to some
> solution with a virtual network switch with IP+MAC ACL capability.
> But I didn't find any example of this setup on the internet.
>
> Are VNET jails of production quality? And can Bhyve / VirtualBox
> guests run inside them? (each guest in a separate vnet jail)
>
> Miroslav Lachman
>
There are some incomplete features, but Bhyve and vbox are likely to
use just a small subset of the functionality of the stack, so I'm
guessing it would be stable.
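As an added illustration of the first setup Julian describes (each guest in its own VNET jail, connected over an epair to a central 'router' jail that runs ipfw and enforces what each guest sends), here is a small POSIX sh script that generates an ipfw ruleset for that router jail from a table of guest-to-MAC/IP assignments. It is example code written for this page, not something posted in the thread or shipped with FreeBSD. The interface names, MAC addresses and IP addresses in the table are constructed sample values; the script assumes the router jail holds the b-side of each epair, that `net.link.ether.ipfw=1` is set so ipfw sees layer-2 frames, and that the router jail has a host route to each guest address via its epair (needed for the `verrevpath` backstop).

```shell
#!/bin/sh
# Generate an ipfw ruleset for a 'router' VNET jail that sits between guest
# jails and the outside network. Each guest may only send frames whose source
# MAC and source IPv4 match the table below; everything else arriving on that
# guest's epair is dropped. Requires sysctl net.link.ether.ipfw=1 so that
# layer-2 frames are passed to ipfw (assumption about the host configuration).

# CONSTRUCTED sample table: jail name, router-side epair interface,
# the guest's fixed MAC and the guest's fixed IPv4 address.
JAIL_TABLE='
# jail   router-side-iface   guest-MAC           guest-IPv4
vm1      epair0b             02:00:00:00:00:01   10.0.0.11
vm2      epair1b             02:00:00:00:00:02   10.0.0.12
'

# Rules for one guest. ipfw's MAC option takes "dst-mac src-mac", so we pin
# only the source MAC. ARP must be allowed separately because ARP frames carry
# no IP header for the "from $ip" match to inspect.
guest_rules() {
    iface=$1; mac=$2; ip=$3
    cat <<EOF
add allow ip from $ip to any MAC any $mac in recv $iface layer2
add allow all from any to any MAC any $mac mac-type arp in recv $iface layer2
add deny all from any to any in recv $iface layer2
EOF
}

# Emit the full ruleset in the form accepted by "ipfw <file>" (one command per
# line, without the leading "ipfw"). Rule numbers are left to ipfw to assign.
gen_rules() {
    printf '%s\n' "$JAIL_TABLE" | while read -r jail iface mac ip; do
        case $jail in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "# guest $jail"
        guest_rules "$iface" "$mac" "$ip"
    done
    # Layer-3 backstop for anything not handled at layer 2: drop packets whose
    # source address does not route back out the interface they arrived on.
    # Assumes a host route per guest address via its epair (stated assumption).
    echo "add deny ip from any to any not verrevpath in"
    echo "add allow ip from any to any"
}

# Count generated rules; handy for a sanity check before loading them.
rule_count() {
    gen_rules | grep -c '^add'
}

# Usage on the router jail (not run here):
#   gen_rules > /tmp/guest-rules && ipfw -q flush && ipfw -q /tmp/guest-rules
```

Two caveats worth knowing before relying on this. ipfw does not parse ARP payloads, so a guest can still emit ARP replies claiming another guest's address even though its frames carry the right source MAC; if that matters, pair the ruleset with static ARP entries on the router jail or terminate each epair in its own subnet so guests never share a broadcast domain. And because layer-2 rules only run when `net.link.ether.ipfw` is enabled, forgetting that sysctl silently turns the per-guest rules into no-ops, leaving only the `verrevpath` backstop.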