Re: Network bridge with network-scripts


 




> On 25.01.2022 at 15:30, James Szinger <jszinger@xxxxxxxxx> wrote:
> 
> On Tue, 25 Jan 2022 01:48:24 +0100
> Peter Boy <pboy@xxxxxxxxxxxxx> wrote:
> 
>> ...
>> 
>> Configuration is much easier and it causes less system load. The only
>> disadvantage is that the VMs cannot communicate directly with the
>> host. But it is usually better to use an internal, protected network
>> for this. 
> 
> This, for me, is a fatal limitation.  The web server needs to access
> the database server and so on.  At home I have just one network and
> everything is internal.

In this case the libvirt virtual network is for you. It’s already there, you just have to use it. That network creates an internal, protected (from public) network. The typical use case is a public service like a web server that will access a service you want to protect from public access, typically a database. You won’t make the database accessible from the public. If your web server should be able to access the database over the public interface, you must open the firewall port and everyone from outside can access the database as well and try to attack it.

Therefore a common structure is to install services, esp. a database, natively on the host and isolate the host from the internet as far as possible; usually you just allow ssh or vpn. Public services are installed in a VM that is as publicly accessible as needed.

>  At work we have an internal network and all
> internet-facing services are on an isolated network with an industrial
> grade firewall and application filter severely restricting access from
> the internet.  All the hosts are already on an “internal” network of
> some variety, so setting up another one seems redundant.

Yes, the text I linked does not set up another network but makes the internal network accessible for the VMs.

> I also feel that configuring the host for bridge mode is much more
> convenient than installing a separate physical network.

There is no additional separate physical network involved besides those your host is already connected to (1 network at your home, 2 networks at work). 

Please read the linked text again and give me a hint where the wording is misleading, so we can improve that.


Thanks
Peter
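
Added example, not part of the original message: a check a host administrator could run to confirm that database ports listen only on loopback or the libvirt internal network rather than on a public or wildcard address. The subnet 192.168.122.0/24 (libvirt's stock "default" network), the port list and the sample `ss -ltnH` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: 192.168.122.0/24 is the subnet of libvirt's stock "default"
# network (bridge virbr0); adjust if the network was redefined.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "::1/128", "192.168.122.0/24")]
# Assumption: the services to keep off the public interface.
PROTECTED_PORTS = {5432: "postgresql", 3306: "mysql/mariadb"}

# Constructed sample of `ss -ltnH` output from a hypothetical host.
SAMPLE_SS = """\
LISTEN 0 128        0.0.0.0:22         0.0.0.0:*
LISTEN 0 244  192.168.122.1:5432       0.0.0.0:*
LISTEN 0 244      127.0.0.1:5432       0.0.0.0:*
LISTEN 0 80         0.0.0.0:3306       0.0.0.0:*
LISTEN 0 244   203.0.113.10:5432       0.0.0.0:*
LISTEN 0 128           [::]:22            [::]:*
"""

def parse_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    return host, int(port)

def is_internal(host):
    """True only for an explicit bind inside one of INTERNAL_NETS."""
    if host in ("*", "0.0.0.0", "::"):
        return False  # wildcard bind: only the firewall stands in the way
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)

def exposed_listeners(ss_output):
    """Return (service, host, port) for protected ports bound outside INTERNAL_NETS."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = parse_local(cols[3])
        if port in PROTECTED_PORTS and not is_internal(host):
            findings.append((PROTECTED_PORTS[port], host, port))
    return findings

if __name__ == "__main__":
    for svc, host, port in exposed_listeners(SAMPLE_SS):
        print(f"{svc} listens on {host}:{port}, outside the internal network")
```

On a real host, feed the function the output of `ss -ltnH` instead of the sample.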


