On 07/01/2011, at 4:39 AM, Daniel Huhardeaux wrote: > Le 06/01/2011 18:16, Justin Clift a écrit : > > [...] > >> Hmmm, in your libvirtd.conf file, what does the line say where you have "listen_addr"? >> >> I'm thinking it should be something like: >> >> listen_addr = "0.0.0.0" >> >> Which I *think* tells it to bind to everything it can. >> >> ? > > Yes but that's not what I want. Let's say we have 3 servers each of them with VMs and all connected through OpenVPN > > server 1: VMs Net 10.0.1.1 (IP of server virbr0) VMs from .1.11 to ... > server 2: VMs Net 10.0.2.1 (IP of server virbr0) VMs from .2.11 to ... > server 3: VMs Net 10.0.3.1 (IP of server virbr0) VMs from .3.11 to ... > > Having OpenVPN running, each VM -or other host running OpenVPN- can reach each other. So what I want, for security reason, is that listen_addr of each server is *only* 10.0.[1|2|3].1 which is transparent and independant of other network settings (public addresses, localnet, other VPN, ...). > > Hope I clarify my needs :-) Heh, yeah. I think Daniel Berrange's approach of using firewall rules to control the access is probably the most rugged... My only other thought, and probably pretty fragile unless you put good scripting around it, is to still do the restarting thing, but change the listen_addr entry before the restart. Though, I think it'll be an interesting (bad) situation if you want to change or restart one of the virtual networks when libvirtd is attached to it. Can see problems with that. ;) -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list