On Wed, May 14, 2008 at 9:54 AM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Tue, May 13, 2008 at 04:55:04PM -0700, snowcrash+xen@xxxxxxxxx wrote:
> > ouch! a large %age of the boxes we deploy have a firewall/DomU & and
> > a NAS/Domu, each with dedicated, pass'd-thru NICs. without passthru,
> > performance is lousy.
>
> You're aware that PCI passthrough is insecure? Someone who gets root
> access to a guest can reprogram the NICs (trivially) to read or write
> any area of memory in any guest or the dom0. This might be pertinent
> information if you were expecting your firewall to provide isolation.

I figured that a domU having direct hardware access would open security holes; however, the VM I built is for monitoring our Internet connection, and I couldn't figure a way to sniff that traffic without direct hardware access. It's a tightly secured VM with only pinhole access to it in any case.

If there's a better way to configure a VM for traffic sniffing, I'd be interested in hearing...

Regards,
David

--
David L. Parsley
Manager of Network Services, Bridgewater College
"If I have seen further, it is by standing on ye shoulders of giants" - Isaac Newton

--
Fedora-xen mailing list
Fedora-xen@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-xen