RE: Iptables, et al best practices for protecting KVM host sharing "hostdev" (ixgbe-vf) interfaces with guests


 



> 
> My question is this: what's best practices for making sure that a switch
> VLAN misconfiguration issue, a cabling to the wrong port, etc. doesn't
> compromise the KVM server itself?

Not sure about best practice. But what about using a macvtap? That by default does not allow host communication and only allows the guests connected to the same master to communicate with each other.

> How do I allow my KVM server to *not* be on "external", but some of its
> guests to be, without compromising security?

Do not configure the interface with an IP address on the host, and make sure you do not have daemons binding to 0.0.0.0 on the host.
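
A check for the second recommendation above, as an added example that is not part of the original message: it parses the `/proc/net/tcp` table format and reports TCP listeners bound to the wildcard address. It goes beyond the `0.0.0.0` named in the reply by also covering the IPv6 wildcard `::`, assumes a little-endian host when decoding addresses, and its sample rows are constructed.

```python
"""Flag TCP listeners bound to the wildcard address (0.0.0.0 or ::)."""
import ipaddress
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp and /proc/net/tcp6

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0A00A8C0:0016 0B00A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 20003 1
"""

def decode_addr(hex_addr):
    """Decode the kernel's hex address field (assumption: little-endian host)."""
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    return ipaddress.ip_address(b"".join(struct.pack("<I", w) for w in words))

def wildcard_listeners(proc_text):
    """Return sorted (address, port) pairs for LISTEN sockets on 0.0.0.0 or ::."""
    hits = set()
    for line in proc_text.splitlines():
        fields = line.split()
        # The header row and non-listening sockets fail the state test.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if addr.is_unspecified:  # true for 0.0.0.0 and ::
            hits.add((str(addr), int(hex_port, 16)))
    return sorted(hits)

def audit_host():
    """Scan the live tables; a missing file (e.g. IPv6 disabled) is skipped."""
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found += wildcard_listeners(fh.read())
        except OSError:
            continue
    return found

if __name__ == "__main__":
    print("constructed sample:", wildcard_listeners(SAMPLE_TCP))
    for addr, port in audit_host():
        print(f"wildcard listener on this host: {addr} tcp/{port}")
```

Any port reported for the live host is reachable on every address the host holds, so each such daemon needs an explicit bind address or a firewall rule.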


 



