[fedora-virt] isolate VM from local network?

[Tom Horsley]

So, if I wanted to turn a Windows KVM into a utterly safe
web browser machine in which I revert the copy on write
filesystem on each boot, what is the best way to also isolate
it from the rest of the local network?

I've got all my KVM machines setup with bridge networking
right now. Can I use some magic firewall rules to prevent
one specific virtual machine from having any access to
my local network? (While still allowing the spice display
and mouse to operate, of course :-).

Configure it on a separate subnet maybe and use NAT on the
KVM host to allow it access to the outside world?