So, if I wanted to turn a Windows KVM into an utterly safe web browser machine in which I revert the copy on write filesystem on each boot, what is the best way to also isolate it from the rest of the local network?
I've got all my KVM machines set up with bridge networking right now. Can I use some magic firewall rules to prevent one specific virtual machine from having any access to my local network? (While still allowing the spice display and mouse to operate, of course :-).
Configure it on a separate subnet maybe and use NAT on the KVM host to allow it access to the outside world?
On 12/29/2010 05:44 AM, Tom Horsley wrote:
> So, if I wanted to turn a Windows KVM into an utterly safe web browser machine in which I revert the copy on write filesystem on each boot, what is the best way to also isolate it from the rest of the local network?
> I've got all my KVM machines set up with bridge networking right now. Can I use some magic firewall rules to prevent one specific virtual machine from having any access to my local network? (While still allowing the spice display and mouse to operate, of course :-).
You should be able to do it through the usage of virsh netfilter-* commands, please check the man page for them.
btw: spice uses the host networking and not the guest networks so it won't have any effect on it.
> Configure it on a separate subnet maybe and use NAT on the KVM host to allow it access to the outside world?
That's always easier.
virt mailing list virt@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/virt
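
The separate-subnet-plus-NAT approach discussed in the thread, as an added example that is not part of either poster's message. The network name, bridge name and both subnets are constructed placeholders, and it assumes the host firewall is managed with iptables.

```shell
#!/bin/sh
# Added example: all names and addresses below are constructed placeholders.
NET_NAME="browser-isolated"   # hypothetical libvirt network name
BRIDGE="virbr-iso"            # hypothetical bridge device (max 15 chars)
GUEST_NET="192.168.150"       # hypothetical guest subnet prefix (/24)
LAN_CIDR="192.168.1.0/24"     # assumed home LAN that the guest must not reach

# Emit a libvirt NAT network definition for the guest-only subnet.
gen_network_xml() {
    cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <forward mode='nat'/>
  <bridge name='${BRIDGE}' stp='on' delay='0'/>
  <ip address='${GUEST_NET}.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='${GUEST_NET}.10' end='${GUEST_NET}.50'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Emit iptables commands that stop the guest from reaching the LAN.
# FORWARD covers other LAN machines; INPUT covers the host's own LAN address.
# DHCP/DNS to ${GUEST_NET}.1 and NATed Internet traffic are not matched.
gen_block_rules() {
    for chain in FORWARD INPUT; do
        echo "iptables -I ${chain} 1 -i ${BRIDGE} -d ${LAN_CIDR} -j DROP"
    done
}

# Apply only when asked to (as root): ./isolate.sh apply
# Without an argument the script just prints what it would use.
if [ "${1:-}" = "apply" ]; then
    set -e
    xml=$(mktemp)
    gen_network_xml > "$xml"
    virsh net-define "$xml"
    virsh net-start "$NET_NAME"
    virsh net-autostart "$NET_NAME"
    gen_block_rules | sh -e      # inserted after libvirt's own rules exist
    rm -f "$xml"
else
    gen_network_xml
    gen_block_rules
fi
```

The guest's interface still has to be moved from the bridge to this network (`<interface type='network'>` with `<source network='browser-isolated'/>` via `virsh edit`). Check the order afterwards with `iptables -L FORWARD -n --line-numbers`: the DROP rules must sit above libvirt's ACCEPT rules for the bridge.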