tap devices ... restricting IP?
Robert Watson
rwatson at FreeBSD.org
Fri Oct 24 13:22:19 UTC 2008
On Wed, 22 Oct 2008, Marc G. Fournier wrote:
> Is it possible to assign an IP to a tap device, used by something like QEMU,
> such that someone *inside* the QEMU environment can't modify? Or, if they
> do modify their own IP, the network inside of QEMU will break, as the
> internal IP doesn't match what is attached to tap?
>
> I'm not seeing anything to that effect in the tap manual, but the part
> talking about 'control' seems to indicate that you can do this ...
Use a firewall to prevent receiving packets over the interface from any IP
other than the one you are willing to accept. Think of a tap interface as
simply being a normal ethernet interface hung off a network to the VM and
treat it that way in the rules -- for example, dropping IP from addresses
other than the designated one when received from the tap interface.
Robert N M Watson
Computer Laboratory
University of Cambridge
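
The filtering described in the reply above, written as a pf.conf fragment. This is an added example, not part of the original message; the interface name tap0 and the address 192.0.2.10 are constructed placeholders, and pf is one choice of firewall (the reply does not name one).

```pf
# Constructed values: substitute the real tap interface and guest address.
vm_if = "tap0"          # tap interface backing the guest (assumed name)
vm_ip = "192.0.2.10"    # the only address the guest may use (assumed)

# Guest -> host: accept IPv4 only when the source is the designated address.
pass in quick on $vm_if inet from $vm_ip to any

# Anything else received from the guest is dropped and logged, so a guest
# that changes its address shows up on pflog0 instead of silently failing.
block drop in log quick on $vm_if all

# Host -> guest: deliver only traffic addressed to the designated address.
pass out quick on $vm_if inet from any to $vm_ip
block drop out quick on $vm_if all
```

These rules match IP packets only, and they assume the guest is statically configured: a DHCP request sourced from 0.0.0.0 would be dropped by the second rule.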