* carlopmart <carlopm...@gmail.com> [101123 08:22]:
> On 11/23/2010 01:48 PM, carlopmart wrote:
> > On 11/23/2010 01:42 PM, Bret Lambert wrote:
> > > Because you're still relying on your host's network stack, you aren't
> > > actually firewalling it.
> >
> > Uhmm .. I am not sure about this. For example: you can configure several
> > virtual bridges under an ESXi host and then attach them to a virtual
> > firewall like OpenBSD. If you configure some pf rules, you are doing
> > firewalling ... In this case you have all of the network stack except
> > layer 1, correct??
>
> And one more thing: with the latest releases of hypervisors like ESXi
> and KVM (I don't know about Xen), you can attach physical hardware
> to a specific guest, like network interfaces. Then you have the whole
> network stack assigned to a virtual machine. Where are the
> disadvantages in scenarios like this??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
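For readers who want to see what "configure some pf rules" on such a guest actually looks like, here is an added example (not posted by anyone in this thread): a minimal pf.conf for an OpenBSD guest placed between two ESXi virtual switches, one facing the outside and one facing an internal LAN. The interface names em0/em1, the 192.168.10.0/24 subnet, and the choice to allow only ssh inbound are assumptions for the example; nothing here changes the point under debate, which is that the guest's two interfaces still terminate in the hypervisor's virtual switches.

```pf
# Added example, not from this thread. Assumes an OpenBSD guest with two
# virtual NICs: em0 on the outside vSwitch, em1 on the internal vSwitch,
# and an internal subnet of 192.168.10.0/24 (all assumptions).
ext_if = "em0"
int_if = "em1"
lan    = "192.168.10.0/24"

# Loopback is never filtered; drop silently rather than send RSTs/ICMP.
set skip on lo
set block-policy drop

# Normalise fragments on all inbound traffic, then NAT the LAN out of ext_if.
match in all scrub (no-df)
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default deny in both directions, and drop packets that fail a reverse-path
# check (e.g. LAN addresses arriving on the outside interface).
block all
block in quick from urpf-failed

# LAN hosts may initiate anything outbound; the matching state lets replies in.
pass in  on $int_if inet from $lan to any
pass out on $ext_if inet from ($ext_if) to any

# The only inbound service offered on the outside interface is ssh to the
# firewall itself (assumption for the example).
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
```

The guest also needs `net.inet.ip.forwarding=1` in /etc/sysctl.conf to route between the two interfaces, and `pfctl -nf /etc/pf.conf` will parse the file without loading it so syntax errors are caught before the rules go live.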
You're still relying on software to do the right thing and protect against abuse. "Attach physical hardware to a specific guest" is done via software. Do you trust that software? jim@