On 11/23/2010 02:33 PM, Jim Razmus wrote:
* carlopmart <carlopm...@gmail.com>  [101123 08:22]:
On 11/23/2010 01:48 PM, carlopmart wrote:
On 11/23/2010 01:42 PM, Bret Lambert wrote:
Because you're still relying on your host's network stack, you aren't
actually firewalling it.


Uhmm... I am not sure about this. For example: you can configure several virtual
bridges under an ESXi host and then attach them to a virtual firewall like
OpenBSD. If you configure some pf rules, you are doing firewalling... In this
case you have the whole network stack except layer 1, correct??

And one more thing: with the latest releases of hypervisors like ESXi
and KVM (I don't know about Xen), you can attach physical hardware
to a specific guest, like network interfaces. Then, you have the whole
network stack assigned to a virtual machine. Where are the
disadvantages in scenarios like this??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com


You're still relying on software to do the right thing and protect against
abuse.  "attach physical hardware to a specific guest" is done via
software.  Do you trust that software?

jim@



Uhmm... good point Jim. But one question: can you compromise this virtual firewall using a specific exploit, procedure, etc. and not do the same with a physical firewall??

--
CL Martinez
carlopmart {at} gmail {d0t} com