I've given up on trying to set up a Private Virtual Network in virt-manager 
(KVM), as it does not work.  (CentOS 7.4 all 'round)

So I've now assigned a hardware ethernet port to the DMZ VM and one to the 
router VM, just like all the other VMs.  The DMZ and router have their own IP 
class C's (different from the LAN).  I'm uneasy with this, as if an interface 
could be put in promiscuous...

But what else am I going to do?  Using a bridge isn't very secure as it depends 
on a software driver, and if a flaw is found/exists in that?  It is hard to get 
bolt-sure isolation from some VMs, with communication in others.

With hardware interfaces and SNAT MASQUERADE defined for the LAN IP and DMZ IP, 
the LAN can get out to the WAN -- but not the DMZ machine.  Nothing in the 
logs, as usual.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
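For comparison, the layout below is a Shorewall 5 configuration for the setup described above: three hardware interfaces, a LAN zone and a DMZ zone, both masqueraded behind the WAN interface. It is an added example, not the poster's configuration; the interface names (eth0 WAN, eth1 LAN, eth2 DMZ) and the 192.168.10.0/24 and 192.168.20.0/24 networks are assumed. The LOGLEVEL column on the DROP/REJECT policies is what makes a blocked DMZ connection show up in the kernel log instead of failing silently.

```conf
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (eth0 = WAN, eth1 = LAN, eth2 = DMZ; assumed names)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
lan     eth1        tcpflags,nosmurfs,routefilter
dmz     eth2        tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy
# A DROP or REJECT policy with an empty LOGLEVEL discards traffic without a
# log entry. 'info' sends each hit to the kernel log so a DMZ host that cannot
# reach the WAN leaves a trace. Policies are matched top to bottom.
#SOURCE  DEST  POLICY  LOGLEVEL
lan      net   ACCEPT
dmz      net   ACCEPT
$FW      net   ACCEPT
dmz      all   DROP    info
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/snat  (Shorewall 5.0.14 and later; older releases use /etc/shorewall/masq)
# Both internal networks are masqueraded behind the WAN interface. If the DMZ
# network is missing here, its packets leave with a private source address
# that the WAN side cannot route replies to.
#ACTION      SOURCE                             DEST
MASQUERADE   192.168.10.0/24,192.168.20.0/24    eth0
```

`shorewall check` validates the files before loading, `shorewall show nat` prints the MASQUERADE rules actually in effect, and `shorewall show log` (or `journalctl -k`) then shows the logged DROP/REJECT hits for the DMZ.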