Iptables, et al best practices for protecting KVM host sharing "hostdev" (ixgbe-vf) interfaces with guests
Marc
Marc at f1-outsourcing.eu
Sun Oct 31 20:00:50 UTC 2021
>
> My question is this: what's best practices for making sure that a switch
> VLAN misconfiguration issue, a cabling to the wrong port, etc. doesn't
> compromise the KVM server itself?
Not sure about best practice. But what about using a macvtap. That by default does not allow host communication and only allows the guests connected to the same master to communicate with each other.
> How do I allow my KVM server to *not* be on "external", but some of its
> guests to be, without compromising security?
Do not configure the interface with an ip address on the host, and make sure you do not have daemons binding to 0.0.0.0 on the host.
More information about the libvirt-users
mailing list