<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 01/26/2015 09:03 AM, Alex Carver
wrote:<br>
</div>
<blockquote cite="mid:54C64926.2040007@acarver.net" type="cite">
<pre wrap="">This only works for Win 7 and up. For the Win XP machine it won't work
because it's not permitted on the network directly. I would have to add
another firewall appliance with NAT* in front of that machine. The XP
machine is just not allowed a direct connection. Since a VM has NAT in
it, technically using a VM is an allowed configuration and it eliminates
the need for an appliance.</pre>
</blockquote>
You're overthinking it! ;-)<br>
<br>
The VM gives you the security boundary you need to establish a
firewall, *outside* the VM. Imagine:<br>
<ol>
<li>Network server hosts images, runs Linux.</li>
<li>PXE boot, downloads Linux kernel+rootfs, performs rsync to
local drive.</li>
<li>eth0 (or pXXpY, or whatever) is already set up. Create vbr0
for the virtual machine(s), give it IP 172.30.20.1/24 (or
another unused IP subnetwork in the RFC1918 space), and just
attach the VMs to the vbr0, which is isolated until you "wire it
up".</li>
<li>Optionally wire up vbr0 either as a masq'd network or as a
routed private subnetwork. Whichever is up to you and your
requirements. Drop in packet filter rules as necessary to
allow/deny traffic. Those rules go on the VMH, not the VM
itself.</li>
</ol>
<p>This gives you a somewhat lightweight method of running multiple
desktop systems securely, too (e.g., only available on VPN). SPICE
protocol (part of the reason for QXL's existence) allows a great
deal of efficiency improvement in remote desktop display: even MS
Windows can be tunnelled across the network at near-native feeling
speeds.<br>
</p>
<p> — Mike<br>
</p>
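<p>The bridge-plus-host-firewall layout in steps 3 and 4 above, as an added example that is not part of the original message: a POSIX shell script for the Linux VM host (VMH) that creates the isolated bridge, then "wires it up" as a masquerading network with an nftables ruleset that lives on the host rather than in any guest. The bridge name vbr0, uplink eth0, subnet 172.30.20.0/24, the legacy guest address 172.30.20.10 and the single destination/port it is allowed (10.0.0.5, TCP 873) are assumptions chosen for illustration, not values from the thread. DRY_RUN=1 (the default) prints the commands and ruleset instead of applying them, so it can be reviewed without root.</p>

```shell
#!/bin/sh
# Added example for the VM-host side of the layout above. All names, addresses
# and ports below are assumptions for illustration; override them via the
# environment. With DRY_RUN=1 (default) nothing is changed on the host.
set -eu

BRIDGE=${BRIDGE:-vbr0}
UPLINK=${UPLINK:-eth0}
SUBNET=${SUBNET:-172.30.20.0/24}
GW=${GW:-172.30.20.1/24}
LEGACY_GUEST=${LEGACY_GUEST:-172.30.20.10}   # assumed: the guest not allowed on the LAN directly
LEGACY_DST=${LEGACY_DST:-10.0.0.5}           # assumed: the one host it may reach
LEGACY_PORT=${LEGACY_PORT:-873}              # assumed: and the one TCP port
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 3: create the bridge and give the host an address on it. Until a
# forward/NAT policy exists, guests on the bridge can reach only each other
# and the host, not the uplink.
make_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip addr add "$GW" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# Step 4, masq'd variant: the ruleset the host loads. Default-drop forward
# chain; the legacy guest gets a pinhole to one destination and is otherwise
# dropped; every other guest may initiate outbound and gets replies back.
# Unsolicited inbound toward the guests never matches, so it is dropped.
render_ruleset() {
    cat <<EOF
table inet vmh {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$BRIDGE" ip saddr $LEGACY_GUEST ip daddr $LEGACY_DST tcp dport $LEGACY_PORT accept
    iifname "$BRIDGE" ip saddr $LEGACY_GUEST drop
    iifname "$BRIDGE" oifname "$UPLINK" ip saddr $SUBNET accept
  }
}
table ip vmh_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $SUBNET oifname "$UPLINK" masquerade
  }
}
EOF
}

# Enable forwarding and load the ruleset atomically (nft -f replaces tables
# as one transaction, so there is no window with a half-applied policy).
apply_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = 1 ]; then
        render_ruleset
    else
        render_ruleset | nft -f -
    fi
}

make_bridge
apply_ruleset
```

To switch to the routed-private-subnetwork variant instead, drop the vmh_nat table and add a route for 172.30.20.0/24 via the host on the upstream router; the forward chain stays the same, which is the point of keeping the rules on the VMH rather than in the guests. Run with DRY_RUN=0 as root to apply.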
</body>
</html>