[ale] Virtual machine questions for public use machines

Michael B. Trausch mike at trausch.us
Mon Jan 26 11:19:55 EST 2015


On 01/26/2015 09:03 AM, Alex Carver wrote:
> This only works for Win 7 and up.  For the Win XP machine it won't work
> because it's not permitted on the network directly.  I would have to add
> another firewall appliance with NAT* in front of that machine.  The XP
> machine is just not allowed a direct connection.  Since a VM has NAT in
> it, technically using a VM is an allowed configuration and it eliminates
> the need for an appliance.
You're overthinking it!  ;-)

The VM gives you the security boundary you need to establish a firewall,
*outside* the VM.  Imagine:

 1. Network server hosts images, runs Linux.
 2. PXE boot, downloads Linux kernel+rootfs, performs rsync to local drive.
 3. eth0 (or pXXpY, or whatever) is already set up.  Create vbr0 for the
    virtual machine(s), give it IP 172.30.20.1/24 (or another unused IP
    subnetwork in the RFC1918 space), and just attach the VMs to the
    vbr0, which is isolated until you "wire it up".
 4. Optionally wire up vbr0 either as a masq'd network or as a routed
    private subnetwork. Whichever is up to you and your requirements.
    Drop in packet filter rules as necessary to allow/deny traffic.
    Those rules go on the VMH, not the VM itself.

This gives you a somewhat lightweight method of running multiple desktop
systems securely, too (e.g., only available on VPN). SPICE protocol
(part of the reason of QXL's existence) allows a great deal of
efficiency improvement in remote desktop display: even MS Windows can be
tunnelled across the network at near-native feeling speeds.

    — Mike
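The host-side part of steps 3 and 4 above, as an added example that is not part of Mike's message: a POSIX shell script for the VM host (VMH) that creates the isolated bridge vbr0 with the 172.30.20.1/24 address from the post, then optionally "wires it up" as a masqueraded or routed subnet with a default-deny forward chain on the host, never in the guest. It assumes Linux with iproute2, nftables and sysctl; the uplink name eth0, the allowed outbound ports and the table names are assumptions. With DRY_RUN=1 (the default) it only prints the commands and the nftables ruleset it would apply, so the result can be reviewed before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): bring up an isolated VM bridge
# on the VM host and optionally masquerade or route it, keeping the packet
# filter on the host.  Assumes iproute2 + nftables; names are placeholders.
set -eu

BRIDGE=${BRIDGE:-vbr0}                      # bridge the VMs attach to (from the post)
BRIDGE_CIDR=${BRIDGE_CIDR:-172.30.20.1/24}  # host address on the bridge (from the post)
UPLINK=${UPLINK:-eth0}                      # assumed uplink interface name
DRY_RUN=${DRY_RUN:-1}                       # 1 = print only, 0 = execute as root

# Run a command, or just print it when reviewing.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Derive the network prefix from a host address: 172.30.20.1/24 -> 172.30.20.0/24
cidr_network() {
    addr=${1%/*}; bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    net=$(( n & (4294967295 << (32 - bits)) & 4294967295 ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Step 3: create the bridge; with no forwarding it is isolated until wired up.
bridge_up() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr add "$BRIDGE_CIDR" dev "$BRIDGE"
    run ip link set dev "$BRIDGE" up
}

# Step 4: emit the host packet filter for a mode (isolated | masq | routed).
# Forwarding is default-deny; only replies and the listed services leave the
# VM subnet, and nothing unsolicited reaches it.  Uses the "add table; flush
# table; redefine" pattern so re-applying does not duplicate rules.
nft_ruleset() {
    mode=$1
    subnet=$(cidr_network "$BRIDGE_CIDR")
    cat <<EOF
table inet vmh
flush table inet vmh
table inet vmh {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
EOF
    if [ "$mode" != isolated ]; then
        cat <<EOF
        iifname "$BRIDGE" ip saddr $subnet oifname "$UPLINK" udp dport 53 accept
        iifname "$BRIDGE" ip saddr $subnet oifname "$UPLINK" tcp dport { 80, 443 } accept
EOF
    fi
    printf '    }\n}\n'
    if [ "$mode" = masq ]; then
        cat <<EOF
table ip vmh_nat
flush table ip vmh_nat
table ip vmh_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr $subnet oifname "$UPLINK" masquerade
    }
}
EOF
    fi
}

# Apply the mode: toggle forwarding and load the ruleset (routed mode also
# needs the upstream router to have a route back to the VM subnet).
wire_up() {
    mode=$1
    case $mode in
        isolated)    run sysctl -w net.ipv4.ip_forward=0 ;;
        masq|routed) run sysctl -w net.ipv4.ip_forward=1 ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then nft_ruleset "$mode"; else nft_ruleset "$mode" | nft -f -; fi
}

main() {
    bridge_up
    wire_up "${1:-isolated}"
}
main "$@"
```

Usage: `sh vmh-bridge.sh masq` prints the plan; `DRY_RUN=0 sh vmh-bridge.sh masq` applies it. The VMs are then attached to vbr0 by the hypervisor (libvirt or QEMU's `-netdev bridge`), and every change to what they may reach is a one-line edit to the forward chain on the host.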
