From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.33) id 1CD79B-0005mq-IV for qemu-devel@nongnu.org; Thu, 30 Sep 2004 16:03:25 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.33) id 1CD79A-0005mQ-V2 for qemu-devel@nongnu.org; Thu, 30 Sep 2004 16:03:25 -0400 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.33) id 1CD79A-0005m0-Gs for qemu-devel@nongnu.org; Thu, 30 Sep 2004 16:03:24 -0400 Received: from [216.254.0.203] (helo=mail3.speakeasy.net) by monty-python.gnu.org with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 4.34) id 1CD72S-0003Or-A8 for qemu-devel@nongnu.org; Thu, 30 Sep 2004 15:56:28 -0400 Received: from dsl081-088-222.lax1.dsl.speakeasy.net (HELO [192.168.111.2]) ([64.81.88.222]) (envelope-sender ) by mail3.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 30 Sep 2004 19:56:26 -0000 Subject: Re: [Qemu-devel] Feature request: option to disable protection in user mode networking From: "John R. Hogerhuis" In-Reply-To: <20040930092541.A692@bbland> References: <1096346193.6787.2.camel@station6.example.com> <20040930092541.A692@bbland> Content-Type: text/plain Message-Id: <1096574231.10584.10.camel@aragorn> Mime-Version: 1.0 Date: Thu, 30 Sep 2004 12:57:11 -0700 Content-Transfer-Encoding: 7bit Reply-To: jhoger@pobox.com, qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org On Thu, 2004-09-30 at 00:25, Lionel Ulmer wrote: > > User mode networking is nifty++. I was wondering, though if it would be > > possible to disable the guest OS protection as a runtime option. > > This is not possible as (AFAIK), QEMU's ethernet adaptator emulation layer > has absolutely no idea on which ports the guest OS is listening to. So to do > what you want, it would entail opening all possible ports on the QEMU side > and 'forward' them to the guest OS. > > This is already possible, but I doubt that you want to DoS your Linux box by > using all possible ports :-) > > Lionel Why would you consider a "forward-all" option to be a DoS? All cheapo NAT boxes have this and gamers who don't know any better often use it to get games to work rather than finding the handful or bank of ports they actually need to open. NAT is kind of analagous to user-mode networking in QEMU, but not quite... I think the real problem here is that to listen on a port, slirp (the host) has to create a listening socket. If you want to effectively have a "forward all" you would either have to have a listen open on every port. Add to that the fact that some ports will already have listens on them, and that as an average user qemu won't have access privileged ports at all. So I think the original poster needs to use TUN/TAP networking if he wants to experiment with the guests's firewall. -- John.