From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1I6omv-0004ZH-7S for qemu-devel@nongnu.org; Fri, 06 Jul 2007 10:28:01 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1I6omt-0004WD-DV for qemu-devel@nongnu.org; Fri, 06 Jul 2007 10:28:00 -0400
Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1I6omt-0004Vu-98 for qemu-devel@nongnu.org; Fri, 06 Jul 2007 10:27:59 -0400
Received: from mail.codesourcery.com ([65.74.133.4]) by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60) (envelope-from ) id 1I6oms-0006bC-Lt for qemu-devel@nongnu.org; Fri, 06 Jul 2007 10:27:59 -0400
From: Paul Brook
Subject: Re: [Qemu-devel] suitability for extension encapsulation in firewall
Date: Fri, 6 Jul 2007 15:27:47 +0100
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200707061527.48372.paul@codesourcery.com>
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: qemu-devel@nongnu.org
Cc: "Eric S. Johansson"

On Friday 06 July 2007, Eric S. Johansson wrote:
> I'm looking for a way to encapsulate applications on a firewall (IPCop).
> My line of reasoning is an encapsulated extension environment would help
> protect the integrity of the firewall and give users greater latitude in
> creating extension applications. What I would like to do is install qemu
> as a "virtual server" residing on the DMZ/Orange network with its interface
> fully controlled by the Orange network firewall rules. I've run qemu and
> am slightly familiar with the tun/tap setup but I don't know its
> relationship to IP tables. Does it sit outside the rules like the raw
> device or inside?

If you use usermode networking it's just like any other application running
on that machine. If you use tap networking (recommended for this situation)
it's just like any other network interface.

Paul
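
The distinction drawn in the reply above, as an added ruleset fragment in iptables-save format that is not part of the original message or of IPCop's own rules: it shows which chains see guest traffic in each networking mode. The interface names `tap0` and `eth1`, the guest address `192.0.2.10`, and the account name `qemu` are assumptions made for the example.

```iptables
# Constructed example, not IPCop's rule set.
# Assumed names: tap0 = the guest's tap device on the host, eth1 = outside
# interface, 192.0.2.10 = guest address, "qemu" = account that runs QEMU.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- tap networking: the guest sits behind an ordinary interface (tap0) ---
# Guest -> the firewall host itself is filtered in INPUT.
# Here only DNS queries to the host are allowed.
-A INPUT -i tap0 -s 192.0.2.10 -p udp --dport 53 -j ACCEPT
-A INPUT -i tap0 -j DROP

# Guest <-> other networks is filtered in FORWARD, like any routed DMZ host.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Guest may open outbound HTTP connections.
-A FORWARD -i tap0 -o eth1 -s 192.0.2.10 -p tcp --dport 80 -j ACCEPT
# Outside may reach the guest's SMTP service only.
-A FORWARD -i eth1 -o tap0 -d 192.0.2.10 -p tcp --dport 25 -j ACCEPT
# Anything else from the guest is dropped, including spoofed source addresses.
-A FORWARD -i tap0 -j DROP

# --- usermode networking: there is no guest interface to match on ---
# QEMU opens ordinary host sockets on the guest's behalf, so the traffic is
# locally generated and only OUTPUT sees it. The owner match ties the rule
# to the account running QEMU (owner is valid in OUTPUT and POSTROUTING).
-A OUTPUT -m owner --uid-owner qemu -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m owner --uid-owner qemu -j DROP
COMMIT
```

The tap rules assume `tap0` is routed. If it is attached to a bridge instead, `-i tap0` no longer matches in iptables, and the rules need `-m physdev --physdev-in tap0` with bridge netfilter enabled.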