* [Qemu-devel] suitability for extension encapsulation in firewall
@ 2007-07-06 9:38 Eric S. Johansson
2007-07-06 14:27 ` Paul Brook
0 siblings, 1 reply; 3+ messages in thread
From: Eric S. Johansson @ 2007-07-06 9:38 UTC (permalink / raw)
To: qemu-devel
I'm looking for a way to encapsulate applications on a firewall (IPCop). My
line of reasoning is an encapsulated extension environment would help protect
the integrity of the firewall and give users greater latitude in creating
extension applications. What I would like to do is install qemu as a "virtual
server" residing on the DMZ/Orange network with its interface fully controlled
by the Orange network firewall rules. I've run qemu and am slightly familiar
with the tun/tap setup but I don't know its relationship to IP tables. Does it
sit outside the rules like the raw device or inside?
On a related topic, is it possible to trigger a shutdown command (or even a
reboot) and detect when the virtual machine has stopped running or had its
hardware get the reboot signal so I can shut things down cleanly?
* Re: [Qemu-devel] suitability for extension encapsulation in firewall
2007-07-06 9:38 [Qemu-devel] suitability for extension encapsulation in firewall Eric S. Johansson
@ 2007-07-06 14:27 ` Paul Brook
2007-07-06 17:36 ` [Qemu-devel] " Eric S. Johansson
0 siblings, 1 reply; 3+ messages in thread
From: Paul Brook @ 2007-07-06 14:27 UTC (permalink / raw)
To: qemu-devel; +Cc: Eric S. Johansson
On Friday 06 July 2007, Eric S. Johansson wrote:
> I'm looking for a way to encapsulate applications on a firewall (IPCop).
> My line of reasoning is an encapsulated extension environment would help
> protect the integrity of the firewall and give users greater latitude in
> creating extension applications. What I would like to do is install qemu
> as a "virtual server" residing on the DMZ/Orange network with its interface
> fully controlled by the Orange network firewall rules. I've run qemu and
> am slightly familiar with the tun/tap setup but I don't know its
> relationship to IP tables. Does it sit outside the rules like the raw
> device or inside?
If you use usermode networking it's just like any other application running on
that machine.
If you use tap networking (recommended for this situation) it's just like any
other network interface.
Paul
* [Qemu-devel] Re: suitability for extension encapsulation in firewall
2007-07-06 14:27 ` Paul Brook
@ 2007-07-06 17:36 ` Eric S. Johansson
0 siblings, 0 replies; 3+ messages in thread
From: Eric S. Johansson @ 2007-07-06 17:36 UTC (permalink / raw)
To: qemu-devel
Paul Brook wrote:
>
> If you use tap networking (recommended for this situation) it's just like any
> other network interface.
What I was looking for was the ability to place the qemu tap interface on the
same subnet as the DMZ network and outside of the firewall rules so that it
behaves exactly the same as a machine in the DMZ. That is, it is
protected/blocked by the orange network rules and can access any other machine
on the DMZ without any hindrance. I need to think about this a bit. Both in
terms of how to set up a simulated firewall environment and how I would
configure the tap interface. I can just see myself running qemu inside of qemu
and 3 virtual networks.
---eric
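
Added example, not part of the thread and not IPCop or QEMU code: where each attachment mode discussed above (usermode, routed tap, and a tap bridged onto the DMZ segment) meets netfilter, written as dry-run shell functions. The interface names `tap0` and `br-orange`, the account `qemu`, the address `192.0.2.10` and the sample policy are all assumptions.

```shell
#!/bin/sh
# Dry-run by default: commands are printed. Set APPLY=1 and run as root to apply.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Usermode networking: guest connections are ordinary sockets opened by the
# qemu process, so only the host's OUTPUT chain sees them. Match on the
# account qemu runs as (assumed to be a dedicated unprivileged user).
usermode_rules() {  # $1 = account running qemu
    run iptables -A OUTPUT -m owner --uid-owner "$1" -p tcp --dport 443 -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$1" -m conntrack --ctstate NEW -j DROP
}

# Routed tap: the tap device is a normal interface. Guest traffic addressed to
# the firewall itself hits INPUT; traffic routed onward hits FORWARD.
routed_tap_rules() {  # $1 = tap device, $2 = guest address
    run iptables -A INPUT -i "$1" -j DROP                # guest may not reach the firewall host
    run iptables -A FORWARD -i "$1" ! -s "$2" -j DROP    # drop spoofed source addresses
}

# Bridged tap: the tap joins the bridge that carries the DMZ segment, so the
# guest is on the DMZ subnet. Frames between bridge ports are switched at
# layer 2 and reach FORWARD only when bridge-nf-call-iptables is 1 (the key
# exists once the br_netfilter module is loaded). Routed traffic arrives with
# the bridge as its interface, so zone rules must name the bridge; a single
# port is matched with physdev.
bridged_tap_rules() {  # $1 = tap device, $2 = bridge holding the DMZ NIC
    run ip link set "$1" master "$2"
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-in "$1" --physdev-is-bridged -j ACCEPT
    run iptables -A FORWARD -i "$2" -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-new: "
}

# Constructed sample values; prints the commands for each mode.
usermode_rules qemu
routed_tap_rules tap0 192.0.2.10
bridged_tap_rules tap0 br-orange
```

In the bridged case, leaving `bridge-nf-call-iptables` at 0 lets guest-to-DMZ traffic bypass iptables entirely while routed traffic to other zones is still filtered on the bridge interface.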