My question is this: what are the best practices for making sure that a switch
VLAN misconfiguration issue, cabling to the wrong port, etc. doesn't
compromise the KVM server itself?
Not sure about best practice. But what about using macvtap? By default, that does not
allow host communication and only allows the guests connected to the same master to
communicate with each other.
How do I allow my KVM server to *not* be on "external", but some of its
guests to be, without compromising security?
Do not configure the interface with an IP address on the host, and make sure you do not
have daemons binding to 0.0.0.0 on the host.
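
One way to check a host against the two conditions in the reply above, as an added example that is not part of the original thread. The interface name br-ext is a hypothetical stand-in for the host side of "external", and the sample command output is constructed. Note that the kernel normally assigns an IPv6 link-local address to an interface when it comes up, so an interface with no configured address can still show one.

```shell
#!/bin/sh
# Added example: audit a KVM host for (1) any address on the external-facing
# interface and (2) daemons listening on a wildcard address.
# EXT_IF is a hypothetical interface name; change it to match the host.
EXT_IF="${EXT_IF:-br-ext}"

# stdin: `ip -o addr show` output. Prints "family address" for interface $1.
# IPv6 link-local (fe80::/10) is reported too, since it is usually auto-assigned.
addrs_on_iface() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# stdin: `ss -H -ltn` or `ss -H -lun` output (local address is field 4).
# Prints listeners bound to 0.0.0.0, [::] or *, with or without a %device suffix.
wildcard_listeners() {
    awk '$4 ~ /^(0\.0\.0\.0|\[::\]|\*)(%[^:]+)?:[0-9]+$/ { print $4 }'
}

# $1 = ip output, $2 = ss output. Prints findings; returns 1 if there are any.
audit() {
    out=$(printf '%s\n' "$1" | addrs_on_iface "$EXT_IF" | sed "s/^/ADDR-ON-$EXT_IF: /"
          printf '%s\n' "$2" | wildcard_listeners | sed 's/^/WILDCARD-LISTEN: /')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample output (not captured from a real host).
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
2: eno1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eno1
3: br-ext    inet6 fe80::5054:ff:fe12:3456/64 scope link'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.0.0.5:16509 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*'

# Demo on the constructed samples. On a real host, run instead:
#   audit "$(ip -o addr show)" "$(ss -H -ltn; ss -H -lun)"
audit "$SAMPLE_IP" "$SAMPLE_SS" || echo "findings above need review"
```

A wildcard listener is reachable through any interface that later gains an address, so each one reported should be rebound to a specific management address or firewalled on the external interface.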