0

I have an Ubuntu Server with 4 physical NICs. 2 of them I want to "hide" from the host, so the host itself may not access traffic on those 2 NICs, just the VM where I pass them into (passthrough).

Does someone know a good tutorial or have a quick description of what the best method is to do this?

That way my VM can act as a firewall and I have no risk of exposing the host in any way.

user654789384
  • 115
  • 1
  • 4
  • Since the host runs the VMs, hiding the NICs from the host would also hide them from the VMs. Of course, you can create firewall rules *on the host* to pass traffic to and from VMs and block all other traffic. But your plan seems to be running the firewall in the VM. – berndbausch Jan 01 '21 at 08:37
  • Can't I somehow on the host say "ifdown eth2"? – user654789384 Jan 01 '21 at 08:42
  • Sure. But I doubt any traffic will go through eth2 then. Why don't you try? I'd use *ip link set eth2 down*. – berndbausch Jan 01 '21 at 08:43

1 Answer

2

The key word is PCI passthrough. Using this method, one can bind PCI devices directly to the VM, and the host cannot see the devices at all.

This is an example of a PCI passthrough definition in virt-manager.

<hostdev mode="subsystem" type="pci" managed="yes">
  <source>
    <address domain="0x0000" bus="0x08" slot="0x00" function="0x0"/>
  </source>
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</hostdev>

To add a device to the VM in virt-manager, take the following steps:

1. Make sure the VM is shut down.
2. Open the VM details tab, and click "Add Hardware" on the left bottom.
3. Select `PCI Host Device`.
4. Select your device from the list.

After this, the device is disconnected from the host when the VM starts and is attached to the VM.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63
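
As an added example (not part of the answer above), a small Python script that builds the same `<hostdev>` element for a NIC from its `lspci` address and then checks through sysfs whether the host still has a driver or a netdev on that device, which is the property the question is really asking for. The `fake_sysfs` helper and its device table are constructed stand-ins so the check can be exercised offline; on a real host the functions read `/sys/bus/pci/devices`.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# lspci prints '08:00.0'; sysfs and libvirt use the domain-qualified '0000:08:00.0'.
PCI_ADDR_RE = re.compile(r"^(?:([0-9a-f]{4}):)?([0-9a-f]{2}):([0-9a-f]{2})\.([0-7])$", re.I)

def parse_pci_address(addr):
    """Split a PCI address into (domain, bus, slot, function) integers."""
    m = PCI_ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"not a PCI address: {addr!r}")
    domain, bus, slot, func = m.groups()
    return int(domain or "0", 16), int(bus, 16), int(slot, 16), int(func, 16)

def sysfs_name(addr):
    """Canonical sysfs directory name, e.g. '0000:08:00.0'."""
    d, b, s, f = parse_pci_address(addr)
    return f"{d:04x}:{b:02x}:{s:02x}.{f:x}"

def hostdev_xml(host_addr):
    """Emit the libvirt <hostdev> element for the host PCI address. managed='yes'
    makes libvirt unbind the host driver and bind vfio-pci when the VM starts."""
    d, b, s, f = parse_pci_address(host_addr)
    hostdev = ET.Element("hostdev", mode="subsystem", type="pci", managed="yes")
    src = ET.SubElement(hostdev, "source")
    ET.SubElement(src, "address", domain=f"0x{d:04x}", bus=f"0x{b:02x}",
                  slot=f"0x{s:02x}", function=f"0x{f:x}")
    return ET.tostring(hostdev, encoding="unicode")

def host_driver(host_addr, sysfs="/sys/bus/pci/devices"):
    """Name of the host kernel driver bound to the device, or None if unbound."""
    link = os.path.join(sysfs, sysfs_name(host_addr), "driver")
    return os.path.basename(os.readlink(link)) if os.path.islink(link) else None

def host_can_see_nic(host_addr, sysfs="/sys/bus/pci/devices"):
    """True if the host still owns the NIC: a normal network driver is bound or a
    netdev (net/<ifname>) exists. A passed-through NIC shows vfio-pci and no netdev."""
    net_dir = os.path.join(sysfs, sysfs_name(host_addr), "net")
    has_netdev = os.path.isdir(net_dir) and bool(os.listdir(net_dir))
    return has_netdev or host_driver(host_addr, sysfs) not in (None, "vfio-pci")

def fake_sysfs(devices):
    """Constructed stand-in for /sys/bus/pci/devices: {addr: (driver, [ifnames])}."""
    root = tempfile.mkdtemp()
    for addr, (driver, ifnames) in devices.items():
        dev = os.path.join(root, sysfs_name(addr))
        os.makedirs(dev)
        if driver:  # real sysfs points this symlink at /sys/bus/pci/drivers/<driver>
            os.symlink(f"../../../bus/pci/drivers/{driver}", os.path.join(dev, "driver"))
        for name in ifnames:
            os.makedirs(os.path.join(dev, "net", name))
    return root
```

Run `host_can_see_nic("08:00.0")` on the host after the VM is up: it should return False for a passed-through NIC, and True means the host still has a driver or interface on it.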