Can we run a qemu instance as a dedicated home network firewall?

Can we use a virtual qemu linux machine as a firewall for
a real home network?

I have a small network at home, with a few desktops and a DMZ and
a linux firewall machine.

Now that virtualization is working for me, via qemu, I would like to get rid
of all the old equipment that I use for little tasks.

Ie I have
1) old 486 machine F used as dedicated arno-firetables firewall.
2) old 486 machine D used as dedicated web server in DMZ.
3) plus a few workstations on a LAN call them A, B C.

Internet -> firewall machine F -> local LAN ->machines A, B, C
-> DMZ ->web server on D

1. Here F does NAT for machines A, B, C on 192.168.100.* .
2. While F gets an outside internet IP via dhcp from my cable provider.
3. F has 2 physical NIC cards.

My question is:
Can I replace F (and D) by virtual machines running on one of my desktop
machines A?

Thus internet traffic for A would not go out of the NIC directly,
it would rather go through
an internal virtual network to the virtual guest Firewall machine (called F)
, where F would get its full Internet IP from my cable modem provider,
and it F, would then do NAT for the machine A.

Thus there would might be 2 physical NICs on A, ?neither of which would
actually be used by A. Both NICs would be bridged to F, to two internal
vde_switches running on A one connected to the
cable modem via NIC1 and the second NIC2 connected
to a physical hub outside the workstation A so that
other workstation machines B and C could also use the virtual machine F
as their firewall.

A itself would connect via the local LAN network to F (its guest), by
a virtual NIC (or real NIC, or socket).

So, is it possible,
ie: does it make sense,

ie to run a virtual machine to actually
function as a firewall for the HOST itself? And to do NAT for the host.

Clearly this would be with VDE.

Thus we would have

Machine A (the Host machine) running linux
(with 2 NIC cards which would later be bridged to the
vde switchs.)

Machine A would be a full distribution install with a full workstation
capability.

Now Machine A would not be configured to connect directly to the internet
because we would want it to be firewalled by a virtual machine.

We set up a vde_switch on A.

Then we would bring up a qemu instance F (for firewall).

...

Thank you,

Mitchell Laks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages