hi,
You're aware that PCI passthrough is insecure? Someone who gets root
access to a guest can reprogram the NICs (trivially) to read or write
any area of memory in any guest or the dom0. This might be pertinent
information if you were expecting your firewall to provide isolation.
nope. 1st i'm hearing of it ... not that i haven't looked :-/ sigh.
hrm.
so, although this is "just" a RH/Fedora forum, but xen focussed, let
me then ask ...
i *want* a distro with
-- X86_64/SMP (AMD multicore) support
-- Xen 3.2.x builds & runs both in Dom0 & DomU
-- capable of deploying a FW in DomU that does not suffer
NIC-performance degradation -- or (apparently) security holes
-- stable core that'll keep us 'supported' (e.g., *not* the Fedora
scenario i'm now facing; feature-incomplete until, perhaps, F10+, @
which point F8 -- which we're "stuck" on is unsupported)
-- app repos (rpm, srpm, other ...) that are safe/available/reliable
for full releases (one example, Bind 9.4.2, which seems to be tough to
find for RHEL/Centos 5.1)
*can* i (yet) "have it all"? iiuc, "no" ....