I want to run malware in KVM and I want to have one guest acting as a network router. The isolated bridge in virsh allows guest-to-guest and guest-to-host communication. For safety I also want to disable guest-to-host communications on the bridge network.
Here's the definition of the isolated bridge I'm currently using:
<network>
  <name>proxy-bridge</name>
  <uuid>a29b0c37-4d7b-444b-a555-b9859a2a1c93</uuid>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="52:54:00:61:96:66"/>
  <domain name="proxy-bridge"/>
</network>
The host doesn't have an IPv4 address on the bridge interface, but an IPv6 address is automatically allocated. I could completely disable IPv6 on the host as I don't require it. Still, it would be safer if all layer 2 communication was disabled. Is it possible?
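
The following audit is an added example, not part of the original post: it checks the network definition above for `<forward>` and `<ip>` elements, then lists the addresses the host actually holds on the bridge. The function names are hypothetical and the `ip -o addr show` sample is constructed to mirror the auto-allocated IPv6 address the post describes.

```python
import xml.etree.ElementTree as ET

# The network definition from the post, embedded so the example runs offline.
NETWORK_XML = """<network>
  <name>proxy-bridge</name>
  <uuid>a29b0c37-4d7b-444b-a555-b9859a2a1c93</uuid>
  <bridge name="virbr1" stp="on" delay="0"/>
  <mac address="52:54:00:61:96:66"/>
  <domain name="proxy-bridge"/>
</network>"""

# Constructed sample of `ip -o addr show` output (not captured from a real host).
IP_ADDR_SAMPLE = r"""3: virbr1    inet6 fe80::5054:ff:fe61:9666/64 scope link \       valid_lft forever preferred_lft forever
4: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0\       valid_lft forever preferred_lft forever"""


def configured_exposure(network_xml):
    """Return (bridge name, findings) for what the libvirt definition itself exposes."""
    root = ET.fromstring(network_xml)
    bridge_el = root.find("bridge")
    bridge = bridge_el.get("name") if bridge_el is not None else None
    findings = []
    if root.find("forward") is not None:
        findings.append("forward element present: network is not isolated")
    for ip in root.findall("ip"):
        findings.append("host address configured: %s" % ip.get("address"))
    return bridge, findings


def host_addresses(ip_output, dev):
    """Return [(family, address)] the host actually holds on dev."""
    found = []
    for line in ip_output.splitlines():
        fields = line.split()
        # One-line format: "<index>: <dev> <family> <address/prefix> ..."
        if len(fields) >= 4 and fields[1] == dev and fields[2] in ("inet", "inet6"):
            found.append((fields[2], fields[3]))
    return found


if __name__ == "__main__":
    bridge, findings = configured_exposure(NETWORK_XML)
    print(bridge, findings or "no <forward>, no <ip> in definition")
    for family, addr in host_addresses(IP_ADDR_SAMPLE, bridge):
        print("host reachable on %s via %s %s" % (bridge, family, addr))
```

On a live host, pass the output of `virsh net-dumpxml proxy-bridge` and `ip -o addr show` in place of the embedded samples.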