note: I'm not sure quite where this belongs, but here will do for now.

As prompted by the thread here -> http://forums.overclockers.com.au/showthread.php?p=9344513#post9344513 I'd like to enter into discussion on the perils of running an operational smoothwall (or any other purposed distro) in a VM, purely as an intellectual exercise.

The situation I'll propose is this: one VM host, running a Windows based OS (but virtually anything applies I guess). Two network cards, one connected to the WAN and the other connected to the LAN. Now, connecting a Windows (or virtually any) box directly & unshielded to the Internet is asking for trouble, so I propose that for the WAN-NIC, all protocols other than the "VMware Bridge Protocol" be unbound from the NIC. This is the essential bit - as with minimal protocols bound, there's almost nothing to attack except for the VMware bridge protocol. I am not sure about the security implications of running this alone, but I suspect they're trivial to non-existent given the increasing popularity of VM'ing at the enterprise level. Certainly there may be exploits targeting this (already? future?), but are they any more likely to develop than an exploit attacking something else on the machine? The LAN-NIC is left at defaults such as may be used by someone at home (IPv4, Client for MS networks, F&P Sharing, QoS Packet Scheduler).

What I'm trying to get at is: with such modifications in place to the HOST OS, is running your smoothie as a VM (instead of on bare metal) really such a significant security issue? (and very preferably how!)

- Does VM networking still function if it's the only bound protocol on a NIC?
- Assuming such a setup, can you pull on a black hat and suggest how such a system might be successfully attacked?
- Is it possible to tell that a machine is VM or metal from the outside?
- Is it possible to break out of the VM sandbox and attack other VMs or host OSes through the VM, or do you have to resort to using network protocols as if the systems were hardware distinct?
- Is the VM host any more likely to be targeted than another machine inside the network?
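To check that the WAN-facing NIC really has nothing bound except the bridge protocol, here is an added audit script (example code, not from the original post or from VMware). It assumes a Windows host with the NetAdapter module (Windows 8 / Server 2012 or later) and that the WAN adapter has been renamed "WAN" in Network Connections; both names are parameters.

```powershell
# Added example: report (and optionally remove) every protocol binding on the
# WAN NIC other than the VMware Bridge Protocol, so the host itself exposes
# nothing on that interface. Assumes Windows 8 / Server 2012+ (NetAdapter module);
# the adapter name and the allowed protocol's display name are assumptions.
param(
    [string]$WanAdapter = "WAN",
    [string]$AllowedDisplayName = "VMware Bridge Protocol",
    [switch]$Enforce    # disable the unexpected bindings instead of only listing them
)

# Everything currently enabled on the WAN NIC (IPv4, Client for MS Networks,
# File & Printer Sharing, QoS Packet Scheduler, ... show up here by default).
$enabled = Get-NetAdapterBinding -Name $WanAdapter | Where-Object { $_.Enabled }

$bridge     = $enabled | Where-Object { $_.DisplayName -eq $AllowedDisplayName }
$unexpected = $enabled | Where-Object { $_.DisplayName -ne $AllowedDisplayName }

if (-not $bridge) {
    # Without the bridge protocol the VM has no path to the WAN at all.
    Write-Warning "'$AllowedDisplayName' is not bound on '$WanAdapter'."
}

if (-not $unexpected) {
    Write-Host "OK: only '$AllowedDisplayName' is bound on '$WanAdapter'."
    return
}

Write-Host "Host-side bindings still enabled on '$WanAdapter':"
# Stock Windows ComponentIDs: ms_tcpip (IPv4), ms_tcpip6 (IPv6), ms_msclient
# (Client for MS Networks), ms_server (File & Printer Sharing), ms_pacer (QoS).
$unexpected | Format-Table DisplayName, ComponentID -AutoSize

if ($Enforce) {
    foreach ($b in $unexpected) {
        Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $b.ComponentID
        Write-Host "Disabled $($b.DisplayName) ($($b.ComponentID)) on '$WanAdapter'."
    }
}
```

Run it without -Enforce first and re-run it after any driver or Windows update, since installers can re-enable bindings on every adapter.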