Out of curiosity, would it be pointless/wasteful/silly to put a firewall as a VM guest (regardless of VM host - ESX, Xen, Hyper-V, etc. etc.) and redirect all traffic from other VM guests through the firewall VM guest?
I'm not sure if other people/organizations practice this or not. I know resources might be constrained (CPU, RAM, Disk/Net I/O) depending on whatever traffic may pass, but are there any other scenarios or situations where placing a firewall as a guest VM and having the other guest VMs route through it is better than, or comparable to, an external box outside the VM host?
In terms of performance, I realize that being a guest VM resource usage will affect other guests but aside from that, am I missing anything? Security, best practices, common sense?
Any thoughts, comments or criticisms are welcome.
This is a very common configuration often called "DMZ in a box". Here's a VMware whitepaper that discusses the various levels of collapsing DMZs using virtual infrastructure.
VMware's vSphere builds on some of these ideas and extends them with a product called vShield Zones.
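As an added illustration of the "DMZ in a box" layout described above (this is example code written for this page, not code from the original thread, from VMware or from vShield Zones): the zones live on separate, isolated virtual switches, only the firewall guest has a vNIC on each of them, and every other guest sits in exactly one zone so that all inter-zone traffic has to transit the firewall. The guest names, switch names, the zone-named interfaces inside the firewall guest and the port policy are all constructed assumptions. The script checks an inventory for guests that would bypass the firewall (dual-homed across zones, or on a switch outside every zone) and renders the firewall guest's forward policy as an nftables chain.

```python
"""
Added illustrative model of a "DMZ in a box" (not code from the original
thread, VMware or vShield Zones). Zones live on isolated virtual switches;
only the firewall guest has a vNIC on every switch. Guest, switch and
interface names are constructed for the example.
"""

# Zone -> isolated virtual switch it lives on (constructed names).
ZONE_SWITCH = {"wan": "vs-wan", "dmz": "vs-dmz", "lan": "vs-lan"}
SWITCH_ZONE = {s: z for z, s in ZONE_SWITCH.items()}

# Forward policy enforced by the firewall guest: (src zone, dst zone) -> TCP
# ports allowed for new connections. Anything absent is dropped.
# Note there is deliberately no ("dmz", "lan") entry: a compromised web host
# gets no path into the internal zone.
POLICY = {
    ("wan", "dmz"): {80, 443},      # internet -> web tier
    ("lan", "dmz"): {22, 80, 443},  # admins -> web tier
    ("lan", "wan"): {80, 443},      # internal browsing
}

# Hypothetical inventory: guest -> set of virtual switches its vNICs attach to.
INVENTORY = {
    "fw01":  {"vs-wan", "vs-dmz", "vs-lan"},
    "web01": {"vs-dmz"},
    "db01":  {"vs-lan"},
    "app01": {"vs-dmz", "vs-lan"},  # misconfigured: bridges around fw01
    "old01": {"vs-legacy"},         # on a switch outside every zone
}


def is_allowed(src_zone, dst_zone, port):
    """True if a new TCP connection src_zone -> dst_zone:port is permitted.
    Intra-zone traffic never reaches the firewall, so it is always allowed here."""
    if src_zone == dst_zone:
        return True
    return port in POLICY.get((src_zone, dst_zone), set())


def check_isolation(inventory, firewall):
    """Return (guest, problem) pairs for every guest whose vNIC placement lets
    traffic bypass the firewall, plus the firewall itself if it is missing a
    foot in some zone."""
    findings = []
    missing = sorted(set(ZONE_SWITCH.values()) - inventory.get(firewall, set()))
    if missing:
        findings.append((firewall, "missing vNIC on " + ",".join(missing)))
    for guest, switches in sorted(inventory.items()):
        if guest == firewall:
            continue
        zones = {SWITCH_ZONE[s] for s in switches if s in SWITCH_ZONE}
        unknown = sorted(s for s in switches if s not in SWITCH_ZONE)
        if len(zones) > 1:
            # A dual-homed guest is a second router between zones.
            findings.append((guest, "spans zones " + ",".join(sorted(zones))))
        if unknown:
            findings.append((guest, "on non-zone switch " + ",".join(unknown)))
    return findings


def render_nft(policy):
    """Render the policy as an nftables forward chain for the firewall guest.
    Assumes its vNICs are named after the zones (wan, dmz, lan)."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), ports in sorted(policy.items()):
        portset = ", ".join(str(p) for p in sorted(ports))
        lines.append(
            f'    iifname "{src}" oifname "{dst}" tcp dport {{ {portset} }} accept'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for guest, problem in check_isolation(INVENTORY, "fw01"):
        print(f"{guest}: {problem}")
    print(render_nft(POLICY))
```

Run against the constructed inventory it flags app01 (dual-homed across dmz and lan) and old01 (on a switch no zone owns); both are placements that quietly defeat the virtual firewall regardless of how good its ruleset is. The inventory itself would come from the hypervisor's own API or CLI in practice; that part is left out here.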