Ubuntu KVM - Bridge - Isolate Host from NIC

I have an Ubuntu Server with 4 physical NICs. 2 of them I want to "hide" from the host, so the host itself may not access traffic on those 2 NICs, just the VM I pass them into (passthrough).

Does someone know a good tutorial, or have a quick description of what the best method is to do this?

That way my VM can act as a firewall and I have no risk of exposing the host in any way.


The key word is PCI passthrough. Using this method, one can bind PCI devices directly to the VM, and the host cannot see the devices at all.

This is an example of a PCI passthrough definition in virt-manager.

```xml
<!-- managed="yes": libvirt detaches the device from its host driver and
     binds it to vfio-pci when the VM starts, and gives it back on shutdown -->
<hostdev mode="subsystem" type="pci" managed="yes">
  <source>
    <!-- host side: the physical device, 0000:08:00.0 in `lspci -D` notation -->
    <address domain="0x0000" bus="0x08" slot="0x00" function="0x0"/>
  </source>
  <!-- guest side: where the device appears on the VM's PCI bus -->
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</hostdev>
```

To add a device to the VM in virt-manager, take the following steps:

1. Make sure the VM is shut down.
2. Open the VM details tab, and click "Add Hardware" at the bottom left.
3. Select `PCI Host Device`.
4. Select your device from the list.

After this, the device is disconnected from the host when the VM starts and is attached to the VM.
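The host-side checks that go with the answer above, as an added shell example (not code from the original post or from libvirt): it validates the PCI address, confirms the device sits in an IOMMU group (without the IOMMU, passthrough does not confine the NIC's DMA), lists the other devices that share that group and therefore move to the VM with it, binds the NIC to vfio-pci so no host network driver owns it, and prints the `<hostdev>` fragment. The address `0000:08:00.0` is the one from the answer's XML; the function names are mine, and the `SYSFS` variable exists only so the functions can be run against a constructed fake sysfs tree without root or real hardware (on a real host, leave it at the default `/sys` and run as root).

```shell
#!/bin/sh
# Added example, not code from the original post: host-side preparation of
# one NIC for PCI passthrough on an Ubuntu KVM host.
# SYSFS defaults to the real /sys; it is a variable only so the functions
# can be exercised against a fake tree (assumption for testing).
set -eu

SYSFS="${SYSFS:-/sys}"

# Accept only the full domain:bus:slot.function form printed by `lspci -D`.
pci_addr_valid() {
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# IOMMU group number of a device. No iommu_group link means the IOMMU is
# off (intel_iommu=on / amd_iommu=on missing from the kernel command line),
# and then passthrough would not isolate the NIC's DMA from host memory.
iommu_group_of() {
    link="$SYSFS/bus/pci/devices/$1/iommu_group"
    [ -e "$link" ] || return 1
    basename "$(readlink -f "$link")"
}

# Every device in the group is assigned as a unit: vfio refuses to hand a
# device to a VM while another member is still bound to a host driver.
iommu_group_members() {
    grp=$(iommu_group_of "$1") || return 1
    ls "$SYSFS/kernel/iommu_groups/$grp/devices"
}

# Kernel driver currently bound to the device, or "none".
current_driver() {
    drv="$SYSFS/bus/pci/devices/$1/driver"
    if [ -e "$drv" ]; then basename "$(readlink -f "$drv")"; else echo none; fi
}

# Hand the device to vfio-pci now. managed="yes" makes libvirt do the same
# rebind at VM start, but the host NIC driver (igb, ixgbe, ...) still claims
# the port at boot and again after VM shutdown. To keep the host's network
# stack off it permanently, add "options vfio-pci ids=VVVV:DDDD" (vendor and
# device ID from `lspci -n`) plus "softdep igb pre: vfio-pci" (your driver's
# name) under /etc/modprobe.d/ so vfio-pci wins the probe.
bind_vfio() {
    dev="$SYSFS/bus/pci/devices/$1"
    echo vfio-pci > "$dev/driver_override"
    if [ -e "$dev/driver" ]; then
        echo "$1" > "$dev/driver/unbind"
    fi
    echo "$1" > "$SYSFS/bus/pci/drivers_probe"
}

# libvirt <hostdev> for the VM's XML. The guest-side <address> is left out;
# libvirt assigns one when it is absent.
hostdev_xml() {
    dom=${1%%:*}
    rest=${1#*:}
    bus=${rest%%:*}
    slotfn=${rest#*:}
    slot=${slotfn%.*}
    fn=${slotfn#*.}
    cat <<EOF
<hostdev mode="subsystem" type="pci" managed="yes">
  <source>
    <address domain="0x$dom" bus="0x$bus" slot="0x$slot" function="0x$fn"/>
  </source>
</hostdev>
EOF
}

# Usage (as root on the host): prepare_nic 0000:08:00.0
prepare_nic() {
    addr="$1"
    pci_addr_valid "$addr" || { echo "bad PCI address '$addr'; use the lspci -D form" >&2; return 2; }
    grp=$(iommu_group_of "$addr") || { echo "no IOMMU group for $addr: enable the IOMMU on the kernel command line" >&2; return 3; }
    echo "$addr: driver=$(current_driver "$addr") iommu_group=$grp"
    echo "devices that move to the VM together with it:"
    iommu_group_members "$addr" | sed 's/^/  /'
    bind_vfio "$addr"
    hostdev_xml "$addr"
}

if [ $# -gt 0 ]; then
    prepare_nic "$@"
fi
```

Two points the group listing is there to catch: if the NIC shares its IOMMU group with something the host needs (a SATA controller, the other two NICs), either that device goes to the VM too or the NIC cannot be assigned at all; and even after binding, the host kernel still enumerates the device in `lspci`, which is expected. What isolates it is that no host network driver is bound and the IOMMU restricts its DMA to the VM's memory.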