How to secure a bridged interface

ernie
Sep 17, 2009
I'm thinking about migrating from a hardware firewall/router to pfSense, a software solution. So, I set up a test environment using KVM in Proxmox to benchmark things, and once I'm happy with pfSense I'll purchase dedicated hardware to put in front of the other hardware. So now my problem is that I'm not really sure how secure my temporary setup will be, and I was wondering if anyone has had a similar setup and could share their iptables rules or other tips to secure the Proxmox host.

Here's the configuration on the proxmox host:
WAN -> eth1 -> vmbr1 (no ip) -> pfSense WAN (KVM with public IPs)
pfSense LAN (private net default gateway) -> vmbr0 (private net) -> eth0 -> Internal network

So as you can see I'll have one Proxmox host connected directly to the internet via eth1, which is in the bridge vmbr1, with no IP addresses assigned to that bridge, only to the VM attached to it. The KVM pfSense VM will then be set up as the default gateway for a few internal test machines to benchmark and see how well pfSense works.

Questions:
1) Are there ways to gain access directly to the Proxmox host via eth1?

2) Are there iptables rules I can set up on the Proxmox host to prevent those threats while still allowing traffic to be bridged to the KVM firewall/router?

Any help/feedback would be greatly appreciated.

Thanks,
Ernie
 
Hi Ernie,
such a solution is not recommended. For security reasons you should always use dedicated firewalls (this is the theory). But I also use a similar scenario for second-level firewalls and it works quite well (this is the practice).
Under normal conditions your host is safe, because you don't have an IP on the NIC, and also no services which are reachable over this connection. But if the IP stack has a bug, perhaps attacks are possible (code execution due to a buffer overflow, DDoS, ...).

To my understanding, iptables rules without an IP on the NIC make no sense... or rather don't improve the security (but perhaps somebody knows better).

Udo
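To make Ernie's two questions and Udo's "no IP on the NIC" point concrete, here is an added example of the host-side lockdown for this setup. It is my own script, not code from the thread, from pfSense or from Proxmox. It assumes the names from the post (eth1 inside vmbr1 facing the WAN, vmbr0 as the private network and the only place the host should be managed from) and that the host's SSH and web UI are the only services that need to stay reachable; the web UI port 8006 is an assumption about the Proxmox release in use. The reason host rules still matter: an interface with no IPv4 address still gets an IPv6 link-local address and answers neighbour discovery on it, and with the default arp_ignore=0 Linux answers ARP requests for any address the host owns on any interface, so the WAN bridge is not silent until those are switched off as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox.
# Keeps the host's own TCP/IP stack off the WAN-facing bridge while frames
# for the pfSense VM are still bridged untouched.
# Assumed names (from the post): WAN is eth1 inside vmbr1; the private
# network and host management sit on vmbr0.
# Usage: ./host-lockdown.sh          prints the sysctls and rules (dry run)
#        ./host-lockdown.sh apply    loads them (root required)
set -eu

WAN_BR="${WAN_BR:-vmbr1}"
WAN_NIC="${WAN_NIC:-eth1}"
MGMT_BR="${MGMT_BR:-vmbr0}"

# Kernel settings for the WAN side. "No IP on the bridge" only covers IPv4:
# the kernel still assigns an IPv6 link-local address to the bridge and
# answers neighbour discovery on it, and with the default arp_ignore=0 it
# answers ARP requests for any address the host owns on any interface.
# bridge-nf-call-iptables=0 keeps bridged frames out of the host's iptables
# FORWARD chain, so the rules below cannot interfere with what pfSense
# forwards (the key exists only while the bridge netfilter module is loaded).
wan_sysctls() {
  cat <<EOF
net.ipv6.conf.${WAN_BR}.disable_ipv6=1
net.ipv6.conf.${WAN_NIC}.disable_ipv6=1
net.ipv4.conf.${WAN_BR}.arp_ignore=8
net.bridge.bridge-nf-call-iptables=0
EOF
}

# Host-stack rules. -i/-o name the bridge, not the port: a frame that a bridge
# port hands up to the local stack arrives on ${WAN_BR}, not on ${WAN_NIC}.
host_rules() {
  cat <<EOF
# nothing in, nothing out, on the WAN bridge for the host itself (v4 and v6)
iptables -A INPUT -i ${WAN_BR} -j DROP
iptables -A OUTPUT -o ${WAN_BR} -j DROP
ip6tables -A INPUT -i ${WAN_BR} -j DROP
ip6tables -A OUTPUT -o ${WAN_BR} -j DROP
# management only from the private side: SSH and the Proxmox web UI
# (port 8006 is assumed; adjust for your release)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${MGMT_BR} -p tcp -m multiport --dports 22,8006 -j ACCEPT
iptables -A INPUT -i ${MGMT_BR} -p icmp -j ACCEPT
iptables -P INPUT DROP
# FORWARD stays ACCEPT: with bridge-nf-call-iptables=0 bridged traffic
# never enters it, so a DROP policy there would gain nothing and a stray
# rule could cut the pfSense VM off.
EOF
}

apply_all() {
  wan_sysctls | while read -r kv; do
    sysctl -q -w "$kv" || echo "warning: could not set $kv" >&2
  done
  host_rules | sh -e
}

case "${1:-show}" in
  show)  wan_sysctls; host_rules ;;
  apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
         apply_all ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats on what this buys you. The INPUT rules only cover the layers above the netfilter hook; a bug in the link-layer or IP receive path is reached before them, which is why disabling IPv6 on the WAN side and arp_ignore=8 remove more attack surface than the iptables lines do. And if bridge-nf-call-iptables is left at 1, bridged frames do traverse FORWARD, so a restrictive FORWARD policy on the host would silently break the pfSense VM. Proxmox VE 3.3 and later ship their own pve-firewall; on those releases the host rules belong there rather than in a hand-run script.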
 
That's what I figured... but it's always good to get more feedback.

You wouldn't know of any good cheap hardware firewall/routers that can handle 20 WAN IPs with various NAT rules? My current ISP provided router supports the IPs, but isn't really configurable when it comes to NAT rules. And they keep updating the firmware and wiping out my rules. I was looking at replacing the firmware with DD-WRT or something similar but then I found pfSense and it has a lot of good features.
 
You should check mikrotik routerboards; I use the RB 450G (I can get them for about 80 Euro where I live, case and power supply included) with great success. Firewall, vpn servers, these little things can handle a lot of traffic, fast.

I have even some cases where I use two to manage virtual IPs (Public Internet, and internal, "default gateway"), to load balance and to failover if one link fails or the router power supply decides to die. Great stuff, loads of examples on the site.
 
Hi,
nice hardware. What kind of firewall runs on this box? Is it possible to use Firewall Builder for the rules and put the (iptables) script on the firewall? Or must I use their own GUI/program?

So far I have used fwbuilder http://www.fwbuilder.org/ to manage the rule sets of the different firewalls and commit them to the boxes (a live-CD distro called Devil-Linux). Devil-Linux needs i386 hardware and I assume the RouterBoard doesn't run on an Atom CPU.

Udo
 
Hi,

I use mine with the supplied RouterOS. I think it is based on Linux, but you never get to be root on it: it comes with a shell that simplifies the configuration, and even has a "safe mode" where it will roll back the latest changes if you lose connection to it.

There is also a Windows GUI (Winbox) and a management system ("The Dude"), but I haven't used them much, so I can't compare them with fwbuilder. Actually, I can't compare anything to fwbuilder: I know that those kinds of utilities exist, but I am a "dinosaur" and can't get out of the habit of managing iptables manually :D

Check out the mikrotik downloads page, there are some nice utilities for Windows there.

You can also download routerOS for x86, and give it a try on a VM, just to get a feel of it.

Anyway, a quick Google search found someone who managed to get Debian on RouterBoards... But I would recommend you give RouterOS a chance.
 
