Firewall policies question

decibel83

Renowned Member
Oct 15, 2008
Hi.
I have about 10 KVM virtual machines on my production Proxmox environment, and now I want to think about some firewall policies, and I want to discuss that with you.
One way could be to install Shorewall on my Proxmox installation, or to install a pfSense virtual machine which uses a bridged interface for the WAN and another bridged interface for the LAN, and have all my virtual machines on that bridged interface on the pfSense's LAN network. But I'd need to use 1:1 NAT and I don't want this, because I want the IP addresses to be assigned on the virtual machine.
Another way could be using a separate bridged interface for each virtual machine and using Shorewall on Proxmox or pfSense on another virtual machine to make some packet filtering rules and some accounting.

Do you have any suggestion?

Thank you very much for your help!
Bye.
 
I always suggest to use an external firewall. And use a separate PVE cluster for each security domain.

- Dietmar
 
I cannot use an external firewall at the moment because I only have 1U in the webfarm.
How do you think I can solve my problem?
 
I used pfSense in KVM for a test in the past and it worked correctly! But if your PVE is connected directly to the Internet (not recommended) then you need to add a firewall directly in PVE. If you don't know how to manage IP chains you can install Webmin and create the rules from there - it's easy, I think!
 
I used pfSense in KVM for a test in the past and it worked correctly! But if your PVE is connected directly to the Internet (not recommended) then you need to add a firewall directly in PVE. If you don't know how to manage IP chains you can install Webmin and create the rules from there - it's easy, I think!

My PVE is directly on the Internet.
I could install Shorewall on PVE and configure rules on it, but if I do this I will need to activate a new bridged interface for each VM on PVE if I want to monitor the traffic between the Internet and the VMs, right?
 
no... why?

My PVE is directly on the Internet.
I could install Shorewall on PVE and configure rules on it, but if I do this I will need to activate a new bridged interface for each VM on PVE if I want to monitor the traffic between the Internet and the VMs, right?

Why do you need to install another interface (bridge)?

Diaolin
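As an added example that is not from this thread or from Proxmox, this answers the bridge-per-VM question above: with the iptables physdev match every guest can stay on one bridge and still get its own policy plus traffic counters. It assumes Proxmox's tap<VMID>i0 naming for a guest's bridge port and that br_netfilter is enabled so bridged frames pass through the host's FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread): per-VM filtering and accounting on a
# single Proxmox bridge using "-m physdev", instead of one bridge per VM.
# Assumptions: the guest's first NIC is bridge port tap<VMID>i0, and
# net.bridge.bridge-nf-call-iptables=1 is set so bridged traffic hits FORWARD.

# vm_rules VMID "proto:port ..." -> prints iptables commands that allow only
# the listed inbound services to that VM and log + drop everything else.
vm_rules() {
    vmid=$1
    services=$2
    port="tap${vmid}i0"
    chain="VM${vmid}_IN"
    printf 'iptables -N %s\n' "$chain"
    # Frames leaving the bridge towards this guest's tap port -> its own chain.
    printf 'iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out %s -j %s\n' \
        "$port" "$chain"
    printf 'iptables -A %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    for svc in $services; do
        proto=${svc%%:*}
        dport=${svc#*:}
        printf 'iptables -A %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$proto" "$dport"
    done
    # Rate-limited logging so a scan cannot flood the host's syslog.
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "%s DROP "\n' \
        "$chain" "$chain"
    printf 'iptables -A %s -j DROP\n' "$chain"
}

# vm_accounting VMID -> rules without a target only count packets and bytes
# per direction; read the counters with: iptables -L FORWARD -v -n -x
vm_accounting() {
    port="tap${1}i0"
    printf 'iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in %s\n' "$port"
    printf 'iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out %s\n' "$port"
}

# Script usage as root on the PVE host:  sh vmfw.sh 101 "tcp:22 tcp:443" | sh
if [ $# -ge 2 ]; then
    vm_accounting "$1"
    vm_rules "$1" "$2"
fi
```

Print the output first and review it before piping it into sh; the accounting rules are emitted before the jump so the counters also cover the packets that the per-VM chain later drops.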
 
Why do you need to install another interface (bridge)?
Diaolin

I'm thinking that when I tried a similar configuration with Xen about two years ago I needed to use a bridge interface to use different policies for each VM, but perhaps I remember wrong..
Let me check those old scripts and refresh my mind, Mr. Diaolin.. :-)
 
I keep my opinion: keep PVE as a virtual env. and create another external firewall. You can transform an old PC (less than a P3 at 1000MHz with 256MB RAM) into a powerful firewall (try Vyatta or pfSense).

We don't know what the exact configuration in your location is, but try to be reasonable ... for a production system it's not recommended to use PVE as a firewall too.

If you want to do it only for testing ... share the results!
 
Hi, I'd like to hook onto this thread, because I am currently trying to achieve a similar thing.

Assuming I have eth0 and eth1 on my host, wouldn't it be possible to add eth1 (external/untrusted) to the firewall VM with:
Code:
vzctl set 101 --netdev_add eth1 --save
and veth (bridged, internal network) and venet (internal VMs), and manage them through the firewall interface?

At least the external stuff should be safe, wouldn't it?