Proxmox host or VM as gateway/firewall?

r4pt0x

Jan 5, 2012
I had a little discussion with a friend about setting up a firewall/gateway with virtualization (no dedicated hardware for firewall!)

As I like it modular and variable, I'd set up a VM (KVM, no container) as firewall/gateway (shorewall), exclusively using the hardware interface connected to the outside world. Proxmox itself and all VMs would only use the (virtual) interface defined as DMZ; the LAN is connected to other hardware interfaces, exclusively connected to the firewall-VM.
This way the firewall can be easily replaced or completely removed, by only changing the device connections on the proxmox host.

His opinion was, the only secure way to do it, is by setting up the proxmox host itself as firewall/gateway as this is the "entry point" of all communication to the system, regardless of the direct mapping from physical interfaces to virtual interfaces at the firewall-VM...

I think this would be even less secure, because a firewall breach would imply a breach into the proxmox host. It would also make the disaster recovery more complicated, as I first have to reconstruct this host setup before restoring the VMs, whereas when using a firewall-VM I only have to configure the network devices and by restoring the firewall-VM I have my DMZ/local configuration back running as it was.

What are your opinions on this?
Anyone tried both and can report on pros/cons, difficulties with configuration etc?
 
I would never expose the hypervisor to the internet.

I have a pfsense running on ESXi.
First NIC is dedicated to the VM for WAN
Second NIC is shared to all other VMs for LAN
Third NIC is a dedicated link to the storage (openfiler) where the VMs are stored

If you really want it secure have a look at http://www.ipcop.org/1.4.0/en/install/html/decide-configuration.html
but then you would need a fourth and/or a fifth NIC inside depending on type of storage (local or NAS/SAN)

And you are right: If the Hypervisor is compromised, it is also possible that the VMs are compromised

greets

CC
 
The "red/green/orange/blue" layout of IPCop is roughly similar to the 3-way layout for shorewall.
My idea is to get this layout virtualized:

Code:
proxmox host:

       WAN               LAN
____________________________________
|     |eth0|            |eth1|      |
|        |                 |        |
|        |                 |        |
|     |vmbr0|              |        |
|     -------              |        |
|    | FW/GW | vmbr1 |------        |
|     -------                       |
|     |vmbr2|                       |
|        |                          |
|  ______|________________________  |
|  | DMZ                         |  |
|  |  VM  |  VM2  |  CT  |  CT2  |  |
|  -------------------------------  |
|___________________________________|

The proxmox services (ssh, apache, vnc) are all bound to vmbr1 and/or vmbr2, so they are also secured by the firewall. _ALL_ incoming and outgoing traffic has to pass the FW/GW-VM.
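
One way to check the host side of the layout in the diagram, as an added example that is not part of the thread: it parses an ifupdown-style `/etc/network/interfaces` and reports any stanza that gives the hypervisor itself an address on the WAN NIC or the bridge holding it. The sample file, the addresses and the function names are constructed for illustration; only the bridge roles (vmbr0 on eth0 for WAN, vmbr1 on eth1 for LAN, vmbr2 for DMZ) come from the diagram.

```python
# Added example; bridge roles follow the diagram, addresses are constructed.
SAMPLE = """\
iface eth0 inet manual
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2/24
    bridge_ports eth1
auto vmbr2
iface vmbr2 inet manual
    bridge_ports none
"""

def parse_ifaces(text):
    """Return {iface: [(method, {option: value}), ...]}, one tuple per stanza."""
    ifaces, opts = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            opts = {}
            ifaces.setdefault(words[1], []).append((words[3], opts))
        elif words[0] in ("auto", "allow-hotplug", "source"):
            opts = None
        elif opts is not None:  # option line inside the current stanza
            opts[words[0].replace("_", "-")] = " ".join(words[1:])
    return ifaces

def wan_exposure(text, wan_nic):
    """List ways the hypervisor itself gets an IP presence on the WAN segment."""
    ifaces = parse_ifaces(text)
    # WAN segment = the physical NIC plus every bridge that enslaves it.
    bridges = sorted({n for n, stanzas in ifaces.items() for _, o in stanzas
                      if wan_nic in o.get("bridge-ports", "").split()})
    findings = []
    for name in [wan_nic] + bridges:
        for method, o in ifaces.get(name, []):
            if method != "manual" or "address" in o:
                findings.append(f"{name}: host is configured ({method}) on the WAN side")
    if len(bridges) != 1:
        findings.append(f"{wan_nic}: expected exactly one WAN bridge, found {bridges}")
    return findings

if __name__ == "__main__":
    print(wan_exposure(SAMPLE, "eth0") or "host has no address on the WAN segment")
```

An empty result only shows that the host has no address on the WAN bridge; which addresses the Proxmox services actually listen on has to be checked separately.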
 
