To run a Firewall in a VE

Elmer

New Member
Nov 5, 2008
Hello,

My purpose is to set up a firewall in a VE to protect all the other VEs and the host itself. So I would set the public IP + a private IP to a "firewall VE". And the host would have a private IP.

Internet ---> VE Firewall ---> Other VEs & Host.

I hope I was clear enough.

Do you think it should work? Do you think it's a good idea?

Now I have 2 questions:
1) Is it true I cannot use (bridged) OpenVZ for my firewall VE, because OpenVZ uses the same kernel as the host? I can only use bridged KVM?
2) Is there any risk of a bottleneck for my complete box? Actually I use a bonded 2x100mb/s for the host connection. I'm scared the internal connection of the firewall VE would cap all my traffic?


Thanks
elmer
 

You cannot protect the host if you run a firewall as a guest, so you also need a firewall on the host.
 
Why?
Since every IP packet would pass through the firewall VE before reaching the OS of the host (Proxmox), the host would be protected, wouldn't it?


Here is the same project: http://www.prevelakis.net/Papers/VirtualFirewall.pdf
And apparently, it's working well.

"So the question is really why a separate firewall on a virtual machine, rather than a firewall as part of the base OS. It is fair to say that keeping the firewall separate simplifies its administration, as its configuration and maintenance is completely separate from that of the rest of the OS. This allows the management of the firewall to be carried out without requiring the cooperation of the workstation user which may be a considerable advantage in centrally managed environments."
 

No. If you read the PDF, there is a sentence:

"The host operating system has minimal access to the network (enough to support bridging between the guest VM running the Virtual Firewall and the network)"

Proxmox VE has full access to the network, therefore you need a firewall on Proxmox VE.


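
The point made in the reply above, that the host still needs its own packet filter even when a firewall VE sits in front of the guests, can be sketched as a default-deny INPUT policy on the host. This is an added example, not part of the original thread or of Proxmox's own tooling; the bridge name `vmbr1`, the subnet `10.10.0.0/24` and the ports 22 and 443 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the hypervisor host itself.
# Assumptions (not from the thread): vmbr1 is the internal bridge behind the
# firewall VE, 10.10.0.0/24 is the private management subnet, and SSH (22) and
# HTTPS (443) are the only host services administrators need to reach.

host_ruleset() {
    mgmt_if=$1      # internal bridge that carries the host's private IP
    mgmt_net=$2     # private subnet allowed to manage the host
    shift 2         # remaining arguments: allowed TCP ports

    # Validate every port before printing anything, so a bad argument
    # never yields a half-written ruleset.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
    done

    echo '*filter'
    # Default-deny for packets addressed to the host, on every interface,
    # including the bridge that faces the Internet.
    echo ':INPUT DROP [0:0]'
    # Guest traffic crossing the bridges is left to the firewall VE.
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host itself opened (updates, DNS, NTP).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -i $mgmt_if -s $mgmt_net -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for review; as root it can be piped to iptables-restore.
host_ruleset vmbr1 10.10.0.0/24 22 443
```

Because the policy is applied to the host's own INPUT chain, it holds even if the firewall VE is stopped, misconfigured or bypassed through the external bridge.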
 
