Virtual PFSense | Security Question | Prevent Host from initializing PCIE Network Card during boot / when passed through vm is not running

[Anotheruser]

Quick question for an upcoming project.
I am planning to run a pfsense vm on a proxmox host with several pcie nics passed through (the host is only going to have two vms, pfsense and a dns server).
Yes, i already looked through all the pros / cons of running it baremetal vs virtual and decided mostly for management reasons but also due to additional isolation for security reasons to go with virtual. Additionally i am planing to use a Z590 board with mostly intel nics probably two xxv710-da2 and one or two four port 2.5 or 1G nics for low speed wan.

What is the best way to isolate the pcie nics from the host in therms of security?

How to protect the host when it has the WAN facing pcie nics while the firewall vm is not running during boot?

Since there is no ip assigned to the network ports of the passed through nic in the /etc/network/interfaces the proxmox interface / ssh will obviously not be available on it, but is this enough? Technically unfiltered data packets from the internet will still arrive at the host, but just be ignored, right?

Would it increase security to disable / blacklist the drivers of the nics on the host similar to how it is done with single gpu passthough?

Is there a way to fully disable pcie devices until the vm starts up? (cut power to the pcie slots)

Thanks for any suggestions

 

[leesteken]

How to protect the host when it has the WAN facing pcie nics while the firewall vm is not running during boot?

Early bind the device to vfio-pci and it cannot be used by the real driver (add a softdep to make sure vfio-pci loads first).

Would it increase security to disable / blacklist the drivers of the nics on the host similar to how it is done with single gpu passthough?

No need when using early binding to vfio-pci. Blacklist would have no effect, except also disabling other devices that use the same driver.

Is there a way to fully disable pcie devices until the vm starts up? (cut power to the pcie slots)

Probably but i would only further investigate that when there is a known (but maybe still theoretical) attack against (your) network device (when the actual driver is not loaded).

EDIT: Or maybe your VM becomes more vulnerable because of the PCIe passthrough (because you are breaking the hardware abstraction of virtualization) and you might be better of with normal VirtIO driver and keeping your Proxmox and pfSense up to date...

 

[Anotheruser]

EDIT: Or maybe your VM becomes more vulnerable because of the PCIe passthrough (because you are breaking the hardware abstraction of virtualization) and you might be better of with normal VirtIO driver and keeping your Proxmox and pfSense up to date...

Thanks for the detailed responds!

The thing is i already thought about using virtio network in the vm and thereby fully abstracting the hardware from the vm, but from my tests so far and what i read from others this is A going to add even more complexity and things to go wrong and B limiting performance by quite a lot, specially above 10G and in scenarios with a lot of pps.
Also another one of my main reasons to with a solution like this instead of sth custom / purpose built is the ability to switch firewall / routing software easily as needed and i am already thinking about maybe running some hybrid solution with pfsense and tnsr in the long run, and if i do that the slowdown of virtio nics will be even more severe.