 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "m0n0 list" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Monowall on Xen
 Date:  Tue, 27 Sep 2005 13:30:17 -0500
I believe the general arguments against running a firewall on a
virtualized environment are not about performance, but one of security of
the host OS (the host being the system that is running Xen, VMWare, MS
Virtual PC, bochs, etc.). If the firewall is compromised, then the host
could be compromised. The difficulty with **completely** isolating
network cards for the use of the virtualization system (Xen or
whatever) may prove to take more effort than it is worth.

As far as I know v1.2 will be 4.11 based. There was a posting that there
will be discussion on platform OS for post-1.2 releases. Someone correct
me if I am wrong...

James W. McKeand

p.s. Please reply to list so others can share in the conversation.

-----Original Message-----
From: Tomas Florian [mailto:tomas at florien dot ca] 
Sent: Tuesday, 27 September 2005 1:12 PM
To: James W. McKeand
Subject: RE: [m0n0wall] Monowall on Xen

Ya I could agree that running Monowall on VMWare would be iffy.  But Xen
seems to be much more robust 
- smaller footprint
- higher i/o performance

As for getting Soekris - I do have a couple of those for some of my
clients and it's great, but not everyone has ~$300 to spend on a router.   But a
lot of people have spare CPU cycles and memory on Linux servers.  Also even
clients who have Soekris are concerned "what will we do if the Soekris
dies?"  ... virtualization will answer all of these concerns in a very
elegant way.  

Anyways - looks like no one has tried it yet so I think I'll try my hand
at some simple mono development and create a Xen version for the monowall
image.  I think I'll have to work with one of the older betas because as
far as I know Xen doesn't work with FreeBSD 4.11.  Are there plans to
reintroduce FreeBSD 5.3 in Monowall 1.2?


-----Original Message-----
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Tuesday, September 27, 2005 6:15 AM
To: m0n0 list
Subject: RE: [m0n0wall] Monowall on Xen

Tomas Florian wrote:
> This would be very useful for me because at all the sites I have
> monowall I'm using old P1 or P2 clunkers for monowall and beside it I
> have a P4 with 1G of ram that is hardly doing anything so I was
> thinking that I could chuck the monowall box and virtualize.  And if
> the P4 dies .. then instead of bringing another box in I just
> virtualize monowall on another virtual hardware in minutes - instead
> of fishing around for a suitable P2 machine. And if I need redundancy
> in terms of seconds there is always the possibility of DRBD failover
> with heartbeat. 

Running a firewall on a VM is only recommended for testing and
development. Search the list archive for vmware to see what others have
done. Chris Buechler has some images on his site for vmware
(ChrisBuechler.com), but I'm sure he does not recommend virtualization
for a production system.

You would be better off investing in the embedded platforms like Soekris
or WRAP that have low power consumption and no moving parts. Moving
parts are the #1 source of PC failures, assuming that the power is clean.

James W. McKeand
