I've been successfully running such a configuration for quite a long
time. I have used both VMware Server (which is free) and VMware ESX
(which is not - and is actually overkill for what you intend to do).
I never used Xen, but the basics should be the same. With VMware Server
I used Windows 2000 as the host (as it's "thinner" than XP) but you may
use your favorite Linux distro - or BSD if you're using Xen. I recommend
you to use a stripped-down installation, with only the bare minimum
needed to run the virtualization layer (either VMware or Xen). Then,
create virtual machines where you will install everything you need.
Keeping applications off the host and running everything in VMs makes
hardware upgrades (and recovery) a piece of cake: just copy the virtual
machines to a new host and power them up.
As for networking, the trick is not to configure IP (or any other
protocol) on the host's NICs exposed to the Internet. This way, it's
almost as if the NIC does not exist and, while you can sometime attack
what you can't see, you can't attack what is not there!
You may add an extra layer of security by not having IP on the LAN
interface either, and have an isolated NIC configured specifically for
managing the host; you may the connect to it from a laptop with a
crossover cable or something alike.
Hope it helps a bit, and good luck!
-------- Mensagem Original --------
Assunto: [m0n0wall] m0n0wall&virtualization
De: Roland Giesler <roland at thegreentree dot za dot net>
Para: m0n0wall at lists dot m0n0 dot ch
Data: 23-07-2007 18:09
> Hi all,
> I would like to run m0n0wall and a spam filter (inter alia) on the same
> hardware box, but have been wondering what the best way would be to do
> Of course, the m0n0wall WAN port must be the only one accessible from the
> One way I was thinking: Xen on OpenBSD or FreeBSD and then to run
> in one VM and a Spamfilter (ESVA) in another. But that would mean
> that the
> Xen host would be "before" my firewall (as seen from the internet),
> and thus
> be vulnerable.
> If I run m0n0wall as Host, could I start a Xen VM inside it? Then I
> run ESVA in a "safe" machine and simply push all mail through it before
> delivering to the mail server.
> I could run the VM on the mailserver but the particular config at the
> site (which sort of requires that we stick to the installed Windows 2000
> server), does not allow a VM to be run in a stable manner - it actually
> makes Windows 2000 unstable. Space is also at a premium. But more than
> that, it's an idea I've been toying with for some time. If it can be
> to work, then I can build an appliance which I can just pop in at a
> site with all the stuff on it that I need
> (firewall/spamfilter/mailserver/cache/proxy). So,as you can see, I'd
> to run a few VM's on one box, with the firewall being the host OS. If I
> can't, then how close can I get to that?
> comments, ideas and suggestions most welcome.