Hi,
I've been successfully running such a configuration for quite a long
time. I have used both VMware Server (which is free) and VMware ESX
(which is not - and is actually overkill for what you intend to do).
I never used Xen, but the basics should be the same. With VMware Server
I used Windows 2000 as the host (as it's "thinner" than XP) but you may
use your favorite Linux distro - or BSD if you're using Xen. I recommend
you use a stripped-down installation, with only the bare minimum
needed to run the virtualization layer (either VMware or Xen). Then,
create virtual machines where you will install everything you need.
Keeping applications off the host and running everything in VMs makes
hardware upgrades (and recovery) a piece of cake: just copy the virtual
machines to a new host and power them up.
As for networking, the trick is not to configure IP (or any other
protocol) on the host's NICs exposed to the Internet. This way, it's
almost as if the NIC does not exist and, while you can sometimes attack
what you can't see, you can't attack what is not there!
You may add an extra layer of security by not having IP on the LAN
interface either, and have an isolated NIC configured specifically for
managing the host; you may then connect to it from a laptop with a
crossover cable or something similar.
Hope it helps a bit, and good luck!
Paulo
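The host-NIC rule above, turned into an audit check. This is an added example, not code from the thread or from m0n0wall: it parses `ip -o addr show` style output (one line per address, field 2 the interface name, field 3 the family) and names any NIC that is supposed to be bridge-only for the VMs but still carries an address. The sample output and the interface names eth0/eth1/eth2 are constructed.

```shell
#!/bin/sh
# Constructed sample of `ip -o addr show` output on a hypothetical host:
# eth0 is the Internet-facing NIC (bridged to the firewall VM only, so no
# address), eth1 is the LAN NIC that was mistakenly given an address, and
# eth2 is the isolated management NIC reached via a crossover cable.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
4: eth2    inet 10.99.0.1/30 scope global eth2\       valid_lft forever preferred_lft forever'

# Print the names of those NICs in $2 (space-separated list of interfaces
# that should be bridge-only) which still have an inet/inet6 address in $1.
ip_on_bridged_nics() {
    addr_output=$1
    nics=$2
    found=""
    for nic in $nics; do
        # awk exits 0 when at least one address line belongs to this NIC.
        if printf '%s\n' "$addr_output" | awk -v n="$nic" \
            '$2 == n && ($3 == "inet" || $3 == "inet6") { hit = 1 }
             END { exit hit ? 0 : 1 }'; then
            found="$found $nic"
        fi
    done
    printf '%s\n' "${found# }"
}

# Exit status helper for scripts/cron: 0 if the bridged NICs are clean,
# 1 if any of them carries an address.
check_bridged_nics() {
    [ -z "$(ip_on_bridged_nics "$1" "$2")" ]
}

# Stand-alone run against the constructed sample.
ip_on_bridged_nics "$SAMPLE_IP_ADDR" "eth0 eth1"
```

On a live host replace the sample with `"$(ip -o addr show)"` and list the WAN (and, if you follow the extra step, LAN) interfaces as the second argument.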
-------- Original Message --------
Subject: [m0n0wall] m0n0wall&virtualization
From: Roland Giesler <roland at thegreentree dot za dot net>
To: m0n0wall at lists dot m0n0 dot ch
Date: 23-07-2007 18:09
> Hi all,
>
> I would like to run m0n0wall and a spam filter (inter alia) on the same
> hardware box, but have been wondering what the best way would be to do
> this.
>
> Of course, the m0n0wall WAN port must be the only one accessible from the
> outside/internet.
>
> One way I was thinking: Xen on OpenBSD or FreeBSD and then to run
> m0n0wall in one VM and a Spamfilter (ESVA) in another. But that would
> mean that the Xen host would be "before" my firewall (as seen from the
> internet), and thus be vulnerable.
>
> If I run m0n0wall as Host, could I start a Xen VM inside it? Then I
> could run ESVA in a "safe" machine and simply push all mail through it
> before delivering to the mail server.
>
> I could run the VM on the mailserver but the particular config at the
> client site (which sort of requires that we stick to the installed
> Windows 2000 server), does not allow a VM to be run in a stable manner -
> it actually makes Windows 2000 unstable. Space is also at a premium. But
> more than that, it's an idea I've been toying with for some time. If it
> can be made to work, then I can build an appliance which I can just pop
> in at a client site with all the stuff on it that I need
> (firewall/spamfilter/mailserver/cache/proxy). So, as you can see, I'd
> like to run a few VMs on one box, with the firewall being the host OS.
> If I can't, then how close can I get to that?
>
> Comments, ideas and suggestions most welcome.
>
> Thanks
>