 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Why should one not use Monowall for production systems on a VM Platform
 Date:  Tue, 9 Sep 2008 17:47:26 -0400
On Tue, Sep 9, 2008 at 12:48 PM, Jeff Rhys-Jones
<jeff at acc dash international dot co dot uk> wrote:
> I have taken a good look at Monowall and think it's a great bit of coding.
> Monowall has a very small OS footprint, and is therefore ideal to run in
> virtual environments.
>
> Initially I was very excited about the VMWare version of Monowall, as I can
> see a clear need for people to use Firewall VM appliances. It's a hot topic
> right now.
>
> However, on reading the manual - it could not be spelt out clearer, the
> message is this: DO NOT USE IT FOR PRODUCTION!
>
> What I would really like to know is - why?
>

That's a little strongly worded (I wrote it); I'll have to expand that
section with further clarification. The primary reason for the strong
wording is so people don't do stupid things, like use VMware
Workstation or Player on their PC as a production firewall. That
leaves you open to configuration mistakes leaving your PC wide open on
the Internet.

With ESX it's much less of a concern, though that depends on the
environment. In high security environments I would never recommend
mixing VMs or networks of differing trust levels on the same server,
whether ESX or any other hypervisor. Given the very good security
track record of ESX, I wouldn't hesitate to run even your perimeter
Internet firewall in ESX in many environments.

-Chris