Gary,
Is the top of the picture (OpenBSD/pf (VirtualBox)) facing the external
network? If yes, that is where your public IP will reside. You will
have to create multiple VNICs on the first etherstub which are assigned
to the reverse proxy and Apache.
If we show VNICs as well, it will be easier to understand. I
suggest reading this blog (replace the zones with VirtualBox):
http://blogs.sun.com/sunay/entry/network_in_a_box_creating
So in Fig 1b (Crossbow Virtual network), assume that the vRouter
is your external-facing virtual box where you run OpenBSD/pf
(and this guy will have to route packets to the internal network
and to the reverse proxy and Apache as well). The client shown
will be external and you will replace vnic9 with the pNIC with the
external IP assigned to the virtual box running the first
pf. Etherstub1 shown in Fig 1b is your 1st etherstub with VNICs
assigned to Apache etc. (which can be in a zone or a virtual box).
I suggest using zones where possible if performance is a
criterion.
I think if you read the blog fully, it should be easy. I have
done pretty complicated things with zones and Xen but not with
virtual box (although others on this list have played with it).
Once you get this to work, we would appreciate you posting
the topology. We can start a user topology section on Crossbow
pages to help others as well.
Let us know if you are still stuck.
Cheers,
Sunay
Gary Bainbridge wrote:
> Would it be possible to set up a firewall using OpenBSD and pf in VirtualBox
> and have a reverse proxy server behind that and another OpenBSD and pf in
> VirtualBox behind the reverse proxy?
>
> ---------------
> OpenBSD/pf (VirtualBox)
> ---------------
>        |
> ---------------
> Reverse proxy (nginx)
> ---------------
>        |
> ---------------
> OpenBSD/pf (VirtualBox)
> ---------------
>        |             \
> -----------         ---------------
> etherstub           2nd etherstub
> -----------         ----------------
>      |                    |
> ----------------    ----------------
> web server (Apache) OpenBSD/pf (VirtualBox)
> ----------------    ------------------
>                            |
>                     -------------------
>                     Internal network (zones)
>                     --------------------
>
> Would this design work using Crossbow and VirtualBox on OpenSolaris
> 2008.11?
>
> If this wouldn't work then would it be possible or better to use
> ipf in place of OpenBSD/pf?
>
> Would the global zone have no interface and the external ISP IP goes into
> the external interface on the OpenBSD/pf external interface?
>
> Would I also gain anything by using Trusted Extensions or would that add to
> the complexity?
--
Sunay Tripathi
Distinguished Engineer
Solaris Core Operating System
Sun MicroSystems Inc.
Solaris Networking: http://www.opensolaris.org/os/community/networking
Project Crossbow: http://www.opensolaris.org/os/project/crossbow
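As an added example (not part of the thread, and not Sunay's or Gary's configuration), the dladm/zonecfg/VBoxManage command sequence that would build the etherstub-and-VNIC layout discussed above, read off Gary's diagram: one etherstub between the outer pf, nginx and the inner pf, a second for Apache, a third for the internal zones, with the pNIC bridged into the outer pf VM only so the global zone holds no external address. Stub, VNIC, VM and zone names and the pNIC name (e1000g0) are placeholders, and the VBoxManage bridged-adapter usage is assumed from VirtualBox's OpenSolaris support rather than taken from the thread. With the default DRY_RUN=1 the script only prints the plan, so it can be reviewed on any host; DRY_RUN=0 applies it as root on OpenSolaris.

```shell
#!/bin/sh
# Added example, not from the thread: build the Crossbow layout discussed
# above. stub/VNIC/VM/zone names and the pNIC name are placeholders.
# DRY_RUN=1 (default) prints each command instead of running it;
# DRY_RUN=0 runs them (needs root and OpenSolaris with Crossbow).

DRY_RUN="${DRY_RUN:-1}"
PNIC="${PNIC:-e1000g0}"   # pNIC carrying the ISP address (assumed name)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layout (one VNIC per leg; each VNIC belongs to exactly one VM or zone):
#   stub1: outer pf (vnic1) -- nginx (vnic2) -- inner pf (vnic3)
#   stub2: inner pf (vnic4) -- Apache zone (vnic5)
#   stub3: inner pf (vnic6) -- internal zone(s) (vnic7, ...)
# The pNIC is bridged into the outer pf VM only, so the global zone keeps
# no address on the external side; the guest pf owns the public IP.
build_topology() {
    run dladm create-etherstub stub1
    run dladm create-etherstub stub2
    run dladm create-etherstub stub3

    for v in 1 2 3; do run dladm create-vnic -l stub1 vnic$v; done
    for v in 4 5;   do run dladm create-vnic -l stub2 vnic$v; done
    for v in 6 7;   do run dladm create-vnic -l stub3 vnic$v; done

    # VirtualBox guests: bridged NICs over the pNIC and the VNICs
    # (assumed VBoxManage usage; VM names are placeholders).
    run VBoxManage modifyvm pf-outer --nic1 bridged --bridgeadapter1 "$PNIC" \
                                     --nic2 bridged --bridgeadapter2 vnic1
    run VBoxManage modifyvm nginx    --nic1 bridged --bridgeadapter1 vnic2
    run VBoxManage modifyvm pf-inner --nic1 bridged --bridgeadapter1 vnic3 \
                                     --nic2 bridged --bridgeadapter2 vnic4 \
                                     --nic3 bridged --bridgeadapter3 vnic6

    # Apache and an internal zone as exclusive-IP zones, each owning one
    # VNIC, which is what keeps their traffic off the global zone's stack.
    run zonecfg -z apache 'create; set zonepath=/zones/apache; set ip-type=exclusive; add net; set physical=vnic5; end'
    run zonecfg -z app1   'create; set zonepath=/zones/app1; set ip-type=exclusive; add net; set physical=vnic7; end'
}

# Check: every VNIC should sit on the intended stub, and the pNIC should
# carry no address in the global zone once the outer pf VM owns it.
show_topology() {
    run dladm show-etherstub
    run dladm show-vnic
    run dladm show-link "$PNIC"
}

build_topology
show_topology
```

Running it with the default DRY_RUN=1 prints the plan in order; review the dladm show-vnic output afterwards to confirm each VNIC is on the etherstub you intended before handing the VNICs to the guests.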