I am in the process of building a new machine to replace several older servers. I am considering running several virtual servers on one box, all linux for host and virtual machines using VirtualBox.

Is it possible/advisable to configure shorewall on the host to act as a firewall for the virtual machines, each having one or more static public IP address?

Any pointers, suggestions and/or configuration information will be greatly appreciated.

--Richard

On 01/17/2012 04:39 PM, Richard B. Pyne wrote:
> I am in the process of building a new machine to replace several older
> servers. I am considering running several virtual servers on one box,
> all linux for host and virtual machines using VirtualBox.
>
> Is it possible/advisable to configure shorewall on the host to act as a
> firewall for the virtual machines, each having one or more static public IP address?

I don't know -- I'm only able to run Virtualbox under Windows 7 and OS X.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

It's not a bad idea if it works with your virtualization technology. There are several guides in the documentation section of the Shorewall site dealing with various networking technologies. You should identify the one that's closest to how your virtualization technology works (with regard to networking) and configure it.

You may end up with simply a bridge firewall. I recently did the same thing, and am of a mind that for my purposes, an individual firewall on each vm is preferable.

On 1/17/2012 16:57, Tom Eastep wrote:
> On 01/17/2012 04:39 PM, Richard B. Pyne wrote:
>> I am in the process of building a new machine to replace several older
>> servers. I am considering running several virtual servers on one box,
>> all linux for host and virtual machines using VirtualBox.
>>
>> Is it possible/advisable to configure shorewall on the host to act as a
>> firewall for the virtual machines, each having one or more static public IP address?
> I don't know -- I'm only able to run Virtualbox under Windows 7 and OS X.
>
> -Tom

Christ Schlacta wrote:
>You may end up with simply a bridge firewall. I recently did the
>same thing, and am of a mind that for my purposes, an individual
>firewall on each vm is preferable.

That's the solution I came up with as well. On my hosts I run a very basic set of iptables rules on the outside interfaces (just to protect the host from the outside), and then run Shorewall on each VM.

The biggest problem as I see it is the constantly changing network config. Each time you start or stop a VM, network ports on the bridge appear or disappear (at least with Xen).

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

Hi,

I have a physical server with Proxmox installed. Proxmox has both OpenVZ and KVM virtual servers and Shorewall is installed on the same server. Shorewall protects both Proxmox and each virtual server and handles IP traffic with arp_proxy. Physical server has one public IP address and each virtual server also has a public IP.

Before when I only had one public I was using DNAT with a private address space for virtual servers. Arp_proxy works great! Especially it works well with SIP servers that work better with public IP addresses.

From a security perspective it's better with a dedicated firewall but sometimes you don't have that opportunity.

/Måns

-----Original Message-----
From: Simon Hobson [mailto:linux@thehobsons.co.uk]
Sent: den 18 januari 2012 08:52
To: Shorewall Users
Subject: Re: [Shorewall-users] virtual serveres

Christ Schlacta wrote:
>You may end up with simply a bridge firewall. I recently did the same
>thing, and am of a mind that for my purposes, an individual firewall on
>each vm is preferable.

That's the solution I came up with as well. On my hosts I run a very basic set of iptables rules on the outside interfaces (just to protect the host from the outside), and then run Shorewall on each VM.

The biggest problem as I see it is the constantly changing network config. Each time you start or stop a VM, network ports on the bridge appear or disappear (at least with Xen).

--
Simon Hobson

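The proxy ARP arrangement described in the message above, sketched as Shorewall configuration files. This is an added example, not the poster's configuration: the interface names (eth0, vmbr1), the zone names and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, and the layout assumes the Shorewall 4.x file formats.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vm      ipv4

# /etc/shorewall/interfaces
# eth0  = physical NIC facing the provider (assumed name)
# vmbr1 = host-side bridge the guests attach to (assumed name)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
vm      vmbr1       detect      routeback

# /etc/shorewall/proxyarp
# The host answers ARP on eth0 for each guest's public address and
# routes the traffic to vmbr1, so every packet crosses the rule set.
# HAVEROUTE=no lets Shorewall add the host route to each guest itself.
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
203.0.113.11    vmbr1       eth0       no          yes
203.0.113.12    vmbr1       eth0       no          yes

# /etc/shorewall/policy
# Default deny inbound; guests and host may initiate outbound.
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
vm      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Per-guest exceptions are keyed on the guest's public address, so
# each VM gets only the services it actually offers.
#ACTION SOURCE                  DEST                PROTO   DEST PORT(S)
ACCEPT  net                     vm:203.0.113.11     tcp     80,443
ACCEPT  net                     vm:203.0.113.12     udp     5060
# Host management only from a constructed admin range
ACCEPT  net:198.51.100.0/24     fw                  tcp     22
```

Running `shorewall check` validates the files before `shorewall restart` applies them.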
> Is it possible/advisable to configure shorewall on the host to act as a
> firewall for the virtual machines, each having one or more static public IP address?

May not apply to VBox but what I did on ESXi is create a private vlan with my hosting servers and a public vlan that faces the internet. The only machine actually connected to the public vlan runs Shorewall and all traffic between the vlans runs through that.

- Bob Coffman