Problem with bridging interfaces for firewall software with VMware Server on Ubuntu Server.

InlineFive

Diamond Member
Sep 20, 2003
Hello everyone,

First, at the most basic level, I have a computer running Ubuntu Server 7.04 with three NICs.
Installed on that computer is VMware Server 1.0.3.
Installed as a VM is Astaro Security Linux 7.006.

The VMnets are configured as follows:

vmnet0 bridged to eth0
vmnet1 is host-only
vmnet2 bridged to eth1
vmnet8 is NAT

The system interface configuration is as such:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The LAN network interface
auto eth0
iface eth0 inet static
    address 172.31.16.5
    netmask 255.255.255.0
    network 172.31.16.0
    broadcast 172.31.16.255
    gateway 172.31.16.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 172.31.16.1

# The WAN network interface
auto eth1
iface eth1 inet dhcp

This is where my problem comes into play. The Astaro VM cannot acquire an IP address on eth1 via vmnet2 until interface eth1 is assigned an IP address. But I only want the Astaro vmnet2 NIC to have an IP address. The system should not have an IP address. All traffic should be transparent to the system and go directly to the "virtual NIC" on the Astaro VM.

I read somewhere about being able to disable all services for an adapter except for the VMware Bridging Protocol but I'm not sure where this is done.

If I set the IP address statically for eth1 to 0.0.0.0 for address, netmask, network and broadcast, the Astaro VM can receive an IP. But I honestly don't know if this could be considered "secure".

Any ideas? Hopefully I'm not the only one who has done this with their network firewall.

Cheers,
I5
 

cleverhandle

Diamond Member
Dec 17, 2001
Originally posted by: InlineFive
This is where my problem comes into play. The Astaro VM cannot acquire an IP address on eth1 via vmnet2 until interface eth1 is assigned an IP address... If I set the IP address statically for eth1 to 0.0.0.0 for address, netmask, network and broadcast, the Astaro VM can receive an IP. But I honestly don't know if this could be considered "secure".
Why not? The adapter won't be receiving any packets on its own behalf with a 0.0.0.0 address, and packets are going to physically pass through it one way or another. Also, are you positive you need the IP address on eth1? What if you set eth1's method to "manual" (read the man page on interfaces if you haven't already) and then bring it up manually via ifconfig without ever assigning an IP? I was planning on doing something similar to this (for a different purpose, though) with VMware, so I'm curious whether there's really no way to do it without an address. But in any event, I don't see the problem with 0.0.0.0 if that's what it takes.

However, while I see what you're trying to accomplish here (getting your firewall on the same physical box as other things), I would be uncomfortable doing this. If there's one thing on the network that I want truly isolated and simplified as much as possible, it's the Internet-facing firewall. I'm doing a bunch of server consolidation and reconfiguration with VMware right now myself, but the firewall still stands alone. I would also have some questions about whether a VM'd firewall can effectively do wire-speed packet filtering when it's sharing a virtual interface.
 

drag

Elite Member
Jul 4, 2002
Setting the address to 0.0.0.0 is perfectly acceptable. It's just how things are done in Linux-land.


I don't know about any proprietary bridging application in VMware... personally I am perfectly happy with the speed and convenience provided by Qemu combined with Kqemu or KVM acceleration with the Qemu-launcher GUI application. But to each their own.

So when I have to do bridging I just do it the Linux-way with bridging utilities.

with the bridge-utils...
brctl addbr br0
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

More-or-less. It's been a while. Works the same way with virtual devices.

Now you can give br0 an IP address or not. If you do not, then you can't access the machine remotely since it's only acting on layer 2; this may be desirable or not.

They have an example of a layer-2 bridge with a layer-3 firewall added onto it.
http://www.debian.org/doc/manu...o/ap-bridge-fw.en.html

If Ubuntu is set up the same as Debian you can look into /usr/share/doc/ifupdown/examples/ and get an example of an ifup/ifdown script to create a bridge and a sample /etc/network/interfaces file for configuring it.
 
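The two approaches above (cleverhandle's "manual" method so the WAN NIC comes up with no host address, and drag's brctl recipe with 0.0.0.0 members) as one runnable script, plus the check a practitioner would want afterwards: is the NIC actually up and addressless? This is an added example, not code from the thread. It assumes Debian/Ubuntu ifupdown and bridge-utils; eth1, tap0 and br0 are placeholder names, and the ifconfig output it parses is constructed, not captured from a real host. Note that under the original poster's VMware Server setup the bridging is done by VMware's own vmnet-bridge against the physical NIC, so part (b) applies to drag's Linux-bridge style (e.g. a qemu/KVM tap device) rather than to a vmnet.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Debian/Ubuntu ifupdown and
# bridge-utils (brctl); eth1, tap0 and br0 are placeholder names.

# (a) cleverhandle's suggestion as an ifupdown stanza: method "manual" brings
#     the WAN NIC up without ever giving the host an address, so only the
#     firewall VM bridged onto it answers on that segment.
wan_stanza() {
    iface=$1
    cat <<EOF
# WAN NIC: link up, no host address (method manual, see interfaces(5))
auto $iface
iface $iface inet manual
    up ifconfig $iface 0.0.0.0 up
    down ifconfig $iface down
EOF
}

# (b) drag's brctl recipe as a function. Members get 0.0.0.0 (no address) and
#     the bridge itself gets none either, so the host is layer-2 only here.
#     DRYRUN=1 prints the commands instead of running them (they need root).
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

make_bridge() {
    br=$1; shift
    [ $# -ge 1 ] || { echo "make_bridge: need at least one member" >&2; return 1; }
    run brctl addbr "$br"
    for nic in "$@"; do
        run ifconfig "$nic" 0.0.0.0 up
        run brctl addif "$br" "$nic"
    done
    run ifconfig "$br" up
}

# (c) The check: given `ifconfig <iface>` output, succeed only if the link is
#     UP and no IPv4 address is configured. Run it against the real NIC after
#     boot, e.g.  iface_up_and_addressless "$(ifconfig eth1)"
iface_up_and_addressless() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])UP([[:space:]]|$)' || return 1
    printf '%s\n' "$1" | grep -q 'inet addr:' && return 1
    return 0
}

# Constructed ifconfig-style samples (not captured from a real host)
SAMPLE_GOOD='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_BAD='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_DOWN='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# Stand-alone demo: DEMO=1 sh thisfile  prints the stanza and the dry-run commands
if [ "${DEMO:-0}" = 1 ]; then
    DRYRUN=1
    wan_stanza eth1
    make_bridge br0 eth1 tap0
    iface_up_and_addressless "$SAMPLE_GOOD" && echo "eth1: up, no IPv4 address"
fi
```

The check only looks at IPv4. If IPv6 is enabled in the kernel, an interface that is brought up still gets an fe80:: link-local address (shown as "inet6 addr:" by ifconfig), so whether any host service could answer on the WAN segment over that address is a separate thing to look at.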

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: cleverhandle

However, while I see what you're trying to accomplish here (getting your firewall on the same physical box as other things), I would be uncomfortable doing this. If there's one thing on the network that I want truly isolated and simplified as much as possible, it's the Internet-facing firewall. I'm doing a bunch of server consolidation and reconfiguration with VMware right now myself, but the firewall still stands alone. I would also have some questions about whether a VM'd firewall can effectively do wire-speed packet filtering when it's sharing a virtual interface.

We have a 10 Mb up/down connection here and do run our router in a VM. We use VLANs with VMware ESX Server to accomplish this. We did extensive throughput testing and showed no slowdown whatsoever, and our VMware servers are very busy (about 15 VMs on 3 physical servers). I haven't really found any measure of bandwidth usage (I could probably look on the switch), but we have two 1-gig connections going into each box, combined with link aggregation and bonding.

Security-wise, I don't see how it would be any more of a risk. And the benefit of being able to restore a snapshot with a click in the event it has a problem or migrate it to a different physical machine in a moment if there are hardware problems outweighs any perceived security risk, IMO. So just FYI it is doable and has worked just dandy for us (though this was just done in the last 2 months).
 

InlineFive

Diamond Member
Sep 20, 2003
Thanks for the great information! :D Got it working.

While at first I had qualms about placing my firewall on the same box, after reading the information and examples that drag posted I think it'll be okay.

However, I do agree with you about the possible speed issue, cleverhandle. Whether or not it will be able to maintain wire speed remains to be seen. Sadly VMware Server isn't quite as fast, nor does it provide as much "QoS" control, as ESX Server does.

Part of the reason I'm doing this is because my firewall box was fried in a brownout yesterday and I would really rather not spend the cash to replace it right now. :)

I5
 

drag

Elite Member
Jul 4, 2002
That's funny.


My favorite firewall software right now is made by the Shoreline Firewall project, aka Shorewall. The main guy with it uses Xen for his own personal use. He was able to consolidate several different devices into a single Linux machine by using Xen and virtual networking.

He has two examples of his setup:
one for a bridged setup; http://www.shorewall.net/XenMyWay.html
and another for a routed setup; http://www.shorewall.net/XenMyWay-Routed.html


Personally my firewall right now is an old Dell PC I rescued from work before the PC recyclers got it. I stuffed it full of old 3Com 100 Mb NICs. I have a stripped-down Debian stable install on it. For the firewall I built it using Shorewall. Then I have dnsmasq, which is a handy DNS proxy and DHCP server, which provides the basic services for my network. Works wonderfully. For a while I had Ntop installed, which provided a VERY nice web interface so I can monitor traffic and connections going in and out of my network.


Pretty good stuff.
 

cleverhandle

Diamond Member
Dec 17, 2001
Perhaps I'm just being too conservative, then. It *is* a fragrant possibility, having a (logically) neatly segmented network all on one box. It's something to think about...

Hmm... currently, my router is three-legged: one interface heads out to the Net, one NATs for client PCs, and one is connected via crossover cable to the VMware box, which is serving several public IPs. How would that crossover segment work if it were all rolled up together? Would you bridge all the virtual interfaces to a physical interface that isn't physically connected to anything? Save a NIC and bridge all of them to one of the interfaces that's being used for something else and just have two different networks running there? Either way seems a little odd.
 

drag

Elite Member
Jul 4, 2002
Well...


You can set up virtual interfaces and virtual LANs. You lay them out logically just as you would a real network.

For the Shorewall guy's bridging example, I don't want to describe all of it, but it makes sense if you look at the image he is using.
http://www.shorewall.net/images/Xen4.png



And yes, there is a significant performance penalty for doing all this virtual networking stuff. You're dealing with multiple TCP stacks and multiple routing stuff. But it's not significant for internet speeds.
 

Brazen

Diamond Member
Jul 14, 2000
If (when?) I do this at home, I plan to do it pretty much the same as I set it up at work. Install the dotq package on my Linux box and set up virtual interfaces tied to VLANs. Of course you would also need to be able to do VLANs on the switch, and since I don't want to spend $300 on a Dell PowerConnect, I need to figure out how to do VLANs on OpenWRT. That way I don't have a mess of NICs and cables.

It would also be nice if I could figure out how to do link aggregation on OpenWRT.

Then, what I would really like to do is have 2 NICs, aggregated, to a separate switch just for connecting to a pair of iSCSI boxen; and then 2 NICs aggregated for network traffic.
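Brazen's one-trunk layout (802.1q subinterfaces on a single NIC, one per segment, each bridged to its own VMs) as an added example script; it is not code from the thread or from any of the projects mentioned. It assumes the Debian/Ubuntu "vlan" package (vconfig and the 8021q module) plus bridge-utils, that the switch port facing the host is a trunk carrying the listed VLAN IDs, and placeholder names eth0, brwan, brlan and the IDs 10/20. WAN and LAN share one cable but never share a bridge, and neither subinterface nor bridge gets a host address, which is the same property the earlier eth1 discussion was after.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Debian/Ubuntu "vlan"
# package (vconfig, 8021q) and bridge-utils. eth0, bridge names and VLAN IDs
# are placeholders; the switch port must be a trunk carrying those VLANs.

# DRYRUN=1 prints the privileged commands instead of executing them.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Reject anything that is not a legal 802.1q VLAN ID (1..4094).
valid_vid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# trunk_to_bridges <trunk-nic> <bridge>=<vid> [<bridge>=<vid> ...]
# Each segment becomes <trunk>.<vid>, brought up with no host address and
# attached to its own bridge, so one NIC carries several isolated segments.
trunk_to_bridges() {
    trunk=$1; shift
    [ $# -ge 1 ] || { echo "trunk_to_bridges: no bridge=vid pairs" >&2; return 1; }
    for pair in "$@"; do
        case $pair in *=*) ;; *) echo "bad argument '$pair' (want bridge=vid)" >&2; return 1 ;; esac
        valid_vid "${pair#*=}" || { echo "bad VLAN id '${pair#*=}' for ${pair%%=*}" >&2; return 1; }
    done
    run modprobe 8021q
    run vconfig set_name_type DEV_PLUS_VID_NO_PAD   # subinterfaces named eth0.10, not vlan0010
    run ifconfig "$trunk" 0.0.0.0 up                # trunk itself carries no host address
    for pair in "$@"; do
        br=${pair%%=*}
        vid=${pair#*=}
        sub="$trunk.$vid"
        run vconfig add "$trunk" "$vid"
        run ifconfig "$sub" 0.0.0.0 up
        run brctl addbr "$br"
        run brctl addif "$br" "$sub"
        run ifconfig "$br" up                       # bridge stays addressless: layer 2 only
    done
}

# Stand-alone demo: DEMO=1 sh thisfile
if [ "${DEMO:-0}" = 1 ]; then
    DRYRUN=1
    trunk_to_bridges eth0 brwan=10 brlan=20
fi
```

The VMs' virtual NICs are then attached to brwan or brlan (for qemu/KVM, a tap device added with brctl addif; under VMware Server, a vmnet bridged to the matching eth0.<vid> device instead). The VLAN IDs chosen here must match what the switch tags; a mistyped ID silently lands a segment on the wrong VLAN, which is why the script refuses malformed IDs before touching anything.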