In the process of working on a project for work, we had to set up a virtual transparent firewall. Basically, what we did was take the Honeywall roo CD and modify it for our project; since it's open source, this was no problem. There are various other articles on this topic, like THIS ONE, which is pretty good, but I am doing it with a Fedora Core 4 base install (the Honeywall roo CD-ROM) rather than a BSD. I will be using the Honeywall image rather than building my own, but that should not make any difference to the bridging and firewalling it will do. I thought I would write it up here, mainly for my own notes and in case someone else is having trouble setting this up.
Assumptions:
1. Host box is running Gentoo (2005.1), kernel 2.6.15-gentoo-r1
2. I have three interfaces in my Gentoo box
3. Will be using vmnet8 (NAT), vmnet2 (host-only), and vmnet7 (NAT - for command and control)
Steps:
1. Install GSX server 3.2.1 or vmware server (free beta version) - http://www.vmware.com
2. By default, VMware will want you to set up vmnet1 (bridged), vmnet2 (host-only), and vmnet8 (NAT); you can go ahead and set those up.
vmnet0 - bridge (unused) - default
vmnet1 - host-only (unused) - default
vmnet2 - host-only (our bridge)
vmnet7 - (NAT) 192.168.0.0/24
vmnet8 - (NAT) 10.0.0.0/24 - default
We will set up vmnet0, vmnet1, vmnet7, and vmnet8 through /usr/bin/vmware-config.pl, and vmnet2 through the following command:
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet2.pid /dev/vmnet2 vmnet2
The honeywall VM has the following network adapters:
1. Network adapter - NAT (vmnet 8)
2. Network adapter - /dev/vmnet2
3. Network adapter - /dev/vmnet7
The virtual machines are on /dev/vmnet2 and in the 10.0.0.0/24 subnet; they obtain their IP addresses from the GSX server themselves. The GSX server has the following settings:
1. vmnet1 - 192.158.166.1
2. vmnet2 - nothing (bridge)
3. vmnet7 - 192.168.0.1
4. vmnet8 - 10.0.0.1
IP addresses can vary depending on your virtual configuration. All traffic from your VMs on 10.0.0.1 to the outside world should now flow through, and must pass through, our honeywall.
Bridge settings on the honeywall:
#!/bin/sh
# Build the transparent bridge across the two bridged adapters
# (the NAT side on vmnet8 and the VM segment on /dev/vmnet2).
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up
# Don't forget to enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
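As an added example (not code from the original post or the Honeywall project), the same bridge brought up as a script that skips steps already done and then checks that the result really is transparent: both adapters enslaved, no IP address on br0 itself, forwarding on. The eth0/eth1/eth2 names are an assumption about how the guest numbers the three adapters listed above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the guest names the
# adapters eth0/eth1/eth2 in the order listed above (an assumption).
BRIDGE=br0
OUTSIDE=eth0   # adapter 1: vmnet8 (NAT), toward the outside world
INSIDE=eth1    # adapter 2: /dev/vmnet2, the segment the VMs sit on
# eth2 (adapter 3, vmnet7) stays off the bridge; it is the management path.

# bridge_ports BRIDGE "<brctl show output>": print the ports enslaved to BRIDGE.
bridge_ports() {
    printf '%s\n' "$2" | awk -v br="$1" '
        NR == 1 { next }                            # column header
        $1 == br { in_br = 1; if (NF >= 4) print $4; next }
        in_br && NF == 1 { print $1; next }         # extra ports, one per line
        { in_br = 0 }'
}

# check_bridge BRIDGE "<brctl show>" "<ifconfig BRIDGE>" "<ip_forward value>"
# Succeeds only if both adapters are enslaved, the bridge carries no IPv4
# address of its own (otherwise the honeywall is visible on the wire), and
# forwarding is on.
check_bridge() {
    ports=$(bridge_ports "$1" "$2")
    printf '%s\n' "$ports" | grep -qx "$OUTSIDE" || { echo "$OUTSIDE not in $1"; return 1; }
    printf '%s\n' "$ports" | grep -qx "$INSIDE"  || { echo "$INSIDE not in $1"; return 1; }
    if printf '%s\n' "$3" | grep -q 'inet '; then
        echo "$1 has an IP address; a transparent bridge should have none"
        return 1
    fi
    [ "$4" = "1" ] || { echo "ip_forward is not enabled"; return 1; }
    return 0
}

# setup_bridge: the post's commands, skipped where already done, then checked.
setup_bridge() {
    brctl show | awk -v br="$BRIDGE" 'NR > 1 && $1 == br { f = 1 } END { exit !f }' \
        || brctl addbr "$BRIDGE"
    for p in "$OUTSIDE" "$INSIDE"; do
        bridge_ports "$BRIDGE" "$(brctl show)" | grep -qx "$p" || brctl addif "$BRIDGE" "$p"
        ifconfig "$p" up
    done
    ifconfig "$BRIDGE" up
    echo 1 > /proc/sys/net/ipv4/ip_forward
    check_bridge "$BRIDGE" "$(brctl show)" "$(ifconfig "$BRIDGE")" \
        "$(cat /proc/sys/net/ipv4/ip_forward)"
}

if [ "${1:-}" = "--apply" ]; then setup_bridge; fi
```

Run it as root on the honeywall with --apply; without the flag it only defines the functions, so the checks can be run by hand against saved brctl/ifconfig output.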
Below is a picture of my current virtual honeywall setup:

