Installation pfsense
on KVM and using it as a firewall for your linux desktop.
Pfsense on kvm is a
firwall server for my linuxmintxfce17.1 fun workstation.
The simple flow is
as follows.
Internet->kvm
virtual pfsense firewall->host.
For those who want
to protect linux box for a long time, maybe it is a good option.
1) Installation
Above link is very
enough and non-burdensome for who do not use KVM often.
2) I used to use
virtualbox. So, I converted virtualbox vdi to kvm image(.qow2).
*)For example,
#qemu-img convert -f
vdi -O qcow2 u1.vdi u1.qcow2
# othere example is
#vboxmanage clonehd
vm.vdi vm.img
#and qemu-img
convert -f raw -O qco2 vmname.vdi vnmane.qcow2..
#
Should correct raw
to qcow2 on u1.xml to avoid No boot some errors.
# virsh -c
qemu:///session dumpxml u1 > ~/u1.xml
# vi ~/u1.xm
Change raw to qcow2.
<driver
name='qemu' type='qcow2'/>
virt # virsh -c
qemu:///session define ~/p2.xml
Domain pf2 defined
from /root/p2.xml
No more errors.
3) Pfsense:
https://pfsense.org(This is
freebsd based).
*This free firewall
distro is very easy to install snort ID detection. This is why I love
this distro.
* This is very easy
to install.
4) Network.
VEPA source mode.
Hot device eth0:macvtap.This interface is for outer WAN network.
5)
#)virsh
net-autostart default
# virsh net-edit
default
<network>
<name>default</name>
<uuid>5c16f4ee-3b5b-43c8-a2fc-82f99466fcfb</uuid>
<forward
mode='nat'>
<nat>
<port
start='1024' end='65535'/>
</nat>
</forward>
<bridge
name='virbr1' stp='on' delay='0'/>
<mac
address='50:34:30:fe:8f:69'/>
<ip
address='192.168.142.1' netmask='255.255.255.0'>
<dhcp>
<range
start='192.168.142.2' end='192.168.142.254'/>
</dhcp>
</ip>
</network>
6)
#route add default
gw 192.168.142.2 virbr1
Kernel IP routing
table
Destination
Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0
192.168.142.2 0.0.0.0 UG 0 0 0 virbr1
192.168.142.0
0.0.0.0 255.255.255.0 U 0 0 0 virbr1
To-be-filled-by-O-E-M
isolinux #
Pfsense web
interface
* To sum up, all
network inflow is through via KVM based pfsense firewall.
In security point,
this setting is little bit more secure than just nothing.
If your are more
concerned on security, you can use iptables on host bare metal
workstation or server.