Thursday, March 26, 2015

Installation pfsense on KVM and using it as a firewall for your linux desktop.


Installation pfsense on KVM and using it as a firewall for your linux desktop.

Pfsense on kvm is a firwall server for my linuxmintxfce17.1 fun workstation.

The simple flow is as follows.
Internet->kvm virtual pfsense firewall->host.


For those who want to protect linux box for a long time, maybe it is a good option.


1) Installation
Above link is very enough and non-burdensome for who do not use KVM often.

2) I used to use virtualbox. So, I converted virtualbox vdi to kvm image(.qow2).

*)For example,
#qemu-img convert -f vdi -O qcow2 u1.vdi u1.qcow2
# othere example is
#vboxmanage clonehd vm.vdi vm.img
#and qemu-img convert -f raw -O qco2 vmname.vdi vnmane.qcow2..
#

Should correct raw to qcow2 on u1.xml to avoid No boot some errors.
# virsh -c qemu:///session dumpxml u1 > ~/u1.xml
# vi ~/u1.xm
Change raw to qcow2.
<driver name='qemu' type='qcow2'/>

virt # virsh -c qemu:///session define ~/p2.xml
Domain pf2 defined from /root/p2.xml

No more errors.

3) Pfsense: https://pfsense.org(This is freebsd based).
*This free firewall distro is very easy to install snort ID detection. This is why I love this distro.
* This is very easy to install.

4) Network.
VEPA source mode. Hot device eth0:macvtap.This interface is for outer WAN network.


5)
#)virsh net-autostart default
# virsh net-edit default
<network>
<name>default</name>
<uuid>5c16f4ee-3b5b-43c8-a2fc-82f99466fcfb</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='50:34:30:fe:8f:69'/>
<ip address='192.168.142.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.142.2' end='192.168.142.254'/>
</dhcp>
</ip>
</network>
6)


#route add default gw 192.168.142.2 virbr1

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.142.2 0.0.0.0 UG 0 0 0 virbr1
192.168.142.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr1
To-be-filled-by-O-E-M isolinux #


Pfsense web interface




* To sum up, all network inflow is through via KVM based pfsense firewall.
In security point, this setting is little bit more secure than just nothing.

If your are more concerned on security, you can use iptables on host bare metal workstation or server.





Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)