System administration
digdream, 2012-07-23 15:25:40

Setting up a firewall to manage a subnet?

A server was rented at the Hetzner DC; a subnet for virtual machines and an additional address for routing this subnet were obtained.
The VMware ESXi 5 hypervisor was installed on the host.
If I understood everything correctly, then in order to use addresses from the dedicated subnet you need to install and configure a virtual machine that will act as a gateway. The pfSense distribution was chosen for this machine (perhaps the choice is worth reconsidering? Is there something simpler / faster?)
3 network adapters were installed on this virtual machine:
1. an adapter with the additional address for routing
2. 192.168.1.1 for organizing an internal local network
3. an adapter with one address from the subnet - it will act as the gateway

Next, I created an experimental VM, assigned it the second subnet address, and, accordingly, the first address as its gateway. It did not work right away; the firewall turned out to be the culprit. After turning it off, everything seemed to be fine.

So now the question is:
1. As far as I understand, this virtual machine will now sit in front of all VMs in the subordinate subnet and all traffic will pass through it?
2. Is it necessary to create any rules for routing to work? Or, for example, if we have a VM with Apache on one of the IPs, is it enough to make a firewall rule that allows packets to port 80 of this VM? And, accordingly, to allow ICMP so that pings work?
3. How many resources should be given to this gateway machine?
4. With an active, properly configured gateway firewall, can one skip filtering on the end VMs so as not to raise the load?
5. And, a little off topic - which distribution is preferable for deploying a dozen lightly loaded sites (ordinary PHP + MySQL + Apache)?


2 answers
@ntkt, 2012-07-24

1. Look at the screen with the virtual adapters in the ESXi settings and just draw yourself a picture.
2. Are you asking what specifically to write in the pf configs?
3. There is no universal answer; an orchestra of various virtual machines on ESXi can perform any miracles under load. It is all the will of the Great Random.
4. Filtering at what level? Transport, application, depending on what we are protecting ourselves from?
You can simply close extra ports on certain interfaces / subnets (which is zero overhead and will only save you from bots knocking on specific ports and trying to hack the services hanging on them), or you can install a powerful integrated IDS / IPS system with all the bells and whistles.
5. Take the most common, convenient, and actively maintained one.
Debian/Ubuntu, CentOS, for example.
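Since the first answer raises what would actually go into the pf configuration, here is an added example (not from the question or either answer) of a minimal pf.conf for the three-adapter gateway the asker describes, written in raw pf syntax as used by FreeBSD and pfSense; on pfSense itself the same rules are entered per interface in the web GUI rather than in a file. Interface names and all addresses are assumptions: vmx0..vmx2 stand for the three virtual adapters, 203.0.113.0/29 is a constructed placeholder for the routed subnet, and 203.0.113.2 is the VM running Apache.

```pf
# Added example pf.conf for a routed-subnet gateway VM (assumed names/addresses).
wan_if  = "vmx0"            # adapter 1: the additional address the DC routes the subnet to
lan_if  = "vmx1"            # adapter 2: 192.168.1.1, private LAN
dmz_if  = "vmx2"            # adapter 3: first address of the routed subnet (the gateway)
dmz_net = "203.0.113.0/29"  # constructed placeholder for the routed subnet
web_vm  = "203.0.113.2"     # constructed placeholder for the Apache VM

set skip on lo0
set block-policy drop

# Translation rules come before filter rules in pf.
# Only the private LAN needs NAT; the routed subnet is reachable as-is.
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# Drop packets arriving on WAN that claim a source address from our own networks.
antispoof quick for $wan_if

# Default deny, logged: anything not explicitly passed below is dropped.
block log all

# Let the gateway and both guest networks initiate traffic outwards;
# state tracking admits the replies without further rules.
pass out quick all keep state
pass in on $lan_if from $lan_if:network to any keep state
pass in on $dmz_if from $dmz_net to any keep state

# Inbound from the Internet to the routed subnet: publish only what is needed.
# Question 2: one rule for port 80 on the web VM, one for ICMP echo requests.
pass in on $wan_if inet proto tcp from any to $web_vm port 80 keep state
pass in on $wan_if inet proto icmp from any to $dmz_net icmp-type echoreq keep state
```

Forwarding must be enabled on the gateway (net.inet.ip.forwarding=1 on FreeBSD; pfSense turns it on itself), and `pfctl -nf /etc/pf.conf` checks the file for syntax errors before it is loaded. The default `block log all` is what makes the gateway the single choke point asked about in question 1: a subnet VM receives nothing from outside unless a rule on the gateway passes it, so filtering on the VMs themselves becomes an extra layer rather than the only one, and the logged blocks on the WAN side are the place to look when a service "does not work on the fly" as in the question.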

Daniel Newman, 2012-07-24
@danielnewman

A translation has been started here - habrahabr.ru/post/147864/ Not the ultimate truth, but not written by an idiot either. As far as I understand, the question is not trivial, since there are as many opinions as there are people, and there is not much material on virtualization. I.e. it is anyone's guess, and there is less of it than one would like.
I will gladly follow the answers from the seasoned admins.
