Many, many thanks to all who responded!

I now plan to run my OpenBSD firewall *stand-alone* directly on a Soekris
box for sure (no VM) and isolate all else on a separate box running the
ESXi that fully supports the ESXi HCL.

Many thanks to all the developers and especially Theo for creating
IMHO the world's greatest OS!!

--- On Thu, 5/21/09, Kevin Wilcox <ke...@tux.appstate.edu> wrote:

> From: Kevin Wilcox <ke...@tux.appstate.edu>
> Subject: Re: OpenBSD ESXi VMware image on Soekris Net5501
> To: obiozorok...@yahoo.com
> Cc: misc@openbsd.org
> Date: Thursday, May 21, 2009, 11:39 AM
> 2009/5/21  <obiozorok...@yahoo.com>:
>
> > I'll have to re-think this but I honestly thought (I guess I'm wrong)
> > that if I my first OpenBSD VM image running on ESXi as my strong
> > firewall I would be ok. Basically its just a virtualization of my
> > physical environment but all on one box with 3 VM images. So my idea
> > was to have second OpenBSD image (not the firewall OpenBSD image)
> > running with Samba as my Domain Controller and File server, and Email
> > server and then the third Windows VM running just the custom app. I
> > figured that as long as all the 'Net traffic hit my first OpenBSD VM
> > and was properly filtered and controlled by pf, spam greylisting,
> > brute force checked, etc I would be ok? No?
>
> There are some strategic issues with virtualising a firewall.
>
> What should be the simplest, most rock solid member of your network is
> now on the same hardware as <foo> virtual machines. If one of the
> application servers is compromised then it's *possible* that the
> VMWare server itself could be compromised, rendering the firewall VM
> under the control of The Bad Guys. If one of the VMs screws the pooch
> and takes down the server then you've not only lost the ability to
> communicate with those servers, you've lost the ability to communicate
> with your firewall. If one of the application VMs isn't configured
> with proper resource limits then performance on the firewall will drop
> under periods of heavy traffic. For that matter, you've already
> introduced overhead on throughput of the firewall by forcing traffic
> to be received by the VM OS before it's received by OpenBSD. If the VM
> server is compromised then the things that can be done to traffic
> without ever actually disrupting the firewall are almost certainly fun
> fun fun (in all fairness, I haven't tried mucking with traffic on
> ESX/i, this is based entirely in speculation).
>
> I'm sure there are obvious things that I'm missing but these are the
> ones that blast the loudest through my brain when I think about
> virtualising a firewall. As I stated before, I have done it and there
> are a few that I maintain - and they do their job well - but that
> doesn't mean I condone the practice in general and it surely doesn't
> suggest that I think it's something that should be done on a whim or
> with a light attitude. It is dangerous and unsupported and you need to
> understand there is significant risk in doing so.
>
> kmw
>
> --
> To take from one, because it is thought that his own industry and that
> of his fathers has acquired too much, in order to spare to others,
> who, or whose fathers have not exercised equal industry and skill, is
> to violate arbitrarily the first principle of association, 'the
> guarantee to every one of a free exercise of his industry, & the
> fruits acquired by it.'
