Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-07 Thread Илья Шипицин
Look at www.fwbuilder.org
It is good. It even has commercial support if you like.

On Wednesday, 4 July 2012, C. L. Martinez wrote:

 Hi all,

  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

  The idea is to configure different security scenarios on a single
 system. Is it possible?? Some example??

 Thanks.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-05 Thread Peter Kay
C. L. Martinez carlopm...@gmail.com wrote:

Hi all,

 I wonder if with OpenBSD is possible to create virtualized firewalled
implementations of conventional physical topologies and designs such
as central and remote DMZs (my question has nothing to do with
virtualization platforms like ESXi/vSphere or Xen or KVM), like for
example CheckPoint VSX does:
http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

 The idea is to configure different security scenarios on a single
system. Is it possible?? Some example??

Thanks.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-05 Thread Henning Brauer
* Andres Perera andre...@zoho.com [2012-07-04 17:42]:
 out of curiosity, how would you make pf(4) only handle rules
 pertaining to a certain anchor depending on the process that's
 interfacing with them? i ask because; e.g.,  pfctl -sr should only
 show rules for that client, and other pf(4) operations need to be
 equally restricted. i know that originally you said that the loading
 of the rules is not up to the client but a periodic batch job, however
 that does not match CheckPoint VSX

geez, don't act so helpless, this is unix after all.

write yourself a little wrapper that, depending on the caller/source,
enforces a pfctl -a anchorinquestion ...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-05 Thread Andres Perera
that's not exciting at all. maybe one day i will write a vpf device.
benefits include not having to be root to check an agreed upon subset
of your states, running proxies and other applications that insert
rules completely non-root

other details have to be worked out so that sub-pfs can't run the
system out of resources, that's the main thing

xoxo

On Thu, Jul 5, 2012 at 10:46 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Andres Perera andre...@zoho.com [2012-07-04 17:42]:
 out of curiosity, how would you make pf(4) only handle rules
 pertaining to a certain anchor depending on the process that's
 interfacing with them? i ask because; e.g.,  pfctl -sr should only
 show rules for that client, and other pf(4) operations need to be
 equally restricted. i know that originally you said that the loading
 of the rules is not up to the client but a periodic batch job, however
 that does not match CheckPoint VSX

 geez, don't act so helpless, this is unix after all.

 write yourself a little wrapper that, depending on the caller/source,
 enforces a pfctl -a anchorinquestion ...

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread C. L. Martinez
Hi all,

 I wonder if with OpenBSD is possible to create virtualized firewalled
implementations of conventional physical topologies and designs such
as central and remote DMZs (my question has nothing to do with
virtualization platforms like ESXi/vSphere or Xen or KVM), like for
example CheckPoint VSX does:
http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

 The idea is to configure different security scenarios on a single
system. Is it possible?? Some example??

Thanks.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Jiri B
On Wed, Jul 04, 2012 at 09:29:04AM +0200, C. L. Martinez wrote:
 Hi all,
 
  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

So what is that doing? The link is full of marketing shit words :)

jirib



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread C. L. Martinez
On Wed, Jul 4, 2012 at 10:49 AM, Jiri B ji...@devio.us wrote:
 On Wed, Jul 04, 2012 at 09:29:04AM +0200, C. L. Martinez wrote:
 Hi all,

  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

 So what is that doing? The link is full of marketing shit words :)


The great catch here is what VSX does: you can deploy virtual
firewalls within the same physical CheckPoint machine.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Henning Brauer
* C. L. Martinez carlopm...@gmail.com [2012-07-04 11:17]:
 On Wed, Jul 4, 2012 at 10:49 AM, Jiri B ji...@devio.us wrote:
  On Wed, Jul 04, 2012 at 09:29:04AM +0200, C. L. Martinez wrote:
   I wonder if with OpenBSD is possible to create virtualized firewalled
  implementations of conventional physical topologies and designs such
  as central and remote DMZs (my question has nothing to do with
  virtualization platforms like ESXi/vSphere or Xen or KVM), like for
  example CheckPoint VSX does:
  http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.
  So what is that doing? The link is full of marketing shit words :)
 The great catch here is what VSX does: you can deploy virtual
 firewalls within the same physical CheckPoint machine.

marketing garbage. what is this actually? unclear.

if this is about overlapping IP space, rdomains. administrative
boundaries? anchors and your choice of frontend/management around it.
something else? who knows?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Rafal Bisingier
Hi

On Wed, Jul 4, 2012 at 11:13 CEST
C. L. Martinez carlopm...@gmail.com wrote:

 On Wed, Jul 4, 2012 at 10:49 AM, Jiri B ji...@devio.us wrote:
  On Wed, Jul 04, 2012 at 09:29:04AM +0200, C. L. Martinez wrote:
 
   I wonder if with OpenBSD is possible to create virtualized firewalled
  implementations of conventional physical topologies and designs such
  as central and remote DMZs (my question has nothing to do with
  virtualization platforms like ESXi/vSphere or Xen or KVM), like for
  example CheckPoint VSX does:
  http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.
 
  So what is that doing? The link is full of marketing shit words :)
 
 The great catch here is what VSX does: you can deploy virtual
 firewalls within the same physical CheckPoint machine.

And what does this mean? Anyway, read about rdomains in OpenBSD -
that's how you'll get your virtual firewall, of course without the
fancy (and mostly annoying) GUI like the CheckPoint's one.

-- 
Greetings
Rafal Bisingier



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Franco Fichtner
On Jul 4, 2012, at 11:13 AM, C. L. Martinez wrote:
 On Wed, Jul 4, 2012 at 10:49 AM, Jiri B ji...@devio.us wrote:
 On Wed, Jul 04, 2012 at 09:29:04AM +0200, C. L. Martinez wrote:
 Hi all,
 
 I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.
 
 So what is that doing? The link is full of marketing shit words :)
 
 
 The great catch here is what VSX does: you can deploy virtual
 firewalls within the same physical CheckPoint machine.

No, the great catch here is that VSX offers you tools to manage up
to 250 of these virtual monsters in a centralized fashion. You can
also give control of these firewalls to your customers. You can put
lots of OpenBSD guests on a host, but there's no way you will be
happy when you are seriously thinking about deploying a VSX.


Franco



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Henning Brauer
* Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

ok, you've been brainwashed by marketing.

this is not a question of the firewall at all, but a question of the
management interface around it. 

as said and I repeat it again, use anchors and build sth for specific
users to be able to edit specific anchor rulesets. could be as easy as
a file per anchor owned by the user in question and a little cronjob
that reloads your ruleset including anchors hourly or so.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
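Henning's two suggestions, the per-caller wrapper that enforces `pfctl -a anchorinquestion` (his 5 July reply) and the file-per-anchor plus hourly cron reload sketched above, put together as an added example that is not from the thread or from OpenBSD itself. The tenant names, the /etc/pf.anchors layout, the doas(1) invocation and the vlan10 scoping are all assumptions.

```shell
#!/bin/sh
# pfanchorctl: let an unprivileged tenant manage only its own pf anchor.
# Assumed layout (constructed for this example): one file per tenant in
# /etc/pf.anchors, owned by that tenant, pulled into the main ruleset with
#   anchor "alice" on vlan10
#   load anchor "alice" from "/etc/pf.anchors/alice.conf"
# The "on vlan10" criterion scopes the tenant's rules to its own segment, so a
# mistake in alice.conf cannot filter bob's traffic. A root cron job such as
#   0 * * * * /sbin/pfctl -f /etc/pf.conf
# reloads everything hourly; this wrapper is for on-demand operations and is
# meant to be run through doas(1), which sets DOAS_USER to the calling login.

ANCHOR_DIR=/etc/pf.anchors

# Map a login name to the one anchor it may touch. Anyone not listed gets
# nothing (return 1), so the default is deny.
anchor_for_user() {
    case "$1" in
        alice) echo alice ;;
        bob)   echo bob ;;
        *)     return 1 ;;
    esac
}

# Translate an operation keyword into pfctl(8) arguments, always pinned to the
# tenant's anchor with -a. Anything outside this list is refused (return 1),
# so a tenant can never reach the main ruleset or another anchor.
build_pfctl_args() {
    anchor=$1 op=$2
    case "$op" in
        show)   echo "-a $anchor -sr" ;;
        check)  echo "-a $anchor -nf $ANCHOR_DIR/$anchor.conf" ;;
        reload) echo "-a $anchor -f $ANCHOR_DIR/$anchor.conf" ;;
        flush)  echo "-a $anchor -Fr" ;;
        *)      return 1 ;;
    esac
}

main() {
    # Identity comes from doas, never from an argument the tenant controls.
    caller=${DOAS_USER:-$(id -run)}
    anchor=$(anchor_for_user "$caller") || { echo "$caller: no anchor" >&2; exit 1; }
    args=$(build_pfctl_args "$anchor" "$1") || { echo "refused: $1" >&2; exit 1; }
    # shellcheck disable=SC2086  # word splitting of $args is intended
    exec /sbin/pfctl $args
}

# Only act when installed under this name; sourcing the file just defines
# the functions.
case "${0##*/}" in pfanchorctl) main "$@" ;; esac
```

A matching doas.conf line (e.g. `permit nopass alice cmd /usr/local/sbin/pfanchorctl`) is what grants the tenant root for this one command and nothing else.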



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread C. L. Martinez
On Wed, Jul 4, 2012 at 11:51 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

 ok, you've been brainwashed by marketing.

 this is not a question of the firewall at all, but a question of the
 management interface around it.

 as said and I repeat it again, use anchors and build sth for specific
 users to be able to edit specific anchor rulesets. could be as easy as
 a file per anchor owned by the user in question and a little cronjob
 that reloads your ruleset including anchors hourly or so.

 --

Forget marketing and GUI options provided by CheckPoint in VSX
product, that part does not interest me. My question was more focused
on the combined use of rtables, rdomains and possibly anchors.

P.D: uhmm what did you mean when you said sth??



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Franco Fichtner
On Jul 4, 2012, at 11:51 AM, Henning Brauer wrote:

 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.
 
 ok, you've been brainwashed by marketing.
 
 this is not a question of the firewall at all, but a question of the
 management interface around it.

That's what my first sentence said, actually.

But you are right, it just depends on the requirements. I was trying
to say without the proper tools in place, doing it might not work for
a lot of people for reasons of resources, time or scale. Anyway, I
feel truly humbled by this mailing list.


Franco



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Bahador NazariFard
search about rdomain or VRF in openbsd
these can solve your problem but you should do some work by hand (or brain)
if you can design good plan you can solve your problem. route -exec, pfctl,
rdomain, rtable may help you


On Wed, Jul 4, 2012 at 11:59 AM, C. L. Martinez carlopm...@gmail.com wrote:

 Hi all,

  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

  The idea is to configure different security scenarios on a single
 system. Is it possible?? Some example??

 Thanks.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Jordi Espasa Clofent

Possible and not recommendable at the same time, I'd say.

--
I will face my fear. I will permit it to pass over me and through me.
And when it has gone past I will turn the inner eye to see its path.
Where the fear has gone there will be nothing. Only I will remain.



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
out of curiosity, how would you make pf(4) only handle rules
pertaining to a certain anchor depending on the process that's
interfacing with them? i ask because; e.g.,  pfctl -sr should only
show rules for that client, and other pf(4) operations need to be
equally restricted. i know that originally you said that the loading
of the rules is not up to the client but a periodic batch job, however
that does not match CheckPoint VSX

would you make the pf driver check the uid of the caller itself and
spread out this code throughout every routine that fetches and set
rules, or where would you place the namespacing?

On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

 ok, you've been brainwashed by marketing.

 this is not a question of the firewall at all, but a question of the
 management interface around it.

 as said and I repeat it again, use anchors and build sth for specific
 users to be able to edit specific anchor rulesets. could be as easy as
 a file per anchor owned by the user in question and a little cronjob
 that reloads your ruleset including anchors hourly or so.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
ok here's a more thought out idea

a vpf is the same as a pf only that it has an ioctl that binds its
device minor to a rule # in pf0. access to a vpf0 is the same, posix
vfs permissions. (securelevel affects pf rule write-ability, but i
don't think a per vpf equivalent is useful for this example). only
that the bind ioctl can be done by root exclusively

if you want more vpfs, you need more device minors. that way the user
interfaces are already there (pfctl, systat states), and the pf device
protocol is already there, but the rules are now partitioned which was
the true purpose from the start

On Wed, Jul 4, 2012 at 11:11 AM, Andres Perera andre...@zoho.com wrote:
 out of curiosity, how would you make pf(4) only handle rules
 pertaining to a certain anchor depending on the process that's
 interfacing with them? i ask because; e.g.,  pfctl -sr should only
 show rules for that client, and other pf(4) operations need to be
 equally restricted. i know that originally you said that the loading
 of the rules is not up to the client but a periodic batch job, however
 that does not match CheckPoint VSX

 would you make the pf driver check the uid of the caller itself and
 spread out this code throughout every routine that fetches and set
 rules, or where would you place the namespacing?

 On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

 ok, you've been brainwashed by marketing.

 this is not a question of the firewall at all, but a question of the
 management interface around it.

 as said and I repeat it again, use anchors and build sth for specific
 users to be able to edit specific anchor rulesets. could be as easy as
 a file per anchor owned by the user in question and a little cronjob
 that reloads your ruleset including anchors hourly or so.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/