> -------- Original Message --------
> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
> Local Time: November 13, 2017 4:37 PM
> UTC Time: November 14, 2017 12:37 AM
> From: teas...@shorewall.net
> To: shorewall-users@lists.sourceforge.net
>
> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>
>>> I've given up on trying to set up a Private Virtual Network in
>>> virt-manager (KVM), as it does not work. (CentOS7.4 all 'round)
>>> So I've now assigned a hardware ethernet port to the DMZ VM and one to
>>> the router VM, just like all the other VMs. The DMZ and router have
>>> their own IP class C's (different from the LAN). I'm uneasy with
>>> this, as if an interface could be put in promiscuous...
>>> But what else am I going to do? Using a bridge isn't very secure as
>>> it depends on a software driver, and if a flaw is found/exists in
>>> that? It is hard to get bolt-sure isolation from some VMs, with
>>> communication in others.
>>> With hardware interfaces and SNAT MASQUERADE defined for the LAN IP
>>> and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>>> machine. Nothing in the logs, as usual.
>>
>> Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>> into it, I added in snat:
>>
> Your LAN does NOT have to be NATted to your DMZ.
>>
>> SNAT(10.1.111.3) 192.168.1.2 10.1.111.2 ssh
>> Not understanding what to put in () (and it doesn't work without
>> something) I put in an IP that's in the same class C as the DMZ, which
>> otherwise isn't being used. 192.168.1.2 is the source IP in the LAN and
>> 10.1.111.2 is the DMZ interface in the router which is supposed to point
>> to the DMZ machine at 10.1.111.30.
>> But now Shorewall won't start because it does not recognize the service
>> ssh! WTH? I knew it's good but just to be sure I checked
>> /etc/services, and yep, port 22.
>>
> You are missing the protocol column. Also, the syntax of the destination
> column requires an interface name.
>> Even if this worked, another problem with this is that if I snat all SSH
>> traffic to the DMZ, I can no longer SSH out to The Internets.
>> Everything gets turned around to the DMZ.
>> I can't believe there isn't a writeup on this anywhere.
>
> What is different about your configuration and the one shown in the
> Three Interface Howto (http://www.shorewall.org/
> three-interface.htm)?
>
> -Tom
The problem was with my DMZ VM. I found I couldn't get out of it to do
anything, and nobody could get in. Only had access through the KVM console.
I'm so exhausted that I don't remember what was wrong, but all is working now
and I've taken backups of this clean snapshot on which I can base experiments.
Still left with the question of the most secure way to join the DMZ to the
network. Right now I'm using hardware SR-IOV interfaces, but they could be put
in promiscuous mode. KVM's Private Virtual Networking didn't work, and the
software bridge driver in the host could have exploitable flaws.
Wondering what best practice is for KVM DMZ isolation? (And I'm probably not
the only one here)
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
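Tom's two points above (the LAN does not need NAT to reach the DMZ, and an snat entry needs the PROTO column and an interface name in DEST) can be shown as a minimal Shorewall 5 three-zone configuration. This is an added example, not a file from the thread or from the Shorewall project. The interface names eth0 (WAN), eth1 (LAN) and eth2 (DMZ) are assumptions; the addresses are the ones quoted in the thread (LAN 192.168.1.0/24, DMZ 10.1.111.0/24, DMZ host 10.1.111.30).

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (eth0/eth1/eth2 are assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth2        detect      tcpflags,nosmurfs,routefilter,logmartians

# /etc/shorewall/policy  (default-deny; the DMZ may not initiate into the LAN)
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
net     all     DROP    info
dmz     loc     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (plain routing between LAN and DMZ, no NAT involved)
#ACTION SOURCE          DEST            PROTO   DPORT
ACCEPT  loc             dmz:10.1.111.30 tcp     22
ACCEPT  dmz             net             tcp     80,443
ACCEPT  dmz             net             udp     53
ACCEPT  net             dmz:10.1.111.30 tcp     80,443

# /etc/shorewall/snat  (only the WAN side is masqueraded, LAN and DMZ alike)
#ACTION         SOURCE          DEST    PROTO   PORT
MASQUERADE      192.168.1.0/24  eth0
MASQUERADE      10.1.111.0/24   eth0
# The entry from the thread failed because "ssh" landed in the PROTO column
# and DEST held an address instead of an interface. Had source NAT toward the
# DMZ actually been wanted, the columns would have to read (still not needed):
# SNAT(10.1.111.2) 192.168.1.0/24  eth2    tcp     22
```

Because the router holds both 192.168.1.x and 10.1.111.2, the LAN host's SSH connection to 10.1.111.30 is simply routed and the DMZ host sees the real 192.168.1.2 source, which keeps the DMZ host's own logs meaningful. The dmz-to-loc DROP policy is what gives the DMZ its value: a compromised DMZ host can reach the WAN on the listed ports but cannot open connections back into the LAN. After editing, `shorewall check` validates the column syntax before `shorewall restart` applies it.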