On 11/13/2017 05:51 PM, Colony.three via Shorewall-users wrote:
> 
> 
>> -------- Original Message --------
>> Subject: Re: [Shorewall-users] Setting Up a DMZ Fail
>> Local Time: November 13, 2017 4:37 PM
>> UTC Time: November 14, 2017 12:37 AM
>> From: teas...@shorewall.net
>> To: shorewall-users@lists.sourceforge.net
>>
>> On 11/13/2017 03:25 PM, Colony.three via Shorewall-users wrote:
>>
>>         I've given up on trying to set up a Private Virtual Network in
>>         virt-manager (KVM), as it does not work.  (CentOS7.4 all 'round)
>>         So I've now assigned a hardware ethernet port to the DMZ VM
>>         and one to
>>         the router VM, just like all the other VMs.  The DMZ and
>>         router have
>>         their own IP class C's (different from the LAN).  I'm uneasy with
>>         this, as if an interface could be put in promiscuous...
>>         But what else am I going to do?  Using a bridge isn't very
>>         secure as
>>         it depends on a software driver, and if a flaw is found/exists in
>>         that?  It is hard to get bolt-sure isolation from some VMs, with
>>         communication in others.
>>         With hardware interfaces and SNAT MASQUERADE defined for the
>>         LAN IP
>>         and DMZ IP, the LAN can get out to the WAN -- but not the DMZ
>>         machine.  Nothing in the logs, as usual.
>>
>>     Presuming that my LAN has to be NATted to the DMZ in the router to SSH
>>     into it, I added in snat:
>>
>>     Your LAN does NOT have to be NATted to your DMZ.
>>
>>     SNAT(10.1.111.3) 192.168.1.2                   10.1.111.2        ssh
>>     Not understanding what to put in () (and it doesn't work without
>>     something) I put in an IP that's in the same class C as the DMZ, which
>>     otherwise isn't being used.  192.168.1.2 is the source IP in the
>>     LAN and
>>     10.1.111.2 is the DMZ interface in the router which is supposed to
>>     point
>>     to the DMZ machine at 10.1.111.30.
>>     But now Shorewall won't start because it does not recognize the
>>     service
>>     ssh!  WTH?  I knew it's good but just to be sure I checked
>>     /etc/services, and yep, port 22.
>>
>>     You are missing the protocol column. Also, the syntax of the
>>     destination
>>     column requires an interface name.
>>     Even if this worked, another problem with this is that if I snat
>>     all SSH
>>     traffic to the DMZ, I can no longer SSH out to The Internets. 
>>     Everything gets turned around to the DMZ.
>>     I can't believe there isn't a writeup on this anywhere.
>>
>>
>>
>>     What is different about your configuration and the one shown in the
>>     Three Interface Howto (http://www.shorewall.org/
>>     three-interface.htm)?
>>
>>     -Tom
>>
> The problem was with my DMZ VM.  I found I couldn't get out of it to do
> anything, and nobody could get in.  Only had access through the KVM
> console.  I'm so exhausted that I don't remember what was wrong, but all
> is working now and I've taken backups of this clean snapshot on which I
> can base experiments.
> 
> Still left with the question of the most secure way to join the DMZ to
> the network.  Right now I'm using hardware SR-IOV interfaces, but they
> could be put in promiscuous mode.  KVM's Private Virtual Networking
> didn't work, and the software bridge driver in the host could have
> exploitable flaws. 
> 
> Wondering what best practice is for KVM DMZ isolation?  (And I'm
> probably not the only one here)

I personally use the software bridge.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
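
As an added illustration of the column layout Tom points to above (these lines are not from the thread or from the Shorewall project), assuming the three-interface layout of the howto with eth0 facing the WAN, eth1 carrying the LAN zone loc and eth2 carrying the DMZ zone dmz, the snat and rules entries that let 192.168.1.0/24 reach the DMZ host at 10.1.111.30 over ssh with no NAT between the two internal networks:

```text
# /etc/shorewall/snat  -- columns: ACTION  SOURCE  DEST  PROTO  DPORT
# Only the two internal networks masquerade behind the WAN interface.
# No entry translates loc -> dmz; ordinary routing plus a rule is enough.
# Interface names eth0/eth1/eth2 are assumed for this example.
#ACTION          SOURCE            DEST    PROTO   DPORT
MASQUERADE       192.168.1.0/24    eth0
MASQUERADE       10.1.111.0/24     eth0

# The line from the thread, kept here for contrast and left commented out:
# DEST holds an address where an interface name is required, and 'ssh' sits
# in the PROTO column, which is why the service name was not recognised.
#SNAT(10.1.111.3) 192.168.1.2      10.1.111.2       ssh

# /etc/shorewall/rules -- columns: ACTION  SOURCE  DEST  PROTO  DPORT
# Allow the LAN zone to open SSH sessions to the single DMZ host.
#ACTION          SOURCE   DEST               PROTO   DPORT
ACCEPT           loc      dmz:10.1.111.30    tcp     22
```

Running `shorewall check` after editing reports column errors such as the one above before the configuration is loaded.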
