[BBLISA] Advice on a firewall Virtual Appliance

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Fri May 31 17:11:01 EDT 2013


> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Aaron Macks
> 
> I'm going to be setting up a small stand-alone virtual environment soon.
> My instinct is to make a VM based on iptables and ipmasq to act as a
> gateway/firewall for the rest of the VMs, but it occurs to me that there
> may now be better virtual firewalls out there.  Note that it doesn't
> have to be a virtual appliance that just gets uploaded and booted,
> something installable is fine, but I want something more specialized
> than plain Linux.  Does anyone have any suggestions?

Be aware that, for a security device, you're not supposed to run it as a VM, just because you might be vulnerable to hypervisor attacks and so forth.  But as long as you take that into consideration - I do it myself.

I recommend and use pfSense.  (There are others out there, such as monowall, which I think pfsense is based on, but I prefer pfsense over monowall.)


> Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not
> acceptable), port forwarding, NAT, other normal firewall stuff

For site-to-site, the IPSec is present, and ideal.  For mobile connectivity, IPsec can be used ... but it's not ideal due to the complexity of configuring clients, and the difficulty of finding good clients.  For mobile connectivity, I would say look at openvpn instead of (or in addition to) the ipsec mobilevpn solution.  It's SSL based.  In pfSense, you can install the openvpn plugin (I forget what it's called exactly, but if you just look under the installable modules page, you should find it easily.)  Then with a few clicks on the web interface, you create your CA, you create some users, create certs for those users, and download the per-user config files and cert files needed by the openvpn client or tunnelblick.
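The per-user OpenVPN profile the reply describes is only as strong as the directives inside it. The following is an added example, not code from the thread or from the pfSense project: a small stdlib-only Python linter that parses an exported client profile (including the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` sections a web-UI export typically contains) and reports the settings a defender would want to see before handing the file to a user. The two sample profiles are constructed, with placeholder PEM bodies, and the finding codes are this example's own naming.

```python
"""Lint an OpenVPN client profile (.ovpn) for the settings that keep a
per-user, certificate-based SSL VPN safe to distribute (added example)."""
import re

# Constructed sample profiles; the PEM bodies are placeholders, not real keys.
SAMPLE_OK = """\
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-USER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-USER-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

SAMPLE_WEAK = """\
client
dev tun
proto udp
remote vpn.example.com 1194
auth-user-pass
cipher BF-CBC
auth MD5
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
"""

# Ciphers and HMAC algorithms that should never appear in a new profile.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_AUTH = {"none", "md4", "md5"}


def parse_ovpn(text):
    """Return (directives, inline_blocks).

    directives: list of (name, [args]) in file order.
    inline_blocks: dict mapping a section name such as 'ca' to its body.
    """
    directives, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([a-z0-9-]+)>", line)
        if tag:
            if tag.group(1) == "":          # opening tag, e.g. <ca>
                current, body = tag.group(2), []
            else:                            # closing tag, e.g. </ca>
                blocks[current] = "\n".join(body)
                current = None
            continue
        if current is not None:
            body.append(line)                # PEM/static-key lines
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def lint_ovpn(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    directives, blocks = parse_ovpn(text)
    names = {name for name, _ in directives}
    args = dict(directives)                  # last occurrence of a directive wins
    findings = []

    def present(name):                       # directive form or inline block form
        return name in names or name in blocks

    if not present("ca"):
        findings.append(("NO_CA", "no CA certificate: the server cannot be verified"))
    if not (present("cert") and present("key")) and "pkcs12" not in names:
        findings.append(("NO_CLIENT_CERT",
                         "no per-user certificate/key: authentication rests on a password alone"))
    if args.get("remote-cert-tls") != ["server"] and args.get("ns-cert-type") != ["server"]:
        findings.append(("NO_REMOTE_CERT_TLS",
                         "missing 'remote-cert-tls server': any client cert from the CA could pose as the server"))
    if not any(present(n) for n in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("NO_TLS_AUTH",
                         "no tls-auth/tls-crypt key: the TLS handshake is exposed to unauthenticated peers"))
    if "cipher" in args and args["cipher"] and args["cipher"][0].lower() in WEAK_CIPHERS:
        findings.append(("WEAK_CIPHER", f"weak data cipher {args['cipher'][0]}"))
    if "auth" in args and args["auth"] and args["auth"][0].lower() in WEAK_AUTH:
        findings.append(("WEAK_AUTH", f"weak HMAC digest {args['auth'][0]}"))
    return findings


if __name__ == "__main__":
    for label, profile in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, lint_ovpn(profile) or "clean")
```

Run it against the `.ovpn` a user would receive; the `remote-cert-tls server` and `tls-auth` checks are the ones most often missing from hand-edited profiles, and `NO_CLIENT_CERT` is the signal that a profile was exported without the per-user certificate the reply's workflow is meant to produce.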