volt150 n00b
Joined: 15 May 2018 Posts: 11
Posted: Sat Jun 02, 2018 4:06 pm Post subject: Security/Procedure feedback request virtualized environment
Hello,
I have a Gentoo machine I am using as a virtualization host with QEMU/KVM, and virtual network interfaces. I would like your feedback on my process/procedures and any security issues that you might see. This machine will be directly connected to the net and I do not have the knowledge to speak with certainty at this time.
Dell PowerEdge R710 - 4 physical network interfaces eno1 - eno4
Gentoo Profile: default/linux/amd64/17.0 (stable)
Kernel Version: 4.9.95
PfSense is providing NAT, Firewall, DNS, and DHCP.
Here is a network diagram of what exists right now:
https://imgur.com/MTMgXJh
netifrc configuration:
Code:
#set the dns_domain_lo variable to the selected domain name
dns_domain_lo="homenetwork"
config_eno1="null"
config_eno2="null"
config_eno3="null"
config_eno4="dhcp"
# Future Reference Notes
## 1) Remember that each tap and bridge interface needs to have a symlink to
## net.lo in /etc/init.d/net.lo, and placed in /etc/init.d/
## 2) Each physical interface also needs to have a symlink
# Bridges
## Wan Bridge
### This bridge is primarily used to connect WAN to Pfsense
### Naturally only needs 1 physical and 1 TAP
#### This port is connected to a modem in bridge mode, which means it still
#### has dhcp enabled. PfSense will send a dhcp request and be given an IP
#### through this switch
tuntap_wanbridgetap1="tap"
config_wanbridgetap1="null"
iproute2_wanbridgetap1="group kvm"
bridge_wanbridge="eno1 wanbridgetap1"
config_wanbridge="null"
rc_net_wanbridge_need="net.eno1 net.wanbridgetap1"
bridge_forward_delay_wanbridge=0
bridge_hello_time_wanbridge=1000
## DMZ Switch
### The virtual systems behind this bridge will be accessible from
### the internet
### Currently this needs 4 taps
tuntap_dmzbridgetap1="tap"
tuntap_dmzbridgetap2="tap"
tuntap_dmzbridgetap3="tap"
tuntap_dmzbridgetap4="tap"
config_dmzbridgetap1="null"
config_dmzbridgetap2="null"
config_dmzbridgetap3="null"
config_dmzbridgetap4="null"
iproute2_dmzbridgetap1="group kvm"
iproute2_dmzbridgetap2="group kvm"
iproute2_dmzbridgetap3="group kvm"
iproute2_dmzbridgetap4="group kvm"
bridge_dmzbridge="dmzbridgetap1 dmzbridgetap2 dmzbridgetap3 dmzbridgetap4"
config_dmzbridge="null"
rc_net_dmzbridge_need="net.dmzbridgetap1 net.dmzbridgetap2 net.dmzbridgetap3 net.dmzbridgetap4"
bridge_forward_delay_dmzbridge=0
bridge_hello_time_dmzbridge=1000
## Local Switch
### Systems behind this switch are not accessible from the internet
### Currently requires 1 physical and 7 taps
tuntap_locbridgetap1="tap"
tuntap_locbridgetap2="tap"
tuntap_locbridgetap3="tap"
tuntap_locbridgetap4="tap"
tuntap_locbridgetap5="tap"
tuntap_locbridgetap6="tap"
tuntap_locbridgetap7="tap"
config_locbridgetap1="null"
config_locbridgetap2="null"
config_locbridgetap3="null"
config_locbridgetap4="null"
config_locbridgetap5="null"
config_locbridgetap6="null"
config_locbridgetap7="null"
iproute2_locbridgetap1="group kvm"
iproute2_locbridgetap2="group kvm"
iproute2_locbridgetap3="group kvm"
iproute2_locbridgetap4="group kvm"
iproute2_locbridgetap5="group kvm"
iproute2_locbridgetap6="group kvm"
iproute2_locbridgetap7="group kvm"
bridge_locbridge="eno2 locbridgetap1 locbridgetap2 locbridgetap3 locbridgetap4 locbridgetap5 locbridgetap6 locbridgetap7"
config_locbridge="null"
rc_net_locbridge_need="net.eno2 net.locbridgetap1 net.locbridgetap2 net.locbridgetap3 net.locbridgetap4 net.locbridgetap5 net.locbridgetap6 net.locbridgetap7"
bridge_forward_delay_locbridge=0
bridge_hello_time_locbridge=1000
## Windows Switch
### This switch is used for windows machines and any supporting systems
### Currently requires 1 physical and 1 tap
tuntap_winbridgetap1="tap"
config_winbridgetap1="null"
iproute2_winbridgetap1="group kvm"
bridge_winbridge="eno3 winbridgetap1"
config_winbridge="null"
rc_net_winbridge_need="net.eno3 net.winbridgetap1"
bridge_forward_delay_winbridge=0
bridge_hello_time_winbridge=1000
[EDIT]
QEMU/KVM is using the e1000 network driver for the guest OS.
[/EDIT]
No other configuration has been done.
My primary concern is keeping the host secure. I think what worries me the most is that the bridges and taps are not physical. I do not know what they are doing underneath, or how/whether they have any implications for the host, where a configuration mistake might cost me in security.
Would you change anything? Add anything?
PfSense rules are not within the scope of this post.
I thank you for your time.
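As an added example (not part of the post and not a netifrc tool), a small POSIX-shell check that reads a netifrc fragment laid out like the one above and flags the kind of mistake the poster is worried about: a bridge or one of its enslaved ports (NIC or tap) carrying a host address (config_* not "null"), or a member left out of rc_net_*_need. SAMPLE_CONF is constructed: wanbridge mirrors the post's layout, badbridge is deliberately broken in two places.

```shell
#!/bin/sh
# Constructed netifrc fragment (not the poster's file): "wanbridge" mirrors the post, "badbridge" breaks two rules.
SAMPLE_CONF='
config_eno1="null"
tuntap_wanbridgetap1="tap"
config_wanbridgetap1="null"
bridge_wanbridge="eno1 wanbridgetap1"
config_wanbridge="null"
rc_net_wanbridge_need="net.eno1 net.wanbridgetap1"
bridge_forward_delay_wanbridge=0
config_eno2="dhcp"
tuntap_badbridgetap1="tap"
config_badbridgetap1="null"
bridge_badbridge="eno2 badbridgetap1"
config_badbridge="null"
rc_net_badbridge_need="net.eno2"
'

# conf_get <config-text> <var>: the quoted value of var="..." (last definition wins, as in the shell).
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\(.*\\)\"\$/\\1/p" | tail -n 1
}

# check_bridges <config-text>: prints one line per finding and returns the finding count (0 = clean).
check_bridges() {
    conf="$1"; findings=0
    for br in $(printf '%s\n' "$conf" | sed -n 's/^bridge_\([A-Za-z0-9_]*\)=.*/\1/p'); do
        # Skip netifrc bridge tuning knobs such as bridge_forward_delay_X and bridge_hello_time_X.
        case "$br" in
            forward_delay_*|hello_time_*|stp_state_*|max_age_*|priority_*|ageing_time_*) continue ;;
        esac
        # Rule 1: the host must not take an address on the bridge itself (it is a switch for guests).
        [ "$(conf_get "$conf" "config_$br")" = "null" ] || {
            echo "$br: config_$br is not \"null\""; findings=$((findings + 1)); }
        for m in $(conf_get "$conf" "bridge_$br"); do
            # Rule 2: no enslaved port may carry a host address either (a stray dhcp here exposes the host).
            [ "$(conf_get "$conf" "config_$m")" = "null" ] || {
                echo "$br: member $m has config_$m not \"null\""; findings=$((findings + 1)); }
            # Rule 3: every member must be a dependency so the bridge waits for its ports at boot.
            case " $(conf_get "$conf" "rc_net_${br}_need") " in
                *" net.$m "*) ;;
                *) echo "$br: member $m missing from rc_net_${br}_need"; findings=$((findings + 1)) ;;
            esac
        done
    done
    return "$findings"
}
check_bridges "$SAMPLE_CONF" || echo "$? finding(s)"
```

Point it at a real file with `check_bridges "$(cat /etc/conf.d/net)"`; on the configuration in the post it should report nothing.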