Linux KVM and the virtual firewall

KVM offers a slew of opportunities for home or business and a feature set that is ever growing.  Some setups can be more complex than others, and incorporating a virtual firewall in to your existing KVM guests pushes the boundaries.

Internet --- KVM host
             virtual firewall -- virtual hosts (internal) -- physical virtual host

The design is a little atypical as it consolidates a physical firewall in to the same pool of systems as internal hosts that wish to remain secure, but with care this can be done entirely securely.  For this to work, the KVM host must have two NICs.

From personal experience, ipCop, pfSense, and ClearOS were the firewalls to consider.  Requirements are (1) stable and (2) easy to administer by even the most novice user, which translates to (2a) a web interface.

ipCop has been around for a long while and works well.  However, it requires nightly reboots (yuck) and is not as easy to administer.  Thus, it was chosen to skip over ipCop as a KVM guest firewall.

pfSense is an excellent firewall and tends to play somewhat well as a KVM firewall.  FreeBSD 7 (what pfSense is based off of) does not have native support as a KVM guest, though, and won’t take advantage of virtio without some tinkering.  Regardless, it is simple plug and play and a heck of a workhorse.  However, enter in some extreme loads of traffic (torrent, anyone?), and pfSense frequently locks up.  This was the same experience when running as a hardware firewall, yet all postings out there make this situation sound like an anomaly that should never exist.

ClearOS appears promising with its slick interface and linux kernel support as a native guest.  With it being based off of RHEL 5.2, its kernel is somewhat older (2.6.18 as of this writing) and its KVM support is limited, but it is there.  It worked right out of the box and was simple to configure.  The deal breaker on this one is that it cannot port forward to other KVM guests on the same KVM host.  This is a bit of a mystery and rather odd!

KVM is the way to go.  For now, stay within the mold, though.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.