Linux KVM and the virtual firewall

KVM offers a slew of opportunities for home or business and a feature set that is ever growing.  Some setups can be more complex than others, and incorporating a virtual firewall into your existing KVM guests pushes the boundaries.


Internet --- KVM host
             virtual firewall -- virtual hosts (internal) -- physical virtual host

The design is a little atypical, as it consolidates what would be a physical firewall into the same pool of systems as the internal hosts it is meant to protect, but with care this can be done entirely securely.  For this to work, the KVM host must have two NICs.

From personal experience, ipCop, pfSense, and ClearOS were the firewalls to consider.  Requirements are (1) stable and (2) easy to administer by even the most novice user, which translates to (2a) a web interface.

ipCop has been around for a long while and works well.  However, it requires nightly reboots (yuck) and is not as easy to administer.  Thus, ipCop was skipped as a KVM guest firewall.

pfSense is an excellent firewall and tends to play somewhat well as a KVM guest.  FreeBSD 7 (which pfSense is based on) has no native support for running as a KVM guest, though, and won’t take advantage of virtio without some tinkering.  Regardless, it is simple plug and play and a heck of a workhorse.  However, put it under some extreme traffic loads (torrents, anyone?) and pfSense frequently locks up.  The same thing happened when running it as a hardware firewall, yet every posting out there makes this situation sound like an anomaly that should never exist.

ClearOS appears promising with its slick interface and, being Linux-based, kernel support for running as a native KVM guest.  Since it is based on RHEL 5.2, its kernel is somewhat older (2.6.18 as of this writing) and its KVM support is limited, but it is there.  It worked right out of the box and was simple to configure.  The deal breaker is that it cannot port forward to other KVM guests on the same KVM host.  This is a bit of a mystery and rather odd!

KVM is the way to go.  For now, though, stay within the mold.

Converting an ext3 file system to ext4

(adapted from https://ext4.wiki.kernel.org/index.php/Ext4_Howto#Converting_an_ext3_filesystem_to_ext4)

Assuming you have enabled ext3 on your filesystem via:

# tune2fs -j /dev/DEV

It is very easy to then enable the ext4 features on an existing ext3 filesystem, using the command:

# tune2fs -O extents,uninit_bg,dir_index /dev/DEV

WARNING: Once you run this command, the filesystem will no longer be mountable using the ext3 filesystem!

After running this command (specifically, after setting the uninit_bg parameter), you MUST run fsck to fix up some on-disk structures that tune2fs has modified:

# e2fsck -fDC0 /dev/DEV

Be sure to update your /etc/fstab accordingly! And, if you perform this update on an ext3 root file system, BE AWARE that you may have to jump through some hoops to get this to work. Many modern distributions boot from a ram disk, and it is likely that ext4 is not in that ram disk. You will have to rebuild your ram disk in order to boot your system.
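The steps above wrapped in a script with the checks you want before touching a real disk (an added example, not code from the original post or from the ext4 wiki): it refuses to run on a mounted filesystem, treats an e2fsck exit status above 1 as a stop signal, rewrites only the type column of the matching /etc/fstab line while keeping a backup, and offers a heuristic for the ram-disk caveat. It assumes a Linux host with e2fsprogs; /dev/sda1 and the initrd path in the usage note are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post: wraps the tune2fs/e2fsck
# steps above with the checks a practitioner wants before touching a real disk.
# Assumes a Linux host with e2fsprogs; device and initramfs paths are placeholders.

# Enable the ext4 features on an existing ext3 filesystem and run the mandatory fsck.
ext3_to_ext4() {
  dev=$1
  # tune2fs and e2fsck must run on an unmounted filesystem.
  if grep -qs "^$dev " /proc/mounts; then
    echo "$dev is mounted; unmount it or boot rescue media first" >&2
    return 1
  fi
  # Sanity check: the device should already carry an ext3 journal (tune2fs -j).
  tune2fs -l "$dev" | grep -q has_journal || { echo "$dev: no journal, run tune2fs -j first" >&2; return 1; }
  tune2fs -O extents,uninit_bg,dir_index "$dev" || return 1
  # Required after uninit_bg: -f force, -D optimise directories, -C0 progress bar.
  # e2fsck exit 0 = clean, 1 = errors corrected; anything higher means stop and investigate.
  e2fsck -fDC0 "$dev"; [ $? -le 1 ]
}

# Change the type column for device $2 from ext3 to ext4 in the fstab file $1, keeping a .bak copy.
ext4_fstab_update() {
  fstab=$1 dev=$2
  cp "$fstab" "$fstab.bak" || return 1
  sed -E "s|^(${dev}[[:space:]]+[^[:space:]]+[[:space:]]+)ext3([[:space:]])|\1ext4\2|" \
    "$fstab" > "$fstab.new" && mv "$fstab.new" "$fstab"
}

# Root-filesystem caveat: the ram disk must be able to mount ext4, or the box will not boot.
# Heuristic: ext4 built into the running kernel, or an ext4 module listed inside the image.
initramfs_has_ext4() {
  image=$1
  grep -q ext4 "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null && return 0
  if command -v lsinitramfs >/dev/null 2>&1; then
    lsinitramfs "$image" | grep -q ext4       # Debian/Ubuntu initramfs-tools
  elif command -v lsinitrd >/dev/null 2>&1; then
    lsinitrd "$image" | grep -q ext4          # dracut (RHEL/Fedora)
  else
    return 2
  fi
}

if [ "$#" -eq 1 ]; then
  ext3_to_ext4 "$1" && ext4_fstab_update /etc/fstab "$1"
fi
```

Run it as `sh convert.sh /dev/DEV` from rescue media, then check `initramfs_has_ext4 /boot/initrd.img-$(uname -r)` (path varies by distribution) before rebooting a converted root filesystem.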