Firewall on physical host node

Saahib Host Rep, Veteran
edited February 2013 in Help

I am doing some reading around, but I guess it's best to get help and precise information. I am in the process of setting up OpenVZ-based virtualization on a dedicated server, and now I need to know what kind of firewall will work on it.
I see 3 options:
1. Hardware firewall
2. Firewall on host only
3. Firewall on each container.

The first option is not viable, as I am not looking to spend a lot on it; it's only for my own usage.

In the second option, is it possible to configure a firewall on the host node so that it serves like a hardware firewall sitting in front of each container?

Third option: install their own firewall in each node and make sure the host node has the required iptables modules.

So which one is preferred? Of course, when I set up a dedicated box or VPS, I simply resort to CSF and it works great, but what should be used on the host node for a firewall?

Comments

  • @Saahib said: I see 3 options:

    1. Hardware firewall
    2. Firewall on host only
    3. Firewall on each container.

    2 and 3 are mostly useless. It'll have to be done at the network/router/switch level.

    What exactly are you trying to do here? Prevent what?

  • Invest in a Cisco firewall, then deploy a ClearOS machine attached to the Cisco. Don't buy lame-ass TP-Link products if you are going to host/serve third-party customers.

  • Saahib Host Rep, Veteran

    A hardware firewall is not an option here at the moment, as I am not selling any VPS etc., but I still need to make sure my host node is somewhat safer.

  • CSF on the host, DDoS Deflate, and an IP scanner/monitor to autoblock.

    better than nothing.

  • jarjar Patron Provider, Top Host, Veteran

    iptables on the host node is fine. It's far more capable than people give it credit for. Of course it's not going to sustain a big DDoS attack, but at budget level not much will.

  • Doh! I neglected to mention iptables :) But it's a requirement and the underbelly of most everything anyway.

  • Invest in Cisco ASA for <£1K.

  • jhjh Member

    @Jacob said: Invest in Cisco ASA for <£1K.

    The ones that have 100 Mbit ports?

  • @jhadley you can get an ASA 5510 for £500-£800; it has 500 Mbps throughput, and I'm pretty sure expansions are available.

    Or grab an EdgeMax; the PPS on them is amazing, and it's basically Vyatta.

  • geekalot Member
    edited February 2013

    iptables (Shorewall or FireHOL, maybe CSF or others) on Host node is fine.

    I have been playing with Shorewall on a Proxmox host and it works very well, protecting everything. Add to that an IDS like Fail2ban (blocking or nullrouting IPs, not just ports).

    Kind of redundant, but you can also run iptables on the VMs too ... but there would really have to be a good reason to double-firewall it in this way.

  • Saahib Host Rep, Veteran

    Well, I am inclined towards CSF, but on the other hand, all I need to do is close all ports and open the SSH port (which I have defined), and it should work fine?

    Btw, if OpenVZ is running in venet mode, and there are 100 connections on Container1 and 100 connections on Container2, will the firewall count them as 200 connections on eth0 of the HW node?

  • jarjar Patron Provider, Top Host, Veteran

    @Saahib said: Well, I am inclined towards CSF, but on the other hand, all I need to do is close all ports and open the SSH port (which I have defined), and it should work fine?

    Keep in mind your containers need to get traffic in and out.
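
A host-node ruleset along the lines jarjar and geekalot describe, added here as an example for this thread (it is not code posted by anyone in it): the host's own INPUT chain is closed except for SSH, while container traffic is handled in FORWARD. In venet mode packets to container IPs are routed through the host, so the host's iptables sees them in FORWARD, not INPUT, which also answers the "200 connections on eth0" question: each container's limit is tracked separately, and the host's INPUT rules never see those connections at all. The interface names, SSH port, connection cap and the two container addresses are assumptions; the script only prints an iptables-restore file and does not touch the running firewall.

```sh
#!/bin/sh
# Added example for this thread, not code from any poster: emit an iptables-restore
# ruleset for an OpenVZ host node whose containers use venet.
# Usage:  sh hostfw.sh > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
# The script itself only prints text; nothing here changes the running firewall.
#
# Assumptions (change to taste): the public NIC is eth0, container traffic leaves the
# host via venet0, SSH listens on SSH_PORT, and CT_IPS lists the container addresses.
# The two addresses below are constructed sample values from the 203.0.113.0/24
# documentation range, not real container IPs (take yours from `vzlist -a`).

SSH_PORT="${SSH_PORT:-2222}"
WAN_IF="${WAN_IF:-eth0}"
CT_IF="${CT_IF:-venet0}"
CT_IPS="${CT_IPS:-203.0.113.11 203.0.113.12}"
CT_CONN_LIMIT="${CT_CONN_LIMIT:-100}"   # max simultaneous inbound TCP conns per container

gen_ruleset() {
    printf '%s\n' '*filter'
    # Default-deny both for traffic to the host itself and for routed (container) traffic.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # --- Host node: "close all ports, open SSH" ---
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    # Anything else aimed at the host's own addresses (e.g. port-80 probes) falls
    # through to the INPUT DROP policy.

    # --- Containers: venet packets are routed, so they traverse FORWARD, not INPUT ---
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state INVALID -j DROP'
    for ip in $CT_IPS; do
        # Per-container cap: --connlimit-mask 0 folds every client into one bucket, so
        # the count is "connections to this container", not "per client IP". Each rule
        # keeps its own counter, so 100 to one container plus 100 to another is never
        # summed into 200 anywhere.
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $CT_IF -d $ip -p tcp --syn -m connlimit --connlimit-above $CT_CONN_LIMIT --connlimit-mask 0 -j REJECT --reject-with tcp-reset"
        # Inbound to the container's services, and outbound from the container.
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $CT_IF -d $ip -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $CT_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Helper for sanity checks: number of per-container limit rules in the generated set.
count_limit_rules() {
    gen_ruleset | grep -c -- '--connlimit-above'
}

gen_ruleset
```

Review the output before loading it, and load it from a console session the first time: a DROP policy on INPUT with the wrong SSH_PORT locks you out of the host. If you later want the containers to firewall themselves instead, the FORWARD accepts stay as they are and the per-container connlimit rules can simply be dropped; the host's INPUT rules are independent of that decision.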

  • Saahib Host Rep, Veteran

    Well, messing around...
    I have isolated the host node from the containers, so now the host node has nothing to do with the containers; they are supposed to handle their firewall themselves.

    One interesting thing: this host node has nothing on it, but Google is trying to access its main IP on port 80 already.
