Virtual firewall to protect hypervisor

manutenfruits asked:

I am running an Ubuntu Server 12.10 as a single host connected to a NATed router, which is connected using PPPoE to an optical fiber modem. This server is meant to be accessed from the Internet, but also to be used from the LAN as an SVN, MySQL and what not…

The issue is that the router is not customizable enough to serve, so I was thinking about creating a virtual pfSense firewall using KVM inside of the server itself, removing the need for the router. Is this possible? Can the host ignore and block all traffic coming to itself, but not for the firewall?

I am aware this is not the most desirable environment; I accept suggestions based on budget!

My answer:

Yes, you can run a firewall as a virtual machine within this environment.

Before doing so, I’d ideally like to see a couple of NICs dedicated to the firewall VM (SR-IOV is nice, try it!) and additional security such as sVirt running at the hypervisor level to protect VMs from each other.

See also Hardware firewall vs VMware firewall appliance for further discussion.
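To make the two recommendations concrete, here is a libvirt domain fragment for the firewall guest, added as an illustration (it is not from the original post, nor from the pfSense or libvirt projects): both NICs are SR-IOV virtual functions passed straight through, so the Ubuntu host never has an interface on the WAN side to be attacked, and sVirt labels the guest so it is confined from any other VMs. The VM name, PCI addresses and MAC addresses are placeholders.

```xml
<!-- Added example (not from the original post): libvirt domain fragment for a
     pfSense guest on KVM. The WAN side is an SR-IOV virtual function handed
     straight to the guest, so the Ubuntu host never owns that NIC and cannot
     receive traffic on it. The LAN side is a second VF facing the internal
     network. All addresses below are placeholders. -->
<domain type='kvm'>
  <name>pfsense-fw</name>              <!-- placeholder VM name -->
  <memory unit='MiB'>1024</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
  </os>
  <devices>
    <!-- WAN: VF at placeholder PCI address 0000:03:10.0.
         managed='yes' lets libvirt detach it from the host driver at start
         and rebind it when the guest stops. -->
    <interface type='hostdev' managed='yes'>
      <mac address='52:54:00:aa:bb:01'/>  <!-- constructed MAC -->
      <source>
        <address type='pci' domain='0x0000' bus='0x03' slot='0x10' function='0x0'/>
      </source>
    </interface>
    <!-- LAN: second VF (placeholder address 0000:03:10.1). -->
    <interface type='hostdev' managed='yes'>
      <mac address='52:54:00:aa:bb:02'/>  <!-- constructed MAC -->
      <source>
        <address type='pci' domain='0x0000' bus='0x03' slot='0x10' function='0x1'/>
      </source>
    </interface>
  </devices>
  <!-- sVirt: libvirt assigns this guest its own dynamic label so the
       hypervisor confines it from other VMs. Ubuntu 12.10 ships the
       AppArmor backend; on an SELinux host use model='selinux'. -->
  <seclabel type='dynamic' model='apparmor'/>
</domain>
```

With the WAN VF owned by the guest, the host keeps only its LAN address and has no interface, IP or route on the Internet-facing link; `virsh dumpxml pfsense-fw` on the running guest shows the label sVirt actually applied.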

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.