----- "Roland Giesler" <[EMAIL PROTECTED]> wrote:
> On 23/07/07, Jeff Schmidt <[EMAIL PROTECTED]> wrote:
> > Roland Giesler wrote:
> > > Is it possible to start a VMware or Xen client inside pfSense?
> > perhaps you've worded that backwards?
> > assuming so; yes, you can run pfSense inside vmware. doubtful that it
> > would work in Xen.
> 
> No, I didn't word it backwards.  I'd like to build a firewall that
> also hosts a spamfilter / mailserver and maybe some other things.  But
> the firewall must be the primary or host OS, since part of the object of
> having a firewall would be defeated if the firewall is not the primary
> point of entry from outside the network, right?

Not necessarily.  It would probably be best to have one OS dedicated to running 
the VMs, and then have your guests for firewall, spam filter, etc.  This way, 
you're not combining multiple functions in one OS, and upgrading any one of 
them is as easy as possible.  On the host OS, let's assume Linux, you would 
just set up iptables to block everything from the outside to the host's IP.  
This won't affect the guests, and your only setback will be the processing 
cost of virtualization (unless you're switching packets over a high speed 
connection, you probably won't notice... which I assume is the case, otherwise 
you'd have dedicated hardware for all of your services).


> 
> I guess what I'm really asking is, can another program be started and
> run from inside pfSense?  Much in the way that I could start something
> in FreeBSD?  I suspect the ability to do this is limited by the
> configuration of pfSense as it is with m0n0wall.
> 
> Alternatively, if I run a debian box for example, and used that as a
> Xen host, I could run a VM for pfSense, one for a mail server, another
> for a proxy/cache, etc.  but that may be inefficient, since I could
> just be running one machine to do that all.  Problem is that then I
> would have the very powerful and easy to use interface of pfSense to
> run the firewall part and I want that without having to install two
> boxes.

Virtualization comes at a cost, and running three VMs, especially when one is a 
mail server, would require some decent hardware.  You know your situation best, 
but the cost of one beefy box to run it all, or two lesser boxes, may be close. 
The big advantage in this case is that using VMs would separate the different 
software services, possibly all distributed as packages, making them easier to 
admin and update.  No worries about conflicting libs or ports, and you also add 
ease of migration should your one beefy box get bogged down, and you want to 
move the mail server to another, dedicated VM host.


> 
> comments?
> 
> thanks
> 
> -- 
> Roland Giesler
> Green Tree Systems cc, Stellenbosch, South Africa
> Mobile: 072-450-2817   http://www.thegreentree.za.net
> 
> Shop online at http://www.digitalplanet.co.za/?AID=497

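As an added example of the host-side rule set the reply above describes (this is not code from the original thread or from the pfSense project), here is a small POSIX shell script that emits iptables rules for a Linux VM host whose guests (the pfSense firewall, the mail server, etc.) are bridged to the NICs. The interface names, the management network and the host address are assumptions; the host is assumed to have an address only on the inside bridge, with the pfSense guest owning the outside-facing interface. The script prints the rules rather than applying them, so they can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a Linux VM host.
# All interface names and addresses below are assumptions; adjust to your box.
WAN_IF="${WAN_IF:-eth0}"                # outside NIC/bridge, used by the pfSense guest
LAN_IF="${LAN_IF:-br0}"                 # inside bridge the host itself has an address on
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"  # where admin SSH sessions come from
HOST_IP="${HOST_IP:-192.168.1.2}"       # the host's own address on LAN_IF

# Emit the rule set instead of applying it: review first, then
#   ./host-fw.sh | sh        (as root)
host_fw_rules() {
    cat <<EOF
# The host is not a router for the guests; pfSense is.
sysctl -w net.ipv4.ip_forward=0
iptables -F INPUT
iptables -F FORWARD
# Nothing reaches the host itself unless explicitly allowed below.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Admin access only from the inside network, only to the host's own address.
iptables -A INPUT -i $LAN_IF -s $MGMT_NET -d $HOST_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Anything arriving on the outside interface for the host is logged (rate limited) and dropped.
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "host-wan-drop: "
iptables -A INPUT -i $WAN_IF -j DROP
# Frames switched between the NICs and the guests only traverse FORWARD when
# br_netfilter is loaded; let those through so the guests are unaffected, and
# refuse routed forwarding, which the host should never do.
iptables -P FORWARD DROP
iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
EOF
}

# Print the rules; pass "apply" to execute them directly (needs root).
if [ "${1:-}" = "apply" ]; then
    host_fw_rules | sh
else
    host_fw_rules
fi
```

The stricter variant, and the one worth preferring where the hardware allows it, is to give the host no address at all on the outside-facing bridge: then there is nothing for outside traffic to target and the WAN rules above become defence in depth rather than the only barrier.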