Matthew Sullenberger <sully () sadburger ! com> wrote at 2010-12-21 18:22:48:

> I've been playing with OpenBSD for a little while now, and really love it
> when I need to throw together a quick firewall, web server, dhcp server,
> etc. I've got one firewall that I've been using for a little while now,
> OpenBSD 4.6, running on a VMWare ESXi box. It normally performs fine, and it
> is doing some NAT and firewall functions with PF. I've pushed quite a few
> packets through it and am impressed with the performance I am able to get
> out of it.
>
> However, it seems like roughly every 2-3 weeks, I'll experience an issue
> with it where it will stop responding. I can still ping the machine, but it
> won't forward any packets, accept SSH connections, or respond to basically
> anything. If I check on my VMWare host machine it is showing 100% cpu
> utilization, and I am unable to access the console directly through VMWare.
>
> Performing a reset through VMWare fixes it and it runs fine again, for a few
> weeks, until the same problem occurs. After resetting the box I check out
> all the log files but I have never been able to see anything that even
> remotely seems relevant to what could have been happening. I know of no way
> to see what processes are running and eating up the cpu when this occurs,
> since I can't get it to respond to anything. I am hoping someone may be able
> to help point me in the right steps of where to begin troubleshooting this--
> I am a fairly experienced Windows admin, but still pretty new to the BSD
> world, but am trying my best to adopt it wherever possible!
>
> Thanks in advance!
I don't think you will find many here who will not recommend against **ever** running **any** firewall as a hosted application in the strongest terms. It is probably the very worst application of all to run in a virtual machine. This is because the one machine that you are leaving wholly exposed to attack is the ESXi host that the firewall is on: everything has to come through it to get to the "firewall" machine in the first place.

Which doesn't answer the initial question, but I will not be surprised if most of the devs think that this issue is more pressing than the initial question.

--
Ed Ahlsen-Girard