Re: [pfSense-discussion] xen aware pfsense.
Point taken, but it wouldn't be "adding [file | virtual | foo] server features", it would only be "pfsense --> VT".

I'm no security expert, by any stretch of the imagination. I would have expected that the suggested addition of a dom0 would/could be fully protected, due to dom0 sitting behind pfsense, thus making the point of security a moot point.

But then again, I'm no security expert.

On Thu, Jan 29, 2009 at 10:00 AM, RB wrote:
> On Wed, Jan 28, 2009 at 15:31, pfsense sense wrote:
> > Ignoring the lack of Xen dom0 support in FreeBSD for a moment, of course.
>
> I definitely misunderstood your original post, my apologies. That
> being said, there isn't and doesn't soon look to be much motion within
> FreeBSD to provide dom0 support; even Linux hasn't had a recent kernel
> supporting it since 2.6.18, and the release scheduled for 2.6.29 may
> actually be pushed back to 2.6.30. Beyond that, it seems only
> qemu+kqemu has made it into the BSD space, which doesn't leave many
> good options for running pfSense as the root of a virtualized system.
> The general response I see from the FBSD camp to root-virtualization
> requests is "man 8 jail". NetBSD has recent dom0 support, but
> switching to that isn't very likely.
>
> Adrian has a good point - pfSense is a network security platform, and
> adding [file | virtual | foo] server features will only serve to
> dilute the focus and create superfluous support issues. Greg had
> another good point - multiple parallel pfSense instances like VDOM &
> VSYS might be the way to go, but serving as a general hosting platform
> far exceeds the purpose of pfSense.
>
> -
> To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
> For additional commands, e-mail: discussion-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] xen aware pfsense.
Ignoring the lack of Xen dom0 support in FreeBSD for a moment, of course.

On Thu, Jan 29, 2009 at 9:13 AM, pfsense sense wrote:
> "multiple concurrent PFSense instances"
>
> No, you have also missed my point... I'm not interested in virtualizing
> "pfsense".
> My idea was to "provide" VT options, a dom0, "alongside" pfsense... as it
> is available in Linux.
>
>                              | OS --> service (file)
> cloud --> pfsense --> VT --> | OS --> service (mail)
>                              | OS --> service (database)
>
> On Wed, Jan 28, 2009 at 7:38 PM, Greg Hennessy wrote:
>
>> As the others have said, it depends on what you mean by 'integrate'
>>
>> Ignoring the lack of Xen dom0 support in FreeBSD for a moment.
>> Utilising VT technology to deliver physical as well as logical isolation
>> of multiple concurrent PFSense instances in a manner analogous to
>>
>> Fortinet VDOM : http://kc.forticare.com/default.asp?id=2065&Lang=1&SID=
>>
>> or
>>
>> Juniper VSYS :
>> http://www.juniper.net/solutions/literature/white_papers/200103.pdf
>>
>> Does have a certain attraction from a managed service perspective.
>>
>> Hosting applications within domUs running on PFSense. A complete waste of
>> time.
>>
>> Greg
>>
>> --
>> *From:* pfsense sense [pfse...@kavadas.org]
>> *Sent:* 28 January 2009 00:42
>> *To:* discussion@pfsense.com
>> *Subject:* [pfSense-discussion] xen aware pfsense.
>>
>> Has anyone considered the possibility of integrating xen with pfsense?
>>
>> I might be losing my mind, but wouldn't it be nice to have a pfsense
>> running on hardware and a virtualization environment that allows us to install
>> our OS's of choice perfectly protected behind pfsense?
>>
>> Does anyone else think it's a good idea?
Re: [pfSense-discussion] xen aware pfsense.
"multiple concurrent PFSense instances"

No, you have also missed my point... I'm not interested in virtualizing "pfsense".
My idea was to "provide" VT options, a dom0, "alongside" pfsense... as it is available in Linux.

                             | OS --> service (file)
cloud --> pfsense --> VT --> | OS --> service (mail)
                             | OS --> service (database)

On Wed, Jan 28, 2009 at 7:38 PM, Greg Hennessy wrote:
> As the others have said, it depends on what you mean by 'integrate'
>
> Ignoring the lack of Xen dom0 support in FreeBSD for a moment.
> Utilising VT technology to deliver physical as well as logical isolation of
> multiple concurrent PFSense instances in a manner analogous to
>
> Fortinet VDOM : http://kc.forticare.com/default.asp?id=2065&Lang=1&SID=
>
> or
>
> Juniper VSYS :
> http://www.juniper.net/solutions/literature/white_papers/200103.pdf
>
> Does have a certain attraction from a managed service perspective.
>
> Hosting applications within domUs running on PFSense. A complete waste of
> time.
>
> Greg
>
> --
> *From:* pfsense sense [pfse...@kavadas.org]
> *Sent:* 28 January 2009 00:42
> *To:* discussion@pfsense.com
> *Subject:* [pfSense-discussion] xen aware pfsense.
>
> Has anyone considered the possibility of integrating xen with pfsense?
>
> I might be losing my mind, but wouldn't it be nice to have a pfsense
> running on hardware and a virtualization environment that allows us to install
> our OS's of choice perfectly protected behind pfsense?
>
> Does anyone else think it's a good idea?
Re: [pfSense-discussion] xen aware pfsense.
I'm not suggesting pfsense be run inside a VM, I am suggesting pfsense provide VM functionality.

I'm fully aware of the VM's shortcomings, I manage a 14TB ESX cluster.

Let me say that again... I am suggesting pfsense provide VM functionality:

"cloud --> pfsense --> os --> service"

On Wed, Jan 28, 2009 at 2:03 PM, RB wrote:
> On Tue, Jan 27, 2009 at 17:42, pfsense sense wrote:
> > Has anyone considered the possibility of integrating xen with pfsense?
> >
> > I might be losing my mind, but wouldn't it be nice to have a pfsense running
> > on hardware and a virtualization environment that allows us to install our
> > OS's of choice perfectly protected behind pfsense?
> >
> > Does anyone else think it's a good idea?
>
> Regardless of what virtual appliance vendors would like to tell you,
> network security solutions aren't particularly well-suited for
> virtualization. Response times will never be as good as those on the
> raw hardware, and there are more subtle concerns with the added
> complexity, particularly in failover situations. Even more
> disconcerting is exposing the hypervisor within which the rest of your
> presumably sensitive infrastructure runs to edge security concerns.
>
> That said, there's nothing stopping you from running on an HVM-aware
> solution - I personally use Linux KVM on a Phenom 98xx, and Xen has at
> least some HVM support.
[pfSense-discussion] xen aware pfsense.
Has anyone considered the possibility of integrating xen with pfsense?

I might be losing my mind, but wouldn't it be nice to have a pfsense running on hardware and a virtualization environment that allows us to install our OS's of choice perfectly protected behind pfsense?

Does anyone else think it's a good idea?