Well, I hear of people running pfSense in a VM, and I wonder how do you avoid exposing the host OS to the network? How can a firewall be run in a VM and not leave the host OS hanging out to be attacked? Or, go the other way and put the VM in the FreeBSD used by pfSense since there is plenty of excess CPU and memory to do the trick. Only getting vmware to run on pfSense FreeBSD might be difficult (I haven't actually tried it) given the very few pieces of FreeBSD that are present in a pfSense environment.
Yes, I agree that having a jabber server on the firewall is less secure than not having a jabber server, but I question it being less secure than having it on my internal server. If it is on the pfSense box and becomes compromised, the hacker will need pfSense skills to get any further, then they will need an additional set of skills to get at my primary servers. If I open the ports that the jabber server uses, then they have access to my primary servers via the jabber server software because the firewall is permitting connections into and out of the network on those ports. Admittedly running log digesting software increases the attack surface if those programs actually use networking services, but if they are self-contained, the attack surface doesn't change. Adding a website (like say the pfSense PHP website interface) increases my exposure as well, but yet we do it to facilitate easy configuration..... If this analysis is wrong, please someone point out where it is wrong. This assumes that the jabber server only opens the ports for XMPP and nothing else, no management ports etc.....

-----Original Message-----
From: Pandu Poluan [mailto:[email protected]]
Sent: Thursday, February 03, 2011 12:21 AM
To: [email protected]
Subject: Re: [pfSense Support] Can anyone build a 1.2.3 ISO?

I agree with Jim. A firewall box should be exclusively a firewall, no matter how 'stout' it is. More components == more attack surface area. Not to mention the intricacies of interaction that might bollix the firewall's mechanisms in a non-repeatable way.

Better to put all analysis packages in another box, which may be realized as a Linux box, which Mark is more comfortable with. Or, you can also save on boxes by installing the analysis mechanisms as a VM, either through KVM or XenServer. Admittedly, the latter requires you to reformat a box, but IMO more stable because it does not have to rely on the stability of the Dom0 Linux.

Just my 2 cents.
Rgds,

On 2011-02-03, Jim Pingle <[email protected]> wrote:
> On 2/2/2011 11:35 AM, Mark Jones wrote:
>> The Beta label on 2.0 is holding us back. (Also, last night I tried building 2.0 on 8.1 and it failed, but I don't even see any errors, nor do I know where they are squirreled away.) We are running on 7.2 with 1.2.3 and it works. What we are trying to do is add java and openfire so that we can run our IM client/setup on the pfsense box.
>>
>> The fact that portsnap isn't available to do that is a severe problem for us (or maybe it just keeps us from shooting our own foot). Is there some webpage that points out HOW to build an addon for pfsense so that we could do a private addon for java and openfire?
>>
>> I'd also like to move our log analysis/display tool to the pfsense box. It reads snort logs and squid proxy logs and tries to present a coherent view of what has happened yesterday. Right now it's almost pre-alpha and requires we suck the logs off the box and do the work elsewhere. We have a very stout box we are devoting to pfsense so it can carry this load. Any pointers on how you do this would be much appreciated.
>>
>> I can't find any pages that talk about how to build/package an addon for pfsense. This doesn't give any hints as to how to pull it off
>> http://doc.pfsense.org/index.php/Packages#Specific_Package_Information
>>
>> PS: the code we use to display the logs is based on Django and runs in python (mod_wsgi, or mod_python), so that would be the next hurdle....
>
> Sounds like a lot of stuff that doesn't belong on a firewall ;-)
>
> You don't need to build on a firewall, use the ports system on a full 7.2 box and just run "make package-recursive" in the ports you want, then copy the resulting .tbz files to the pfsense box and add them with pkg_add.
>
> It's just like building packages for any FreeBSD system.
>
> You should really be pushing the logs off the firewall and onto a dedicated box for that. You really want the firewall to be a firewall, not a general purpose box.
>
> Though if you want to install all of that, you will be shooting yourself in the foot in one way or another, so you'll be on your own there.
>
> You might at least look into the jailctl package so you can at least segregate this stuff off into an area that is isolated from the main firewall (and incidentally, you can get make and friends working inside of a jail) - though I would still caution against doing any of the things you're suggesting on a production firewall. It's an easy way to turn a secure, stable firewall into an insecure, unstable "one-box-fits-all" device.
>
> Jim
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
>

--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
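As an added illustration (not from anyone in this thread) of the assumption Mark's analysis rests on and of Jim's jail suggestion, here is a pf ruleset that pins a jailed Openfire instance to the XMPP ports and nothing else. It assumes the jail has the constructed address 192.0.2.10 and that clients reach it directly rather than through NAT; pfSense regenerates its ruleset from the web GUI, so on a real box these would be entered as GUI rules rather than pasted into pf.conf.

```pf
# Added illustration, not from the thread. The jail running Openfire is
# assumed to have the constructed address 192.0.2.10.
jail_ip    = "192.0.2.10"
xmpp_ports = "{ 5222, 5269 }"   # 5222 = client-to-server, 5269 = server-to-server

# Inbound: clients and federated XMPP servers may reach the two XMPP
# ports only. No management port on the jail is reachable.
pass in quick proto tcp from any to $jail_ip port $xmpp_ports \
    flags S/SA keep state

# Outbound from the jail: only what federation needs, i.e. server-to-server
# XMPP to peers and DNS lookups for their hostnames.
pass out quick proto tcp from $jail_ip to any port 5269 \
    flags S/SA keep state
pass out quick proto { tcp, udp } from $jail_ip to any port 53 keep state

# Everything else touching the jail address is dropped and logged, so a
# compromised jail cannot reach the internal servers or the firewall's own
# management interface. 'quick' makes these first-match, so they must come
# after the pass rules above.
block log quick from $jail_ip to any
block log quick from any to $jail_ip
```

The logged blocks are the detection side of this: any hit on the last two rules means the jail tried something outside the XMPP assumption and is worth a look.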
