For this example I will only show how to enable full inbound and outbound access through the bridge with PF; I won't be including any other firewall rules.
I will assume that VMWare ESX 3.5 is already installed and the VMWare Infrastructure Client is also connected to the host.
There are some requirements to meet before we get started.
We will be using three Virtual Switches and two physical NICs.
Virtual Switch: vSwitch0 is bound to vmnic0 and only bound to the Service Console Port.
Virtual Switch: vSwitch1 is bound to vmnic1 and has a Virtual Machine Port Group named External Network assigned to it.
Virtual Switch: vSwitch2 has no NIC bound to it and has a Virtual Machine Port Group named Internal Network assigned to it.
The next step is very important.
On each of your Internal Network and External Network vSwitches click on Properties.
Click vSwitch and click Edit. Click the Security tab.
Set the Promiscuous Mode: field to Accept.
If this step hasn't been done then data will not pass between virtual switches.
Once the above has been done we can proceed with the installation of OpenBSD.
Create a new Virtual Machine with a 1GB disk.
Mount the OpenBSD 4.2 .iso any way you please and boot to it.
Reference the OpenBSD FAQ for more detailed install instructions.
Install to disk sd0.
Use all of disk for install.
Under the Disk Label:
Type: d a to delete any existing partition.
Type: a a to create a partition of 65M with the 4.2BSD FS Type and the mount point of /
Type: a b to create a partition of 1M with swap as the FS Type
Type: a d to create a partition of 256M with the 4.2BSD FS Type and the mount point of /var
Type: a e to create a partition of remaining size with the 4.2BSD FS Type and the mount point of /usr
Ok, Done with partitioning.
Set your hostname and domain name.
Create your password.
I added the bsd.mp package and removed the game42.tgz package from my installation.
To remove the game42.tgz package use the command: -game42.tgz during installation.
Since this is going to be an IPless firewall we will not start SSHD.
Set any other option you want and finish installing and reboot.
Login as root.
vi /etc/rc.conf
change sendmail_flags=NO
change inetd=NO
change pf=YES
Save /etc/rc.conf and exit
vi /etc/sysctl.conf
Enable kern.emul.freebsd=1
Save /etc/sysctl.conf and exit
Mount your VMWare FreeBSD Tools .iso
Make sure each of these commands is on a single line.
mount /dev/cd0c /mnt
tar -xzf /mnt/vmware-freebsd-tools.tar.gz -C /tmp
mkdir -p /emul/freebsd/sbin
install -m 555 -o root -g wheel /tmp/vmware-tools-distrib/lib/sbin32/vmware-guestd /emul/freebsd/sbin
cp -r /tmp/vmware-tools-distrib/etc /etc/vmware-tools
vi /etc/rc.local
Add the following script.
if [ -x /emul/freebsd/sbin/vmware-guestd ]; then
    echo -n ' vmware-tools'
    /emul/freebsd/sbin/vmware-guestd --background /var/run/vmware-guestd.pid --halt-command "/sbin/shutdown -p -h now" --reboot-command "/sbin/shutdown -r now"
fi
vi /var/cron/tabs/root
Add
ROOTBACKUP=0
underneath HOME=/var/log
Comment out the sendmail line.
Type the following command to create the bridge.
echo up > /etc/hostname.pcn0
echo up > /etc/hostname.pcn1
echo add pcn0 > /etc/bridgename.bridge0
echo add pcn1 >> /etc/bridgename.bridge0
echo blocknonip pcn0 >> /etc/bridgename.bridge0
echo blocknonip pcn1 >> /etc/bridgename.bridge0
echo up >> /etc/bridgename.bridge0
echo pass in all > /etc/pf.conf
echo pass out all >> /etc/pf.conf
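The bridge configuration above, generalized to any number of member interfaces, as an added example that is not part of the original post. `gen_bridge_config` and `check_bridge_config` are hypothetical helpers; the root-directory argument lets the files be staged and inspected on another machine before they are copied to /etc on the firewall. The pf.conf it writes mirrors the post's pass-all ruleset, and the check confirms that every member added to the bridge also carries a blocknonip line, which is easy to miss when a third NIC is added later.

```shell
#!/bin/sh
# Added example (not from the original post). Stages the OpenBSD bridge
# configuration for N member interfaces under a chosen root so it can be
# reviewed before it goes to /etc on the firewall.
# Hypothetical helpers: gen_bridge_config, check_bridge_config.

gen_bridge_config() {
    # usage: gen_bridge_config <root> <bridge> <if1> <if2> [ifN ...]
    root=$1
    bridge=$2
    shift 2
    mkdir -p "$root/etc"
    brfile="$root/etc/bridgename.$bridge"
    : > "$brfile"
    for ifn in "$@"; do
        # "up" with no address keeps the member interfaces IP-less
        echo up > "$root/etc/hostname.$ifn"
        echo "add $ifn" >> "$brfile"
    done
    for ifn in "$@"; do
        # blocknonip: only IP, ARP and RARP frames cross this member
        echo "blocknonip $ifn" >> "$brfile"
    done
    echo up >> "$brfile"
    # same permissive ruleset as the post; replace with your real policy
    printf 'pass in all\npass out all\n' > "$root/etc/pf.conf"
}

check_bridge_config() {
    # usage: check_bridge_config <bridgename file>
    # succeeds only if every "add" member has a matching blocknonip line
    # and the bridge is brought up
    brfile=$1
    for ifn in $(awk '$1 == "add" { print $2 }' "$brfile"); do
        grep -q "^blocknonip $ifn\$" "$brfile" || return 1
    done
    grep -q '^up$' "$brfile"
}

# stand-alone demo into a scratch directory (set CONF_ROOT=/ on the firewall)
if [ "${CONF_ROOT:-}" = "" ]; then
    CONF_ROOT=$(mktemp -d)
fi
gen_bridge_config "$CONF_ROOT" bridge0 pcn0 pcn1
check_bridge_config "$CONF_ROOT/etc/bridgename.bridge0" && echo "bridge config staged under $CONF_ROOT"
```

Run it once without CONF_ROOT to see the generated files in a temporary directory, diff them against what is on the firewall, and only then copy them into /etc. The hostname.if files are written per member so a forgotten interface shows up as a missing file rather than a silent gap in the bridge.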
Reboot!
You should now have a fully functioning bridge with VMWare tools installed. All that is left is to choose how you want to configure your firewall rules.
Note: I had some confusion as to whether or not to enable "net.inet.ip.forwarding". I have finally discovered that it does not need to be enabled.