SmartOS Firewall

SmartOS Global Zone

This is the /usbkey/config file, the main networking config. It is well commented, so it should not need much explanation here.

# This file was auto-generated then edited by the King and must be source-able
##### SmartOS networking: is this correct logic? will this work ??? #####
# admin_nic internal IP for administering SmartOS; ssh will need to be port forwarded through the firewall in order to access SmartOS
# external_nic outside/inet interface; it should be noted that the admin_nic and external_nic have the same MAC and are the same physical NIC in this setup
# vswitch0 is an etherstub, which is a virtual switch used to plug in vnics, i.e. the firewall and the vms all plug into the same switch
## NOTE all vms, including the firewall, using vswitch0 will have a vnic created, a MAC generated and the IP assigned from the json using dhcp
##### Creating firewall #####
# /opt/json/kvm-firewall-1.json uses external_nic for inet and vswitch0 to share with the vms, as all vms will be using a nic_tag of vswitch0
# The firewall will nat/route/firewall/utm/cache/account between external_nic and vswitch0
##### Creating vms #####
# Using vswitch0 as a nic_tag, smartos creates a vnic, generates a MAC and assigns the IP given in the json file using dhcp; it also plugs the vnic into vswitch0, the same switch as the firewall
##### Thanks, these docs are some of what helped me understand
# http://www.scalingbits.com/solaris/11/pvn/rootzoneconfig
# http://wiki.smartos.org/display/DOC/NAT+using+Etherstubs
# ??? admin_nic is the nic admin_ip will be connected to for headnode zones.
admin_nic=aa:bb:cc:dd:ee:ff
admin_ip=10.1.0.1
admin_netmask=255.255.255.0
admin_network=...
admin_gateway=10.1.0.254
# ??? headnode_default_gateway=204.244.122.129
# external_nic is inet
external_nic=aa:bb:cc:dd:ee:ff
external0_ip=x.y.z.out
external0_netmask=255.255.255.224
external0_gateway=x.y.z.gate
# These are the virtual switches tagged in the firewall json and all vms
etherstub="vswitch0,vswitch1"
dns_resolvers=8.8.8.8,8.8.4.4
dns_domain=computerking.ca
ntp_hosts=pool.ntp.org
compute_node_ntp_hosts=x.y.z.out
# dell_nic is the nic attached to the older Dell r410 NOT WORKING WHY?
dell_nic=0:25:90:e9:c:5
dell0_ip=10.0.0.5
dell0_netmask=255.0.0.0
dell0_gateway=10.254.254.254

Firewall vm

This file can be found on my system at /opt/json/kvm-firewall-1.json and contains the configuration needed to build a virtual software firewall; it is created with the first command below. The next two commands start the newly created firewall KVM from an ISO image file: the ISO is copied into the zone's root filesystem, because the cdrom= path given to vmadm boot is relative to that root.

# vmadm create -f /opt/json/kvm-firewall-1.json
# cp /opt/iso/asg-9.201-25.1.iso /zones/b8ab5fc1-8576-45ef-bb51-9826b52a4651/root/
# vmadm boot b8ab5fc1-8576-45ef-bb51-9826b52a4651 order=cd,once=d cdrom=/asg-9.201-25.1.iso,ide

Here are the contents of kvm-firewall-1.json

{
  "hostname": "firewall-1.computerking.ca",
  "alias": "firewall-1",
  "autoboot": true,
  "brand": "kvm",
  "vnc_port": "40000",
  "ram": "2048",
  "vcpus": "1",
  "resolvers": [
    "8.8.8.8",
    "8.8.4.4"
  ],
  "disks": [
    {
      "boot": true,
      "model": "virtio",
      "size": 40960
    }
  ],
  "nics": [
    {
      "nic_tag": "external",
      "model": "virtio",
      "ip": "x.y.z.out",
      "netmask": "255.255.255.224",
      "gateway": "x.y.z.gate",
      "allow_ip_spoofing": "1",
      "primary": true
    },
    {
      "nic_tag": "vswitch0",
      "model": "virtio",
      "ip": "10.1.0.254",
      "netmask": "255.255.255.0",
      "gateway": "10.1.0.254",
      "allow_ip_spoofing": "1"
    }
  ]
}
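The /usbkey/config comments above describe a topology with several moving parts (NIC tags, the etherstub list, the firewall's inside address doubling as admin_gateway, and allow_ip_spoofing on the router's vnics), and a mismatch between that file and the kvm json only shows up when vmadm create fails or the global zone loses its route. The following pre-flight checker is an added example, not part of the original post; it runs in the global zone before vmadm create and cross-checks the two files. It assumes the layouts shown above: "<tag>_nic=<mac>" lines define NIC tags, etherstub= is a comma-separated list, and the json's "nics" entries carry nic_tag, ip and allow_ip_spoofing on their own lines. The sample files it writes are constructed for the demo and are not the author's real config.

```shell
#!/usr/bin/env bash
# check_fw_config.sh: pre-flight check of /usbkey/config against a vmadm KVM
# json before "vmadm create". Added example, not part of the original post.
# Assumed file layouts: "<tag>_nic=<mac>" lines define NIC tags, etherstub=
# is a comma-separated list of virtual switches, and the json "nics" array
# has one key per line (nic_tag / ip / allow_ip_spoofing).

# Print every value of "<KEY>": "<value>" in FILE, one per line (no jq needed).
json_values() {  # usage: json_values FILE KEY
    grep -o "\"$2\": *\"[^\"]*\"" "$1" | sed 's/.*: *"\(.*\)"/\1/'
}

# Status 0 when every nic_tag in JSON is a tag the global zone defines and the
# VM owns the admin gateway address; status 1 otherwise. The body is a
# subshell, so sourcing CFG does not leak variables into the caller.
check_firewall_config() (
    set +e
    cfg=$1; json=$2; rc=0

    # 1. The config must be source-able, as its own header demands.
    . "$cfg" || { echo "FAIL: $cfg is not source-able"; exit 1; }

    # 2. Tags the global zone knows: each "<tag>_nic=" line names a physical
    #    NIC tag, etherstub= names the virtual switches.
    nic_tags=$(sed -n 's/^[[:space:]]*\([A-Za-z0-9]*\)_nic=.*/\1/p' "$cfg" | tr '\n' ' ')
    stub_tags=$(printf '%s' "${etherstub:-}" | tr ',' ' ')
    known=" $nic_tags $stub_tags "

    # 3. Every nic_tag in the json must be one of those, or vmadm create fails.
    for tag in $(json_values "$json" nic_tag); do
        case "$known" in
            *" $tag "*) echo "ok:   nic_tag $tag is defined in $cfg" ;;
            *) echo "FAIL: nic_tag $tag is neither a NIC tag nor an etherstub"; rc=1 ;;
        esac
    done

    # 4. The firewall's inside NIC must hold admin_gateway, or the global
    #    zone's own traffic never reaches the firewall.
    if [ -n "${admin_gateway:-}" ] && json_values "$json" ip | grep -qx "$admin_gateway"; then
        echo "ok:   VM owns admin_gateway $admin_gateway"
    else
        echo "FAIL: no NIC in $json has ip ${admin_gateway:-<unset>} (admin_gateway)"; rc=1
    fi

    # 5. allow_ip_spoofing switches off the vnic's source-address filter. A
    #    router needs it on both NICs; an ordinary VM's json should not carry it.
    n=$(json_values "$json" allow_ip_spoofing | grep -c '^1$')
    echo "note: $n NIC(s) with allow_ip_spoofing=1 (a router VM needs 2, other VMs 0)"
    exit "$rc"   # leaves only the subshell; becomes the function's status
)

# Constructed sample inputs shaped like the files above (not the author's
# real ones) so the script runs offline.  usage: write_samples DIR
write_samples() {
    cat > "$1/config" <<'EOF'
admin_nic=aa:bb:cc:dd:ee:ff
admin_ip=10.1.0.1
admin_netmask=255.255.255.0
admin_gateway=10.1.0.254
external_nic=aa:bb:cc:dd:ee:ff
etherstub="vswitch0,vswitch1"
dell_nic=0:25:90:e9:c:5
EOF
    cat > "$1/fw.json" <<'EOF'
{ "brand": "kvm", "nics": [
  { "nic_tag": "external", "ip": "203.0.113.10", "allow_ip_spoofing": "1", "primary": true },
  { "nic_tag": "vswitch0", "ip": "10.1.0.254", "gateway": "10.1.0.254", "allow_ip_spoofing": "1" }
] }
EOF
    # A json still using the "stub0" tag from the old, abandoned config.
    cat > "$1/bad.json" <<'EOF'
{ "brand": "kvm", "nics": [ { "nic_tag": "stub0", "ip": "10.1.0.200" } ] }
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    check_firewall_config "$d/config" "$d/fw.json"
    echo "--- json with a stale nic_tag:"
    check_firewall_config "$d/config" "$d/bad.json" || echo "rejected (status $?)"
    rm -rf "$d"
}
demo
```

Against the real files the call is check_firewall_config /usbkey/config /opt/json/kvm-firewall-1.json. Because the json is read with grep rather than a JSON parser, the checker only understands the flat one-key-per-line layout used above; a json with nested objects that reuse the key names would need the json tool or jq instead. Sourcing the config in step 1 is also what catches quoting mistakes such as curly quotes around the etherstub list, since they become part of the tag names and step 3 then rejects every VM that uses them.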

OLD not working stuff

/usbkey/config

# This file was auto-generated and must be source-able by bash but then edited by the King.

# admin_nic is the nic admin_ip will be connected to for headnode zones.
admin_nic=aa:bb:cc:dd:ee:ff
admin_ip=x.y.z.out
admin_netmask=255.255.255.224
admin_network=…
admin_gateway=x.y.z.gate

headnode_default_gateway=x.y.z.gate

# This is required for COAL; I tried fake but it did not work
external_nic=aa:bb:cc:dd:ee:ff
external0_ip=10.1.0.200
external0_netmask=255.255.255.0
external0_gateway=10.1.0.254

etherstub="stub0,stub1"

dns_resolvers=8.8.8.8,8.8.4.4
dns_domain=computerking.ca

ntp_hosts=pool.ntp.org
compute_node_ntp_hosts=x.y.z.out

# This is going to be the external router nic
#fake_nic=0:25:90:e9:c:4
#fake0_ip=10.1.0.200
#fake0_netmask=255.255.255.0
#fake0_gateway=10.1.0.1

#coal=true

# dell_nic is the nic attached to the older Dell r410
dell_nic=0:25:90:e9:c:5
dell0_ip=10.0.0.5
dell0_netmask=255.0.0.0
dell0_gateway=10.254.254.254
