Hi everyone!
All in one: I need to set up a router, PF and all else it takes to secure a FreeBSD GNOME desktop. I am running FreeBSD 10.0 GNOME desktop. I have VirtualBox installed running Windows XP. I have never done much beyond keeping an eye on both without any true technical know-how.
As of now, I have everything running perfectly like it was since 8.2. It’s high time that I address any and all possible security issues for this foundation which is the desktop, and the latter a web server running a few jails.
- Is it possible to run a FreeBSD desktop as a router to jails and Virtualbox very securely?
To elaborate; I never use the FreeBSD desktop applications to surf the web. I don't need or want any web connections made possible to any program running under FreeBSD GNOME desktop or FreeBSD by itself. In other words, I want all packets to bypass the FreeBSD desktop (other than what has to be done by the router and PF) and go only to Virtualbox and/or jails and back again.
I read that an internet connection on a FreeBSD desktop is more vulnerable than on a raw FreeBSD server. This makes sense because any desktop can be full of holes. It’s easier to replace a VDI file or jail than the entire hosting desktop system in front of it.
I don’t know much about sockets but if that is what it takes to bypass the desktop gateway, straight to the router, straight to the PF, then to VirtualBox and jails, that is what I want to do, or something like it. Hope you can word this better in your mind to understand what I am trying to say.
The only connection I want for the FreeBSD desktop is the SSH connection for FreeBSD updates and such, and absolutely nothing else should be capable of stopping by to probe the desktop.
- How would I do this?
- Could someone provide the complete router scripts and application needed?
- What PF rules are to be used?
- In the end would it be fairly safe to run at full production from a fairly trusted co-location?
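A pf.conf sketch of the policy described above, added here as an illustration and not taken from the post or any reply: the host accepts only SSH for itself, makes no connections of its own beyond fetching updates, and otherwise just NATs and forwards for the jails and the VirtualBox guest. It assumes em0 as the uplink, jails on a cloned loopback lo1 in 10.0.0.0/24, the guest on a VirtualBox host-only interface vboxnet0 with a static address in 192.168.56.0/24, and 203.0.113.0/24 as the admin network allowed to SSH in; all of these are placeholders.

```pf
# Added example (not from the post). Interfaces and addresses are assumed:
ext_if   = "em0"              # uplink
jail_if  = "lo1"              # cloned loopback carrying the jail addresses
vm_if    = "vboxnet0"         # VirtualBox host-only interface
jail_net = "10.0.0.0/24"
vm_net   = "192.168.56.0/24"
admin_net = "203.0.113.0/24"  # placeholder: where SSH logins may come from
web_jail  = "10.0.0.10"       # placeholder: jail that serves the web site

table <bruteforce> persist    # filled by the SSH rule's overload clause

set block-policy drop
set skip on lo0
scrub in all

# Translation rules (must precede filter rules in this PF version).
# Jails and the VM leave through the host's address; the host itself does not.
nat on $ext_if from { $jail_net, $vm_net } to any -> ($ext_if)
# Publish the jailed web server; nothing else on the uplink is redirected.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_jail port 80

# Default deny, logged, in every direction on every interface.
block log all
antispoof quick for $ext_if
block in quick on $ext_if from <bruteforce>

# Host management: SSH only, only from the admin network, with a connection
# rate limit that drops repeat offenders into <bruteforce>.
pass in quick on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state (max-src-conn-rate 5/60, overload <bruteforce> flush)

# The host's own outbound traffic: only what freebsd-update and pkg need
# (DNS plus HTTP/HTTPS to the mirrors). Everything else from the host is dropped.
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any \
    port { 53, 80, 443 } keep state

# Jails and the VM may not probe the host's SSH port from the inside.
block in quick on { $jail_if, $vm_if } proto tcp to port 22

# Forwarded traffic: jails and the VM talk out, and the redirected web
# traffic reaches the web jail. State created here covers the replies.
pass in quick on { $jail_if, $vm_if } from { $jail_net, $vm_net } to any keep state
pass in quick on $ext_if proto tcp from any to $web_jail port 80 \
    flags S/SA keep state
pass out quick on $ext_if from { $jail_net, $vm_net } to any keep state
```

Forwarding between interfaces also needs gateway_enable="YES" in rc.conf (net.inet.ip.forwarding=1), and the guest must use a host-only adapter rather than VirtualBox NAT mode, because NAT-mode connections originate from the host's own stack and would be dropped by the host's outbound rule.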