The NDC Logical Firewall Under VMware

The NDC Logical Firewall can run under VMware including the Free VMware Player. This can be most easily accomplished by using one of the two pre-configured virtual machines offered below.

With VMware, the host PC can be running either Windows or Linux and one host PC can run any number of distinct Logical Firewalls subject only to CPU, RAM, and disk limitations of the host. In addition to the disk space required to install VMware Player, allow about 600MB for the first Logical Firewall and 100MB for each additional one. (This assumes both the CDROM and floppy drives are mapped to files on the host OS so no physical devices on the host are required or consumed). Also allow about 100MB of RAM per firewall.

The VMware Free Player license agreement seems to say that this use is permitted as long as the host PC is "not a server" and as long as benchmark results aren't published without VMware's permission. The latter prevents quantifying the substantial performance hit you can expect running Gibraltar as a guest on a Windows PC compared to running it native, but I think I can say performance should still be sufficient for most users. (I think the performance hit is less with Linux as the host OS.)

Also, speaking of performance, if you notice exceptionally bad network throughput FROM a Linux host to/through one of its virtual machine clients, try disabling TCP Segmentation Offload (TSO) with "ethtool -K eth0 tso off". I found that necessary for VMware Workstation 5.5.3 running under Fedora Core 6.
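The TSO workaround above, as an added example that is not from the original page: a POSIX shell script that reads the current TSO state from "ethtool -k" output, disables it with the command given in the text, and then re-reads the state to confirm the change took effect. The interface name is a parameter (eth0 in the text); the parser accepts both the older "tcp segmentation offload:" spelling and the newer "tcp-segmentation-offload:" spelling of the ethtool line.

```shell
#!/bin/sh
# Added example, not from the original page: inspect and disable TCP
# Segmentation Offload (TSO) on a Linux host interface with ethtool.

# Read "ethtool -k <iface>" output on stdin and print the TSO state:
# "on", "off", or "unknown" if the line is absent. Older ethtool prints
# "tcp segmentation offload: on"; newer versions print
# "tcp-segmentation-offload: on" and may append "[fixed]".
tso_state_from_output() {
    awk '
        /^tcp[- ]segmentation[- ]offload:/ {
            state = ($NF == "[fixed]") ? $(NF - 1) : $NF
            print state
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# TSO state of a live interface (needs ethtool installed).
tso_state() {
    ethtool -k "$1" 2>/dev/null | tso_state_from_output
}

# Disable TSO on the interface (needs root) and confirm by re-reading
# the state rather than trusting the exit status alone.
tso_disable() {
    ethtool -K "$1" tso off || return 1
    [ "$(tso_state "$1")" = "off" ]
}

# Usage: sh tso-off.sh eth0
if [ $# -eq 1 ]; then
    before=$(tso_state "$1")
    echo "$1: tso is $before"
    if [ "$before" = "on" ]; then
        tso_disable "$1" && echo "$1: tso is now off"
    fi
fi
```

Note that ethtool settings do not survive a reboot or a driver reload, so once the change is confirmed to help, re-run it from whatever network start-up hook your distribution provides.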

Here are a few possible applications for an LFW on VMware:

  1. As a firewall for your office machines which needs no extra space, power or wiring and makes no extra noise.
  2. As a temporary firewall for use when building new machines (or in an emergency).
  3. As a way of using Linux networking tools to monitor a Windows PC's traffic (from the same switch port).
  4. To save money on hardware if performance needs are modest.
  5. As a personal, non-authenticating outbound email relay.

I should also point out that the protection offered by a Logical Firewall running under VMware (on an uncompromised host) is exactly the same as that offered by the firewall running on real hardware -- even to the physical host running VMware or to other VMware clients. For example, a Windows host and other Windows guests can all be protected as clients of a Logical Firewall running under VMware on the same physical PC.

Using a Pre-Configured Virtual Machine

Assuming you have already installed the VMware software you will be using, follow the steps below to bring up a Logical Firewall under VMware.

(Once your Gibraltar system is up and configured, you should connect to it via ssh just as if it were real hardware. Pasting output of the rule generator into the VMware console is untested.)

Configuration 1: Using your PC's Real CDROM and Floppy Drives

This uses the least hard-drive space on your host PC and has setup instructions nearly identical to those documented for real hardware, but it will tie up your CDROM and floppy drive while the LFW runs.

  1. Download and extract (unzip) Virtual Machine Configuration 1 into a new folder on your PC.

  2. Follow steps #1-2 of Obtaining and Configuring Gibraltar but skip step #3 (the virtual BIOS is pre-configured).

  3. In step #4, insert the bootable Gibraltar CDROM disc into the CDROM drive and boot the virtual machine. On Windows this is done by double-clicking the "Virtual-Machine.vmx" file. The remainder of the instructions for Obtaining and Configuring Gibraltar should apply unchanged.

Configuration 2: Using Files on the Host PC as CDROM and Floppy Drives

This uses about 500MB more hard-drive space on your host PC and has slightly different setup instructions but it will not need your real CDROM or floppy drives and will therefore permit multiple Logical Firewalls to run simultaneously on the same physical host PC.

Note: to simplify the process of getting a current copy of "uw-setup" into a virtual machine without a real floppy drive, the following steps require the host PC to be connected (at least temporarily) to the internet on a network with DHCP enabled. (Most subnets at UW meet this requirement.)

  1. Download and extract (unzip) Virtual Machine Configuration 2 into a new folder on your PC.

  2. Follow step #1 of Obtaining and Configuring Gibraltar but instead of burning the uncompressed ISO image to a CDROM, copy it to the folder which CONTAINS the new folder with your virtual machine. Name it "gibraltar.iso".

    (Just so this is completely clear, if you created the new folder on your desktop, copy gibraltar.iso to your desktop, NOT into the new folder. This allows multiple virtual machines to share the same large "gibraltar.iso" file.)

  3. Skip steps #2-3 and follow steps #4-6 of Obtaining and Configuring Gibraltar but in step #4 boot the virtual machine. On Windows this is done by double-clicking the "Virtual-Machine.vmx" file.

  4. Type "mount /dev/fd1 /mnt && /mnt/get-uw-setup"

  5. Assuming "get-uw-setup" reported success, you can now resume Obtaining and Configuring Gibraltar at step #8 but in step #9, there is no need to insert a blank floppy as a virtual one is already inserted. The remainder of the instructions should apply unchanged.
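The folder layout that Configuration 2 depends on (step 2 above), checked from the host before booting, as an added example that is not part of the original page or of the pre-configured virtual machine: a POSIX shell script that takes the virtual-machine folder as its argument, confirms "gibraltar.iso" sits in the folder that contains it, and specifically reports the mistake the note warns about (the ISO copied into the VM folder itself). The file names "gibraltar.iso" and "Virtual-Machine.vmx" come from the page; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original page: check the on-disk layout that
# Configuration 2 expects before starting the virtual machine.
# Assumes the VM folder holds Virtual-Machine.vmx and that gibraltar.iso must
# live in the folder that CONTAINS the VM folder (so several VMs can share it).

ISO_NAME=gibraltar.iso
VMX_NAME=Virtual-Machine.vmx

# Print the path where the ISO is expected for the given VM folder.
expected_iso_path() {
    printf '%s/%s\n' "$(dirname "$1")" "$ISO_NAME"
}

# Check the layout for one VM folder.
# Returns 0 when correct, 1 when something is missing, and 2 when the ISO was
# copied into the VM folder instead of its parent (the mistake the page warns about).
check_layout() {
    vmdir=$1
    iso=$(expected_iso_path "$vmdir")

    if [ ! -d "$vmdir" ]; then
        echo "not a directory: $vmdir" >&2
        return 1
    fi
    if [ ! -f "$vmdir/$VMX_NAME" ]; then
        echo "missing $vmdir/$VMX_NAME (unzip Virtual Machine Configuration 2 here)" >&2
        return 1
    fi
    if [ -f "$vmdir/$ISO_NAME" ] && [ ! -f "$iso" ]; then
        echo "$ISO_NAME is inside the VM folder; move it to $(dirname "$vmdir")" >&2
        return 2
    fi
    if [ ! -f "$iso" ]; then
        echo "missing $iso (copy the uncompressed ISO there)" >&2
        return 1
    fi
    echo "ok: $vmdir will boot from $iso"
    return 0
}

# Usage: sh check-vm-layout.sh /path/to/vm-folder
if [ $# -eq 1 ]; then
    check_layout "$1"
fi
```

Because the path is computed with dirname, the check works whether the VM folder is given with a trailing slash or as a relative name, and the same ISO is reported for every VM folder that shares a parent, which is the point of the layout the page describes.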


Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:28:14 PST 2008