Hello New Friends and Forum Mates!
Having trouble getting the IPFW firewall to run with my own access rules. I've read most of the recent threads I could find on search here, and Google (or other googly search engines). I also have the script ready to go, but I'm having trouble getting IPFW to run it. I can get IPFW to run via the shell. It runs the FreeNAS rules. I've learned from the readings here where to put the script and rules, in /mnt/volumename/blablabla. Forgive my terminology (see below, ###Me.). I also understand FreeNAS is not an OS to be hacked (and have no desire to). I did read that IPFW is an option, but can't seem to find out how to work with it. I also understand FreeNAS is not meant to be placed on an open network, and have read comments that indicate you might not want a firewall on your FreeNAS. I think I should give you some background on me and my system now.
###Me.
I'm mostly a network guy. At my current job, I designed and implemented a dual DMZ with many secure VLANs and remote VPN (a dozen or so years ago). More recently I redesigned it, moving from a now very old Cisco ASA to a new ASA, and added site-to-site VPN. Oh, I also experienced the shock of AnyConnect and the dreaded DAP policies to control who connects to what (see below, ###My System.). I am at a highly regulated NPO.
Somewhere along the way, I took the initiative to move us onto VMware, in order to keep us from being pushed into using an unregulated VM environment across open networks, and to harness all the power of our old servers. So, with some good training after the fact, I also built and manage a vSphere/esxi environment as a 2nd hat. I'm somewhat a hack at that, but have it running well and everything is redundant. Of course, along with that hat comes another hat:
Storage. I'm even more of a hack at storage. I started out using maxed out local storage (9TB from 12TB per host, after formatting, RAID, and esxi'ing it), then moved on to a Synology configured as a SAN (iSCSI). Designed it for a maximum of 10TB, now up to about 20TB :\ Added a 2nd failover Synology, which ended in a pretty much horrific way. So, in order to use the local storage on the three hosts as backup, I now turn to FreeNAS.
BSD (of any flavor). I'm kind of Linuxy, but very green to FreeBSD, OpenBSD and FreeNAS. I actually have the most experience with FreeNAS. I probably got about 30 or 40 hours in with the older 9.x several years ago. That was more of a proof of concept deal, and I failed to get it to work with iSCSI as a VM. It worked great for NFS and Samba shares. Now I have been assigned to get a FreeNAS on each esxi host running and available for NFS, so I have another bundle of hours on that over the summer. I am such a hack at it. I consider myself very inexperienced at storage, and more so at FreeNAS storage. I beg for mercy!
I am dyslexic (isdelxic?) and very bad at typing, spelling and grammar. 10% of us are, knowingly or not. I have dogs and raise (at a hack level) some bonsai trees. I also make noise with bass guitar. Not music, just noise.
###My System.
I mentioned above, dual DMZ. You are storage experts here and I'm sure you know what a DMZ is, but in case some are not familiar with a dual DMZ, I'll explain now. I have one DMZ (AKA a true DMZ), which has any servers that can be touched by the outside (public/Internet). In other words, web servers. The other DMZ (AKA a quasi DMZ) can only be touched by internal computers, or, in a controlled manner, by the web servers in the first DMZ. So it has SQL, file shares, DCs, etc. Both DMZs run Linux and MS servers; the latter might be a security concern for many, especially the Windows IIS servers on the true DMZ.
The esxi environment is three old Dell 2950s, all upgraded to the last revision with the best CPUs (4 cores x 2 sockets) and 64 GB RAM. Works very well for our needs. The three FreeNASs, one on each esxi host, each get 4 x 3 GHz cores and GB RAM. They seem to run very well. Depending on who to what, I have 2 to 4 Gbps between the hosts, Internet, and other resources outside my network. Only two of the three esxi hosts have good storage. I have the disks to upgrade the third, but am holding, because I am to get another host (also a Dell 2950) soon, like 2 years ago. I would like to make that a bare metal FreeNAS if I don't have to use it as a 4th esxi host.
FreeNAS: Latest version on the two hosts with good storage (11.1-U6, upgraded from U5). The host with anemic storage has the beta version with upgraded GUI, and that's what I'm working with now as far as IPFW goes. That beta would be 11.2-BETA2 updated to yesterday. Right now I'm giving 1 to 2 TB to FreeNAS, but it's easy to add more. Each FreeNAS has three NICs (vmnics), one for each DMZ and one for the management VLAN.
###Goal.
Not speed. This is for backup of Linux text files, Linux log files (for now... need a new logfile server!), and storage of uploads to the web sites (~1TB currently, but soon to include video, and I expect it will explode in TBs). This will be the only copy of uploads, so one FreeNAS will take the uploads, then it needs to rsync to the other at night. All NFS for now. The upload speeds are very limited by the public's ISP.
Security. Oh my. I have to be concerned with real security and perceived security. I really need to not have the web GUI available on the DMZs. I need to have only what's needed available on each DMZ, by IP address, and the management access available to my management VLAN. In other words, I need NFS to specific servers on each NIC, rsync between the FreeNASs, and the web GUI to my management VLAN (plus the usual other stuff, NTP, domain, ssh, etc.). BTW: confusingly, service requests like NTP, domain, etc. will be sent to the management VLAN and routed to the quasi DMZ :D
###Future.
While I prefer that at least the critical servers have a "clone" off the SAN, to an esxi datastore, I could need to add SMB/Samba to the FreeNAS for Veeam zips to back up VMs. Hopefully, any other future requirements will fall after I retire to a tropical island with sand between my toes! The goal for that is three years.
###TIA!
Thanks for reading what you read. I really respect your time and expertise on storage!
Cheerio,
jon
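The access model jon describes (web GUI and ssh only from the management VLAN, NFS only from named servers on each DMZ NIC, rsync over ssh between the two FreeNAS boxes, default deny for everything else) maps onto a short stateful IPFW ruleset. The script below is an added example written for this thread, not code from jon's post or from the FreeNAS project. The interface names (vmx0/vmx1/vmx2), the addresses, and the pinned NFS helper ports are assumptions for illustration; for the fixed port list to be valid, mountd, statd and lockd have to be pinned in the FreeNAS NFS service settings, otherwise those daemons pick ports at random. With DRY_RUN=1 (the default) it only prints the ipfw commands it would run, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: stateful IPFW ruleset generator for a FreeNAS box with three NICs.
# All interface names, addresses and pinned ports below are assumptions.
# DRY_RUN=1 prints the commands; DRY_RUN=0 applies them with /sbin/ipfw.

MGMT_IF=${MGMT_IF:-vmx0}                 # assumed: NIC on the management VLAN
DMZ1_IF=${DMZ1_IF:-vmx1}                 # assumed: NIC on the true DMZ (web servers)
DMZ2_IF=${DMZ2_IF:-vmx2}                 # assumed: NIC on the quasi DMZ

MGMT_NET=10.10.0.0/24                    # assumed management VLAN
PEER_NAS=10.10.0.52                      # assumed address of the other FreeNAS (rsync over ssh)
DMZ1_NFS_CLIENTS="10.20.0.11 10.20.0.12" # assumed web servers allowed to mount NFS
DMZ2_NFS_CLIENTS="10.30.0.21"            # assumed quasi-DMZ clients allowed to mount NFS
# rpcbind (111), nfsd (2049) and the mountd/statd/lockd ports; the last three
# only work as a fixed list if they are pinned in the NFS service settings.
NFS_PORTS="111,2049,618,871,872"         # assumed pinned values

DRY_RUN=${DRY_RUN:-1}
IPFW=${IPFW:-/sbin/ipfw}

# Print or apply one ipfw command.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        "$IPFW" -q "$@"
    fi
}

# Allow NFS (TCP and UDP) from each listed client, only on the given interface.
# Rule numbers start at $base and step by 10 per client.
nfs_clients() {
    iface=$1
    base=$2
    clients=$3
    n=$base
    for c in $clients; do
        fw add "$n" allow tcp from "$c" to me "$NFS_PORTS" in via "$iface" setup keep-state
        fw add "$((n + 1))" allow udp from "$c" to me "$NFS_PORTS" in via "$iface" keep-state
        n=$((n + 10))
    done
}

build_rules() {
    fw flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 check-state                      # replies to the stateful rules below
    # Management VLAN only: ssh and the web GUI (http/https).
    fw add 1000 allow tcp from "$MGMT_NET" to me 22,80,443 in via "$MGMT_IF" setup keep-state
    # Nightly rsync between the two FreeNAS boxes, over ssh, in both directions.
    fw add 1100 allow tcp from "$PEER_NAS" to me 22 in via "$MGMT_IF" setup keep-state
    fw add 1110 allow tcp from me to "$PEER_NAS" 22 out via "$MGMT_IF" setup keep-state
    # Outbound DNS and NTP, which the post says leave via the management VLAN.
    fw add 1200 allow udp from me to any 53,123 out via "$MGMT_IF" keep-state
    # Per-DMZ NFS, restricted to named servers on that DMZ's own NIC.
    nfs_clients "$DMZ1_IF" 2000 "$DMZ1_NFS_CLIENTS"
    nfs_clients "$DMZ2_IF" 3000 "$DMZ2_NFS_CLIENTS"
    # Enough ICMP for path MTU discovery and basic troubleshooting.
    fw add 4000 allow icmp from any to any icmptypes 0,3,8,11
    # Everything else, including any GUI or ssh attempt from a DMZ NIC, is dropped and logged.
    fw add 65000 deny log ip from any to any
}

build_rules
```

Two practical notes. Because FreeNAS regenerates its system configuration on boot, a script like this belongs on the pool (the /mnt/volumename/... location jon mentions) and is launched from Tasks > Init/Shutdown Scripts as a post-init script, with DRY_RUN=0 set in that command. And since the default rule denies when the ruleset is empty, there is a brief window between `flush` and rule 1000 in which an ssh session used to apply the rules is cut off; apply it from the console or from the post-init task rather than over ssh from a DMZ.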