# Security/Procedure feedback request virtualized environment

## volt150

Hello,

I have a Gentoo machine I am using as a virtualization host with QEMU/KVM, and virtual network interfaces. I would like your feedback on my process/procedures and any security issues that you might see. This machine will be directly connected to the net and I do not have the knowledge to speak with certainty at this time. 

Dell PowerEdge R710 - 4 physical network interfaces eno1 - eno4

Gentoo Profile: default/linux/amd64/17.0 (stable)

Kernel Version: 4.9.95

PfSense is providing NAT, Firewall, DNS, and DHCP. 

Here is a network diagram of what exists right now:

https://imgur.com/MTMgXJh

netifrc configuration:

```
#set the dns_domain_lo variable to the selected domain name
dns_domain_lo="homenetwork"

config_eno1="null"
config_eno2="null"
config_eno3="null"
config_eno4="dhcp"

# Future Reference Notes
## 1) Remember that each tap and bridge interface needs to have a symlink to
## net.lo in /etc/init.d/net.lo, and placed in /etc/init.d/
## 2) Each physical interface also needs to have a symlink

# Bridges

## Wan Bridge
### This bridge is primarily used to connect WAN to Pfsense
### Naturally only needs 1 physical and 1 TAP
#### This port is connected to a modem in bridge mode. Which means it still
#### has dhcp enabled. PfSense will send a dhcp request and be given an IP,
#### through this switch
tuntap_wanbridgetap1="tap"
config_wanbridgetap1="null"
iproute2_wanbridgetap1="group kvm"
bridge_wanbridge="eno1 wanbridgetap1"
config_wanbridge="null"
rc_net_wanbridge_need="net.eno1 net.wanbridgetap1"
bridge_forward_delay_wanbridge=0
bridge_hello_time_wanbridge=1000

## DMZ Switch
### The virtual systems behind this bridge will be accessible from -
### the internet
### Currently this needs 4 taps
tuntap_dmzbridgetap1="tap"
tuntap_dmzbridgetap2="tap"
tuntap_dmzbridgetap3="tap"
tuntap_dmzbridgetap4="tap"
config_dmzbridgetap1="null"
config_dmzbridgetap2="null"
config_dmzbridgetap3="null"
config_dmzbridgetap4="null"
iproute2_dmzbridgetap1="group kvm"
iproute2_dmzbridgetap2="group kvm"
iproute2_dmzbridgetap3="group kvm"
iproute2_dmzbridgetap4="group kvm"
bridge_dmzbridge="dmzbridgetap1 dmzbridgetap2 dmzbridgetap3 dmzbridgetap4"
config_dmzbridge="null"
rc_net_dmzbridge_need="net.dmzbridgetap1 net.dmzbridgetap2 net.dmzbridgetap3 net.dmzbridgetap4"
bridge_forward_delay_dmzbridge=0
bridge_hello_time_dmzbridge=1000

## Local Switch
### Systems behind this switch are not accessible from the internet
### Currently requires 1 physical and 7 taps
tuntap_locbridgetap1="tap"
tuntap_locbridgetap2="tap"
tuntap_locbridgetap3="tap"
tuntap_locbridgetap4="tap"
tuntap_locbridgetap5="tap"
tuntap_locbridgetap6="tap"
tuntap_locbridgetap7="tap"
config_locbridgetap1="null"
config_locbridgetap2="null"
config_locbridgetap3="null"
config_locbridgetap4="null"
config_locbridgetap5="null"
config_locbridgetap6="null"
config_locbridgetap7="null"
iproute2_locbridgetap1="group kvm"
iproute2_locbridgetap2="group kvm"
iproute2_locbridgetap3="group kvm"
iproute2_locbridgetap4="group kvm"
iproute2_locbridgetap5="group kvm"
iproute2_locbridgetap6="group kvm"
iproute2_locbridgetap7="group kvm"
bridge_locbridge="eno2 locbridgetap1 locbridgetap2 locbridgetap3 locbridgetap4 locbridgetap5 locbridgetap6 locbridgetap7"
config_locbridge="null"
rc_net_locbridge_need="net.eno2 net.locbridgetap1 net.locbridgetap2 net.locbridgetap3 net.locbridgetap4 net.locbridgetap5 net.locbridgetap6 net.locbridgetap7"
bridge_forward_delay_locbridge=0
bridge_hello_time_locbridge=1000

## Windows Switch
### This switch is used for windows machines and any supporting systems
### Currently requires 1 physical and 1 tap
tuntap_winbridgetap1="tap"
config_winbridgetap1="null"
iproute2_winbridgetap1="group kvm"
bridge_winbridge="eno3 winbridgetap1"
config_winbridge="null"
rc_net_winbridge_need="net.eno3 net.winbridgetap1"
bridge_forward_delay_winbridge=0
bridge_hello_time_winbridge=1000
```

[EDIT]

QEMU/KVM is using the e1000 network driver for the guest OS. 

[/EDIT]

No other configuration has been done. 

My primary concern is keeping the host secure. I think what worries me the most is that the bridges and taps are not physical. I do not know what they are doing underneath and how/if there is any implication to the host, where a configuration mistake might cost me in security.

Would you change anything? Add anything?

PfSense rules are not within the scope of this post. 

I thank you for your time.

----------
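The poster's worry is a configuration mistake in the bridge/tap layout rather than the bridge code itself. A mechanical consistency check of `/etc/conf.d/net` catches the common slips before the interfaces come up: a bridge member that is never declared as a tap, a tap not created with the `group kvm` option, a bridge or member that ends up with an address on the host (the `config_*="null"` convention above is what keeps the host off the WAN segment), and an `rc_net_*_need` line that omits a member. The following checker is an added example written for this post, not code from the poster or from netifrc; it assumes only the `var="value"` layout shown above, treats interface names beginning with `eno`/`eth`/`enp` as physical, and ships with a constructed sample configuration that contains deliberate mistakes.

```python
"""Static consistency check for a netifrc bridge/tap configuration.

Added example, not part of the original post. It parses the var="value"
style of /etc/conf.d/net shown above and reports the mistakes a host
operator would want to catch before bringing the bridges up.
"""
import re
import sys

# Constructed sample modelled on the poster's WAN bridge, plus a DMZ bridge
# with deliberate mistakes so the checker has something to report:
# dmzbridgetap2 is never declared, dmzbridgetap1 is not in group kvm, the
# bridge itself would take a DHCP address on the host, and the need-line
# misses dmzbridgetap2.
SAMPLE_CONF = """\
config_eno1="null"
tuntap_wanbridgetap1="tap"
config_wanbridgetap1="null"
iproute2_wanbridgetap1="group kvm"
bridge_wanbridge="eno1 wanbridgetap1"
config_wanbridge="null"
rc_net_wanbridge_need="net.eno1 net.wanbridgetap1"

# DMZ bridge with mistakes (constructed)
tuntap_dmzbridgetap1="tap"
config_dmzbridgetap1="null"
bridge_dmzbridge="dmzbridgetap1 dmzbridgetap2"
config_dmzbridge="dhcp"
rc_net_dmzbridge_need="net.dmzbridgetap1"
"""

# Matches  name="value"  or  name=value ; comments and blank lines are skipped.
ASSIGN = re.compile(r'^\s*([A-Za-z0-9_]+)=("?)(.*?)\2\s*$')

# Assumed prefixes of physical NICs; taps are anything else.
PHYSICAL_PREFIXES = ("eno", "eth", "enp")


def parse_netifrc(text):
    """Return {variable: value} for every assignment line in the config."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf


def check_bridges(conf):
    """Return a sorted list of finding strings; an empty list means clean."""
    findings = []
    for var, members in conf.items():
        if not var.startswith("bridge_"):
            continue
        br = var[len("bridge_"):]
        # The host should not take an address on a bridge that guests share,
        # least of all the one facing the modem.
        if conf.get("config_" + br) != "null":
            findings.append(f"{br}: config_{br} is not null, host would get an address on this bridge")
        need = set(conf.get(f"rc_net_{br}_need", "").split())
        for member in members.split():
            is_phys = member.startswith(PHYSICAL_PREFIXES)
            if not is_phys and conf.get("tuntap_" + member) != "tap":
                findings.append(f'{br}: member {member} has no tuntap_{member}="tap"')
            if conf.get("config_" + member) != "null":
                findings.append(f"{br}: member {member} has config_{member} != null")
            if not is_phys and "group kvm" not in conf.get("iproute2_" + member, ""):
                findings.append(f"{br}: tap {member} is not created with group kvm")
            if "net." + member not in need:
                findings.append(f"{br}: rc_net_{br}_need does not list net.{member}")
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_netifrc.py [/etc/conf.d/net]; without a path the
    # constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = check_bridges(parse_netifrc(text))
    for p in problems:
        print(p)
    print(f"{len(problems)} finding(s)")
```

Run against the sample it reports six findings, all on the DMZ bridge and none on the WAN bridge, which mirrors the poster's own layout. The check is deliberately static: it reads the file the operator edits, so it can be run before a reboot or `rc-service net.<bridge> restart`, and it does not need the interfaces to exist.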

