
Topic: ESXi Hardening question for pfSense


MakOwner
ESXi Hardening question for pfSense
« on: January 12, 2017, 08:13:39 am »
I'm going through the 6.x hardening doc and it calls for disabling vSwitch forged transmits and promiscuous mode.
I'm not (as) concerned about the internal environment, but on the vSwitch and physical NIC plugged into the internet I'm trying to minimize the attack vector as much as possible.

The VMware guide is written with the intent of guarding against attack from any direction, and I'm concerned mainly with sealing the firewall and leaving internal functions as painless as possible for the minimal number of trusted resources. Will this cause any noticeable difference when I switch from a hardware instance of pfSense to a virtual one?

Will NATing at pfSense be affected by rejecting forged transmits?

tortue
Re: ESXi Hardening question for pfSense
« Reply #1 on: May 11, 2017, 11:52:10 pm »
NATing will not be affected by forged transmits. With forged transmits rejected, the vSwitch will not accept packets from the guest OS that carry a MAC address different from the one configured for the vNIC in ESX.

For typical router use-cases, promiscuous mode would not be needed either.

I run a virtualized pfSense firewall with all typical ESXi lockdowns in place with no issues, including the 2 you've mentioned.

jimp
Re: ESXi Hardening question for pfSense
« Reply #2 on: May 17, 2017, 01:35:33 pm »
You really only need forged transmits/promisc/MAC changes if you use CARP VIPs or HA with CARP in general. And even then you can make a port group for just the firewall nodes with those active.

m3xiz
Re: ESXi Hardening question for pfSense
« Reply #3 on: June 15, 2017, 08:38:06 am »
All the answers above are right. I just would like to add that if you need some kind of sniffing capability, you can add another port group to your vSwitch with VLAN 4095. Authorize promiscuous mode on this port group only. Attach your sniffing machine to this LAN in stealth mode and you have some kind of SPAN port on your switch without allowing all machines to enter promiscuous mode.
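Pulling the three answers together, here is an added PowerCLI example (written for this page, not code from any poster, from pfSense, or from the VMware hardening guide) that applies the vSwitch-level rejects tortue and jimp describe, then carves out the two narrow exceptions: a port group for CARP firewall nodes (jimp's point) and a VLAN 4095 monitoring port group with promiscuous mode allowed only there (m3xiz's point). The host name, vSwitch name and port-group names are assumptions.

```powershell
# Added example: harden a standard vSwitch, then grant exceptions per port group.
# Host, vSwitch and port-group names below are placeholders, not from the thread.
Connect-VIServer -Server 'esxi-host.example.internal'

# vSwitch that carries the internet-facing uplink (assumed name)
$vs = Get-VirtualSwitch -Name 'vSwitch0' -Standard

# 1. Baseline from the hardening guide: reject promiscuous mode, forged
#    transmits and MAC changes on the switch itself. Port groups inherit
#    these values unless they explicitly override them.
$vs | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false

# 2. Only CARP/HA firewall nodes need forged transmits and MAC changes
#    (the CARP VIP uses a shared virtual MAC), so allow them on a dedicated
#    port group rather than on the whole switch. A non-CARP pfSense VM
#    doing plain NAT stays on an inheriting port group and needs none of this.
$carpPg = New-VirtualPortGroup -VirtualSwitch $vs -Name 'pfSense-CARP'
$carpPg | Get-SecurityPolicy |
    Set-SecurityPolicy -ForgedTransmitsInherited $false -ForgedTransmits $true `
                       -MacChangesInherited $false -MacChanges $true

# 3. VLAN 4095 = all VLANs (trunk) on a standard vSwitch. Allowing
#    promiscuous mode only on this port group gives one monitoring VM a
#    SPAN-like view while every other port group keeps rejecting it.
$spanPg = New-VirtualPortGroup -VirtualSwitch $vs -Name 'Monitor-SPAN' -VLanId 4095
$spanPg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuousInherited $false -AllowPromiscuous $true

# 4. Verify: the switch should report False/False/False, and only the two
#    port groups above should deviate from it.
$vs | Get-SecurityPolicy | Format-List AllowPromiscuous, ForgedTransmits, MacChanges
Get-VirtualPortGroup -VirtualSwitch $vs | Get-SecurityPolicy |
    Format-Table VirtualPortGroup, AllowPromiscuous, ForgedTransmits, MacChanges -AutoSize
```

A VM on the VLAN 4095 port group receives frames with their 802.1Q tags intact, so the monitoring guest must be set up to handle tagged traffic itself; a monitoring VM with no IP address on that interface (m3xiz's "stealth mode") cannot be addressed from the trunk.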