Friday, August 19, 2022

Virtual Transparent Firewall not working

I have been successfully using a pfSense community edition firewall to protect my home test lab. My local ISP delivers me a subnet of addresses directly, so I need to leverage a transparent firewall or "bridge" to protect the lab. After rebuilding a few pieces of the lab I restored my pfSense configuration to a new host/VM and found that no traffic was passing. I did a packet capture and did not see any communication traffic. I thought that *something* must be blocking the traffic before it gets to the pfSense transparent firewall VM. A lightbulb went off in my head back to my VMware architecture days about the three security settings you can set on a virtual network switch, promiscuous mode being the easiest to remember. I played with turning these on/off one by one and found I needed both Promiscuous Mode and Forged Transmits security turned off (set to Accept) for this pfSense transparent firewall VM to operate correctly. Obviously turning these features off does open your ESX host up to accepting more (possibly malicious) packets, but the ESX host is simply passing the packets along to the VM(s) attached to that network on the host. You can limit your exposure by only having a single VM on that host's "raw internet" network and a single (same) VM attached to the inside "filtered internet" network. Assuming you trust pfSense to do its job, turning off these features should work for most home use cases.
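As an added example (not from the original post), here is a PowerCLI script that applies only the two settings the bridge needs on the two port groups and then audits that no VM other than the firewall sits on them; the host name, port group names and VM name are assumptions for a lab and need to be adjusted.

```powershell
# Added example, not from the original post. Requires the VMware.PowerCLI module.
# Assumed names: host 'esx01.lab.local', port groups 'raw-internet' and
# 'filtered-internet', firewall VM 'pfsense-bridge'. Adjust to your lab.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esx01.lab.local'

$VMHostName   = 'esx01.lab.local'
$BridgeGroups = @('raw-internet', 'filtered-internet')
$FirewallVM   = 'pfsense-bridge'

foreach ($pgName in $BridgeGroups) {
    $pg = Get-VirtualPortGroup -VMHost $VMHostName -Name $pgName -Standard

    # Open only what the transparent bridge needs (the two settings named in the
    # post). MAC Address Changes stays at Reject; assumption: the bridge VM keeps
    # its own MAC and does not need that third setting relaxed.
    $pg | Get-SecurityPolicy |
        Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true -MacChanges $false |
        Out-Null

    # Exposure check: any other VM on a promiscuous port group can observe the
    # bridge traffic, so warn if the firewall is not the only VM attached.
    $attached = Get-VM | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -eq $pgName } |
        ForEach-Object { $_.Parent.Name } |
        Sort-Object -Unique
    $extra = $attached | Where-Object { $_ -ne $FirewallVM }

    if ($extra) {
        Write-Warning "Port group '$pgName' also carries: $($extra -join ', ')"
    } else {
        Write-Host "Port group '$pgName': only '$FirewallVM' attached, policy applied."
    }
}

# Show the effective policy on both bridge port groups for review.
Get-VirtualPortGroup -VMHost $VMHostName -Name $BridgeGroups -Standard |
    Get-SecurityPolicy |
    Select-Object VirtualPortGroup, AllowPromiscuous, ForgedTransmits, MacChanges
```

Rerun the audit part after adding VMs to the lab, since a VM accidentally placed on the "raw internet" port group bypasses the firewall entirely.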

Thursday, February 3, 2022

yum update failing on Google Cloud VM

I use Google Cloud's smallest VM for hosting my own DNS servers. I use the f1-micro instances that are very limited in memory and CPU, but cheap!

During a regular yum update I received the following error and my instance (VM) failed to reboot.

During the Cleanup part of yum update the google-cloud-sdk gave me this error:

/var/tmp/rpm-tpm.rdz2f9: line 4: 11963 Killed gcloud components post-process --force-recomplile warning: %postrun(google-cloud-sdk-360.0.0-1.x86_64) scriptlet failed, exit status 137 Non-fatal POSTUN scriptlet failure in rpm package google-cloud-sdk-360.0.0-1.x86_64

I read on this post - https://stackoverflow.com/questions/40163733/upgrading-google-cloud-sdk-fails-on-configure - that this person had the same issue due to using the smallest GCP instance size, but they chose to stop some processes to free up memory before they did an update.

My resolution was to first build a new VM with a previous snapshot of the VM before it was messed up by the update.

Just for good measure I did some yum cleanup with yum-utils before anything else, then updated only google-cloud-sdk, before updating the rest without error.

sudo yum install yum-utils
sudo package-cleanup --dupes --noplugins
sudo yum clean all
sudo yum clean dbcache             # probably redundant after "clean all"
sudo yum update google-cloud-sdk   # this took a long time
sudo yum update                    # update all the other pieces

After this everything was happy!