Ok, I admit this part took a while longer to write than I originally planned, but it is here now and that’s what matters, maybe. This post was supposed to be more like a configuration guide, but as so much time has passed it turned out to be just reflection. In the previous part I talked a bit about Usva’s initial hardware-related issues, so now it’s the software’s turn.
* * *
As Usva would be primarily a virtualization platform, all it really needs is a flexible firewall, a virtual machine manager and some sensors. Debian and KVM itself installed without a hitch, but getting all the other things to work properly was a bit of a chore.
First to be configured was Shorewall: its rules and bridge groups. The plan was to have three different levels of firewalling: one for the local network with no traffic restrictions, one for servers with no direct access to the LAN, and lastly a testing / untrusted network where only a single IP/proto/port pair was accessible from the VMs, ideal for VPN-only traffic. All interfaces would share a single NAT’d network connection.
Amazingly the configurations weren’t that hard to implement with a bit of help. But of course there were problems: the bridge groups got cleared on reboot and a file in /etc/networking required some tuning to fix that. Also the NIC driver required some module magic. Oh, and I still haven’t thoroughly understood how to configure Shorewall.
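For what that three-tier plan looks like in Shorewall’s own files, here is an added example; it is not the configuration from this post. It assumes eth0 as the uplink, br0/br1/br2 as the LAN, server and test bridges, zone names of my own choosing, 192.168.0.0/16 behind the NAT, 203.0.113.10 udp/1194 as the sole VPN endpoint the test zone may reach, and the three-column interfaces layout of Shorewall 4.4-era Debian.

```text
# /etc/shorewall/zones  (zone names are assumed; the post does not give them)
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
srv     ipv4
test    ipv4

# /etc/shorewall/interfaces  (eth0 and br0..br2 are assumed names;
# "bridge" marks a bridge and implies routeback for VM-to-VM traffic)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
lan     br0         detect      bridge
srv     br1         detect      bridge
test    br2         detect      bridge

# /etc/shorewall/policy  (first match wins, so the catch-all stays last)
#SOURCE   DEST   POLICY   LOG
$FW       all    ACCEPT
lan       all    ACCEPT            # LAN: no restrictions
srv       net    ACCEPT            # servers reach the internet...
srv       lan    DROP     info     # ...but never the LAN directly
test      all    DROP     info     # untrusted: nothing unless a rule allows it
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (203.0.113.10 is a placeholder VPN endpoint)
# The only hole in the test zone: one IP, one proto, one port.
#ACTION   SOURCE   DEST               PROTO   DEST PORT
ACCEPT    test     net:203.0.113.10   udp     1194

# /etc/shorewall/masq  (all bridged networks NAT out through eth0)
#INTERFACE   SOURCE
eth0         192.168.0.0/16
```

Run `shorewall check` before `shorewall restart`; the logged DROPs from the srv and test zones are what tell you a VM is trying to go somewhere the plan forbids.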
* * *
A while later, when everything was working relatively smoothly, I finally got to configuring sensors properly. Initially I had managed to get some readings, but now nothing worked. After a fair bit of googling around and trying to load modules it became clear that a newer kernel was required.
No problem! I’ll just copy this old kernel config and compile with --initrd. Nope! Shorewall required some more exotic switches to work, again! And who would have guessed, with a kernel version number almost a whole number higher I finally got some sweet temperature readings.
* * *
Everything went as expected? Nope.
Usva was supposed to firewall and NAT my entire LAN (and serve as an IPv6 gateway), but due to either noise or hardware constraints (can’t have both) that is not possible at the moment. That old Cisco 871 must continue its NATting job at 70% of max speed.
Web server? Still haven’t found the time for configuring, the one in Routa is enough for personal use, www.dea.fi for the rest.
What then? Only a pitiful Minecraft server with technology-related mods…