Documentation


Viewing posts for the category Omarine User's Manual

Building a fault-tolerant firewall system with virtual machines: Creating virtual machine with qemu

For security reasons, do not run qemu as root. However, there are situations where the virtual machine creation process must use root privileges. This should be controlled and treated as a decision for the administrator and the security policy.
When qemu needs root privileges to create tap devices, it runs the bridge helper program, which defaults to the binary /usr/libexec/qemu-bridge-helper. This binary can run as root because it is setuid root:

The snapshot above shows that only users in the kvm group can use the helper program. Furthermore, the helper program can only be used if the administrator has granted access to the corresponding bridge devices in the /etc/qemu/bridge.conf configuration file.
That alone is not enough. In terms of security, the qemu-bridge-helper binary has the type virt_bridgehelper_exec_t. It runs in the virt_bridgehelper_t domain and can open /dev/net/tun only if the following rule is included in the security policy:

Building a fault-tolerant firewall system with virtual machines: Creating disk image

Each virtual machine needs a disk image containing the operating system. We have three virtual machines, so we need three disk images. However, we only need to create one image and then copy it for the other two.

Creating partitions and filesystem on disk
An operating system generally needs one root partition and one swap partition. We practice on a USB stick or a USB hard disk; assume the device name is /dev/sdb. The commands below create a 10G root partition (precisely, 10G minus the first 1M of the disk) and a 2G swap partition, and then create the root filesystem on the root partition:

Building a fault-tolerant firewall system with virtual machines: Creating bridge devices and tap interfaces

The tap network backend is the most appropriate configuration option in qemu for creating network interfaces for virtual machines, because virtual ethernet interfaces created this way are treated as normal ethernet devices without any restriction. We also need bridge devices to connect the interfaces in the networks.
By design, a bridge device is used to attach ethernet interfaces at its bridge ports. The bridge device then becomes one logically large ethernet interface made up of the attached ethernet interfaces. The bridge is addressed instead of the ethernet interfaces participating in it, and in that case the bridge becomes a gateway to the network of the participating ethernet interfaces. Our firewall system does not use that functionality, however.

Non-grounding bridge solution

Building a fault-tolerant firewall system with virtual machines: Introduction

By combining the netfilter connection tracking tool conntrackd with the HA (High Availability) service keepalived, we can build a fault-tolerant firewall system. With qemu and spice, the system is built on virtual machines that are almost as friendly as physical ones. Users can use virtual machines remotely via the spice protocol and can copy and paste between virtual machines and the real machine, and between virtual machines. We can also redirect USB from the real machine to a virtual machine and then use the USB devices on the virtual machine as if they were attached to a physical machine.
This series of articles introduces building and running a fault-tolerant firewall system through a real-world example. It covers techniques for creating virtual network interfaces, designing virtual machines using qemu command-line parameters, accessing and using remote virtual machines with spice, running the spice agent on virtual machines to communicate with the spice server on the host, configuring X to use the qxl video driver on the virtual machines, configuring network interfaces using systemd, routing, network address translation, configuring HA and running keepalived on the firewall machines, integrating conntrackd into the system and running conntrackd.service on the firewall machines, and so on. Finally, a set of stateful packet filtering rules is set up, specific to each network interface on the firewall machines, to specify which services the client is allowed to access on the server.
In the figure below, when the machine client wants to access any service on the server omarine, every packet must go through a firewall system consisting of two machines, fw-1 and fw-2. This is the primary/backup model of the HA system: only one firewall machine at a time is responsible for packet filtering. If fw-1 starts first it will be the primary firewall and fw-2 the backup. When the client accesses omarine, a packet with the destination address 192.168.0.3 leaves the client at interface eth0. It crosses the bridge br1 and arrives at firewall fw-1 on interface eth1. The packet does not go inside the firewall machine but is forwarded from the eth1 interface to the eth0 interface. The packet filtering rule set is active from the moment eth1 receives the packet; it decides whether to allow the packet or drop it on the floor. If accepted, the packet is sent from the firewall's eth0 interface, across the bridge br0, and into omarine at its eth0 interface:

Although the firewall fw-2 does not perform packet filtering, conntrack states are replicated to it through the eth2 interfaces of the two firewalls, which are connected via the br2 bridge.
If the firewall fw-1 fails, the firewall fw-2 immediately becomes active. Because it holds the full set of connection tracking states, fw-2 can, from the moment of handover, distinguish an established connection from a new one, and so takes over as the primary firewall effectively.

Here is a series of snapshots from the actual activity:

I Ching Algorithm: Construction of Apparent Stems and Branches – Season coordinate system and Nine Stars of the Day

The Nine Stars of the Day starts from the first day of the Stems and Branches era, which is the day of the Jia-Rat. Like the Nine Stars of the Hour, the Nine Stars of the Day is also divided into two periods of the year. In the first six months of the year, from the Winter Solstice period, the yang qi rises, so the Nine Stars goes forward, that is, in the increasing direction of the Luoshu numbers, starting from White One - Water Star. In the last six months of the year, from the Summer Solstice period, the yin qi descends and the Nine Stars goes backward, starting from Burgundy Nine - Fire Star. Six months is equivalent to 180 days, i.e. three rounds of the Jia-Rat, so in the last six months the Nine Stars also starts from the day of the Jia-Rat.
The Nine Stars of the Day must satisfy the following requirements:
• Going forward from the Winter Solstice to the end of the "Grain in ear" period, and going backward from the Summer Solstice until the end of the Great Snow period.
• The Nine Stars must move continuously. For example, from 5-Yellow it must go up to 6-White or down to 4-Green, throughout the year.
• There must be a reasonable continuity when changing periods, from "Grain in ear" to the Summer Solstice within the year and from Great Snow at the end of this year to the Winter Solstice at the beginning of the next year.
However, a problem arises because a year has 365 or 366 days, not an even 360 days for the two regions of yang and yin qi. The first day of the Winter Solstice is not the day of the Jia-Rat.
This year's Winter Solstice is the day of the Wu-Dog, nearly a month away from the day of the Jia-Rat. If the Nine Stars were allowed to move continuously, the two regions of yang and yin qi would encroach on each other for about a month, which is unacceptable.
Current books also give a way to look up the Nine Stars by starting the day of the Jia-Rat according to the weather periods. For example, the Summer Solstice starts the day of the Jia-Rat from 9-Burgundy, and "Heat ends" starts the day of the Jia-Rat from 3-Blue. It is now the "Autumn starts" period. On August 23 we enter the "Heat ends" period. August 23 is the day of the Gui-Rabbit; starting the Jia-Rat from 3-Blue with the Nine Stars going backward, the day of the Gui-Rabbit has the qi field of 9-Burgundy. One day earlier is the day of the Ren-Tiger, which is still in the "Autumn starts" period, that is, the period from the Summer Solstice to the end of "Autumn starts"; taking the Summer Solstice as starting the day of the Jia-Rat from 9-Burgundy, the day of the Ren-Tiger comes out as 7-Red. Ren-Tiger and Gui-Rabbit are two consecutive days, yet the qi field cannot jump from 7-Red to 9-Burgundy!
The reason the current calculation of the qi field is not correct is that the current Stems and Branches system cannot be used as the coordinate system of the qi field space.

CONSTRUCTION OF APPARENT STEMS AND BRANCHES – SEASON COORDINATE SYSTEM AND NINE STARS OF THE DAY
1) Immobilization of the transition qi field
While walking, if you want to go back, you have to stop first. The curve of a function rises where its derivative is positive. Before it can fall, where the derivative is negative, it must pass through a maximum point at which the derivative is zero and the function value is momentarily constant.
The Nine Stars goes from the Winter Solstice with the 1-White qi field in the yang qi region and, after 180 days, reaches the 9-Burgundy qi field on the last day of the "Grain in ear" period. It must hold at 9-Burgundy in order to transition into the yin region starting from the Summer Solstice period.