ESXi Harding question for pfSense



  • I'm going through the 6.x hardening doc and it calls for disabling vswitch forged transmits and promiscous mode.
    I'm not (as) concerned about the internal environment, but the on the vswitch and physical NIC plugged into the internet I'm trying to minimize the attack vector as mush as possible.

    The VMWare guide is written with the intent of guarding against attack from any direction, and I'm concerned mainly with sealing the firewall and leaving internal functions as painless as possible to the minimal number of trusted resources, will this cause any noticeable difference when I switch from a hardware instance of pfSense to a virtual one?

    Will NATing at pfSense be affected by rejecting forged transmits?



  • NATing will not be affected by forged transmits. Rejecting forged transmits will not accept packets from the OS for a MAC address that is different than what is configured for the vNIC in ESX.

    For typical router use-cases, promiscuous mode would not be needed either.

    I run a virtualized pfSense firewall with all typical ESXi lockdowns in place with no issues, including the 2 you've mentioned.


  • Rebel Alliance Developer Netgate

    You really only need forged transmits/promisc/MAC changes if you use CARP VIPs or HA with CARP in general. And even then you can make a port group for just the firewall nodes with those active.



  • All the answers above are rights. I just would like to add that if you need some kind of sniffing possibilities, you can add another port in your vswitch with VLAN 4095. Authorized promiscuous mode on this port only. Attach to this lan your sniffing machine in stealth mode and you have some kinds of span port on your switch without allowing all machines to enter promiscuous mode.


Log in to reply