LXC Container Overview
LXC ("Linux Containers") is a lightweight, OS-level virtualization method: each container is an isolated Linux environment with its own filesystem and network stack that shares the host's kernel, so it starts with very little overhead. In NG Firewall this is useful in some scenarios, because it lets you easily instantiate a new virtual host on the network to use for testing. NG Firewall processes the LXC container's traffic just like that of any regular host on the Internal network.
Let's say you are offsite and someone calls you and claims that they cannot reach a website. Often one of the tests I will do is check whether the website is reachable at all from that location. I can SSH to NG Firewall and run a simple wget http://example.com to verify that NG Firewall itself can reach the website. However, if NG Firewall can reach the website but the user still can't, you still have to determine where the issue is occurring.
There is no easy way to test "from behind" NG Firewall the way the user is doing, so often you end up walking them through how to give you remote access to an internal host so you can see it for yourself. That lets you run tests "from behind" NG Firewall and see whether the sessions are going to the correct policy, being filtered appropriately, and so on.
With LXC, you can instantiate a new container inside the NG Firewall server itself that is effectively an internal host on the network. This lets you send traffic *through* the NG Firewall server without having to set up remote access to a real internal host.
To start the LXC container simply run:
The first time you run this command it initializes the LXC disk image from scratch and downloads some utilities from the web, so NG Firewall must be online. This starts the container and a few very basic services (such as SSH).
You can SSH to the container at this point, but you likely haven't set a password, so the easier way to access it is by "attaching" to its terminal. To do this run:
This gives you a shell in the LXC container. Any command run from here behaves just as it would on a physical machine on the internal network, so you can test your NG Firewall configuration with normal commands:
Once your testing is complete, the LXC container can be stopped with:
Make sure you stop the LXC container when you are done: it is technically a host on the internal network, it is reachable by other internal hosts by default, and it is running services such as SSH.
The LXC container actually has the address 192.0.2.2, and NG Firewall, at 192.0.2.1, is its default gateway.
All sessions from the LXC container will therefore appear to come from 192.0.2.2.
The LXC container isn't actually on the "Internal" network; it is on its own virtual network internal to the NG Firewall server. However, for testing policy and configuration, the LXC container is made to appear as if its traffic is coming from the "Internal" network. The setting "lxcInterfaceId" in the network settings determines which interface the LXC container "lives" on. The default is 0, which means the first non-WAN interface; you can set it to a specific interface ID if desired.
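To make the "test from behind NG Firewall" workflow above repeatable, here is a small shell script. It is an added example, not part of NG Firewall: run it once on the NG Firewall host and once from the LXC container's attach shell. It reports which side it is on (the route source should be 192.0.2.2 and the default gateway 192.0.2.1, as described above), fetches the URL with wget and prints the final HTTP status, and the diagnose function turns the two yes/no answers into a next step. Beyond the page it assumes only that iproute2 (`ip`) and wget exist on both sides; the function and script names are this example's own.

```sh
#!/bin/sh
# lxc-check.sh: added example, not part of NG Firewall. Run it on the
# NG Firewall host and again inside the LXC container (from the attach
# shell), then pass the two yes/no results to `diagnose`.
#
# Assumptions beyond the page: `ip` (iproute2) and wget are present on
# both sides. The addresses come from the page: the container is
# 192.0.2.2 and uses NG Firewall at 192.0.2.1 as its default gateway.

LXC_GW=192.0.2.1
LXC_ADDR=192.0.2.2

# Print the default gateway found in `ip route` output read from stdin.
default_gw() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Print the source address in `ip route get <dst>` output read from stdin.
route_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Given the server-response lines from `wget -S` on stdin, print the final
# HTTP status code (the last one wins, so redirects are followed), or
# "none" if no response was received at all.
status_from_headers() {
    awk '$1 ~ /^HTTP\/[0-9.]+$/ && $2 ~ /^[0-9][0-9][0-9]$/ { code = $2 }
         END { print (code == "" ? "none" : code) }'
}

# Map an HTTP status to yes/no: any 2xx or 3xx counts as reachable.
reachable() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) echo yes ;;
        *) echo no ;;
    esac
}

# Decide which side of NG Firewall we are on from the route source address.
side_from_src() {
    if [ "$1" = "$LXC_ADDR" ]; then
        echo "inside the LXC container"
    else
        echo "not in the LXC container (NG Firewall host or another machine)"
    fi
}

# Combine the two results: $1 is yes/no from the NG Firewall host itself,
# $2 is yes/no from inside the LXC container.
diagnose() {
    case "$1/$2" in
        yes/yes) echo "reachable from both; look at the user's host or its segment, not at NG Firewall" ;;
        yes/no)  echo "reachable from NG Firewall but not from behind it; check the policy and filtering applied to $LXC_ADDR" ;;
        no/yes)  echo "reachable from behind NG Firewall but not from the host itself; unusual, check the host's own WAN and DNS path" ;;
        no/no)   echo "unreachable from NG Firewall itself; the problem is upstream (WAN, DNS or the site)" ;;
        *)       echo "usage: diagnose yes|no yes|no"; return 1 ;;
    esac
}

# Fetch a URL with a short timeout and print its final HTTP status.
# `-S` prints the server response even with `-q`.
probe() {
    wget -q -S -O /dev/null --timeout=10 --tries=1 "$1" 2>&1 | status_from_headers
}

main() {
    url=${1:?usage: $0 URL}
    src=$(ip route get "$LXC_GW" 2>/dev/null | route_src)
    gw=$(ip route | default_gw)
    echo "running $(side_from_src "$src"); source ${src:-unknown}, default gateway ${gw:-none}"
    if [ "$src" = "$LXC_ADDR" ] && [ "$gw" != "$LXC_GW" ]; then
        echo "warning: default gateway is not $LXC_GW; the container is not plumbed as expected"
    fi
    status=$(probe "$url")
    echo "$url -> HTTP $status (reachable: $(reachable "$status"))"
}

# Only probe when a URL is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `sh lxc-check.sh http://example.com` on the firewall, attach to the container and run it again, and then call `diagnose <host-answer> <container-answer>` (for instance `diagnose yes no` when only the firewall host reached the site, which points at the policy and filtering applied to 192.0.2.2). A 4xx or 5xx is reported as its status rather than as "no response", so a block page served by the firewall stands out from a timeout.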
The ATS suite can use the LXC container just like a normal host; the container is configured by default with all the tools necessary to run the test suite.
After starting the LXC container, you can point the test runner at it with the -h argument:
/usr/share/untangle/bin/ut-runtest -h 192.0.2.2
192.0.2.2 is now the default when no host is specified, so you can also just run all the tests with: