From: Clemmitt M. S. <sig...@bl...> - 2004-03-23 19:40:38
Hey,

On Tue, 23 Mar 2004 ch...@to... wrote:
> Disclaimer: IANAMCSE and IANAcLD
> If the bridging is set up correctly then only the ethernet level of the
> stack should be used for the unfiltered data because windows does not
> have an address on the physical lan all TCP/IP traffic will be filtered.

You're right! I didn't look at it the right way, now did I? :^P
Didn't think about bridging. I'm very NAT-centered....

I've never done the "filtering bridge" setup before. But it's a thoroughly cool method. If you haven't heard about it, here's a decent page Google coughed up:

http://ezine.daemonnews.org/200211/ipfilter-bridge.html

and there are plenty more out there about configuring xBSD as a filtering bridge. In short, (I hope I'm summarizing this correctly, please correct me if I'm not) this is a network box configured without an IP address on either its up- or down-stream interfaces. This means it's more or less "invisible" but still filters packets. Keeps crackers from knowing it's there, and makes it very difficult to break into as well.

If Windows can work in a similar way, bridging without an IP address on its outside Network Connection, this would eliminate a significant vulnerability space and might just do what you want. Anyone else out there know if this is possible (IANAMCSE, either :^)?

Clemmitt
From: Hugo C. <hu...@hu...> - 2004-03-24 00:34:48
Hi

I agree that having colinux provide firewall and packet shaping for a host machine may seem a bit cumbersome. However the consumer level firewalls for windows that i've tried (many) are extremely buggy, to the point of not following the rules reliably! They also enjoy that lovely feature that if one day your registry wakes up in a bad mood, they will forget their rules and either block it all or allow it all. Packet-Shaping is _unheard of_ in those kinds of products. With the growing popularity of both filesharing and VOIP a solution like this seems to have its problem waiting for it already. Why should you have to yell at your daughter to turn off kazza because grandma called your VOIP line? Damn, i have to turn off my filesharing clients to browse the web sometimes. Not to mention that the extremely high number of connections opened by filesharing shows the glaring memory leaks of modern consumer-level win32 firewalls.

It goes around. My idea with this post was to get help with the right configuration for this specific application, but also to start a little brainstorming. I read in the list about the (amazingly few!) technical problems and bugs with colinux but not about its real applications. I think this software is an amazing idea and execution. It brings the best of 2 worlds, together, for free. You don't see that every day. There's gotta be something more interesting to do with colinux than to install windows under vmware under colinux under windows and laugh maniacally.

Sorry for the long non-technical post - i started this discussion in the Help forum but it was only in this list that i got replies.

Hugo

> sorry Clemmitt I Just re: to you first time meant to re: all
>
> Disclaimer: IANAMCSE and IANAcLD
> If the bridging is set up correctly then only the ethernet level of the
> stack should be used for the unfiltered data because windows does not
> have an address on the physical lan all TCP/IP traffic will be filtered.
>
> But Clemmitt's point is valid because there could be non TCP/IP holes such
> as netbeui or any other network layer protocols that are left open on
> windows or a carefully formed TCP/IP packet that could exploit a flaw in
> the lower layers and also any raw ethernet holes that there may be in
> windows. Long story short this would not be any better than any other host
> based firewall except for maybe a lot more flexibility. Other windows
> specific host based firewalls probably take the fact that they are running
> on windows and at least holler at you if netbeui or something else is on.
>
> chris
From: <ch...@to...> - 2004-03-24 11:48:13
Some days this still is enough for me. But my ultimate goal is to get the instance of vmware that is hosting windows to run on the coLinux that is being hosted by that instance of windows. Then remove the hardware altogether ;)

chris

> There's gotta be something more interesting to do with colinux than to install
> windows under vmware under colinux under windows and laugh maniacally.
From: tei <42...@in...> - 2004-03-24 21:12:02
<offtopic crap's>
run coLinux under coWindows under an emulated Mac OS/X86 under Bochs compiled for my GPU Ati Radeon 8600 XT has a pixel shader hack OpenGL compatible.
just kidding :D
</>

ch...@to... wrote:
> Some days this still is enough for me. But my ultimate goal is to get the
> instance of vmware that is hosting windows to run on the coLinux that is
> being hosted by that instance of windows. Then remove the hardware
> altogether ;)
>
> chris
>
>> There's gotta be something more interesting to do with colinux than to install
>> windows under vmware under colinux under windows and laugh maniacally.
From: <ch...@to...> - 2004-03-23 19:58:41
I did not mean so much a filtering bridge like that, just a virtual layer 2 bridge between the physical card and eth0 with a public ip on eth0, then a full TCP/IP connection between eth0:1 and a second tap with private addresses. But the filtering bridge may be possible as well. Depending on how the ISP is set up nothing should be coming down the pipe but TCP/IP, but you never know. netbeui is unroutable so the attacker would have to be on your side of any router (or have a way of getting there). A Linux box with IPTables set up would be just as vulnerable if it had an IPX stack or a HyperSCSI driver (SCSI over raw ethernet, like iSCSI but without the TCP/IP overhead). That is why a dedicated firewall is always best. With a little careful setting up of windows it should be good enough security.

chris

> Hey,
>
> On Tue, 23 Mar 2004 ch...@to... wrote:
>> Disclaimer: IANAMCSE and IANAcLD
>> If the bridging is set up correctly then only the ethernet level of the
>> stack should be used for the unfiltered data because windows does not
>> have an address on the physical lan all TCP/IP traffic will be filtered.
>
> You're right! I didn't look at it the right way, now did I? :^P
> Didn't think about bridging. I'm very NAT-centered....
>
> I've never done the "filtering bridge" setup before. But
> it's a thoroughly cool method. If you haven't heard about it,
> here's a decent page Google coughed up:
>
> http://ezine.daemonnews.org/200211/ipfilter-bridge.html
>
> and there are plenty more out there about configuring xBSD as a
> filtering bridge. In short, (I hope I'm summarizing this correctly,
> please correct me if I'm not) this is a network box configured
> without an IP address on either its up- or down-stream interfaces.
> This means it's more or less "invisible" but still filters
> packets. Keeps crackers from knowing it's there, and makes
> it very difficult to break into as well.
>
> If Windows can work in a similar way, bridging without an IP address
> on its outside Network Connection, this would eliminate a significant
> vulnerability space and might just do what you want. Anyone else
> out there know if this is possible (IANAMCSE, either :^)?
>
> Clemmitt
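The two posts above describe a filtering bridge (a box with no IP address on either interface that still filters frames) and the worry that non-IP protocols such as netbeui or IPX could pass straight through a layer 2 bridge. The script below is an added example, not code from the thread, the daemonnews article or the coLinux project: it is the Linux counterpart of the xBSD ipfilter bridge, built with iproute2 and an nftables bridge-family ruleset that allow-lists ethertypes so anything that is not ARP or IPv4 is dropped at layer 2. Interface names (eth0, tap0, br0) and the permitted inbound services are assumptions; the thread does not say whether Windows can do the same.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux filtering bridge in the
# spirit of the xBSD ipfilter bridge. Neither bridge member nor the bridge
# itself carries an IP address, and a layer 2 allow-list decides which
# ethertypes may be forwarded. Interface names below are assumptions.
UPSTREAM="${UPSTREAM:-eth0}"       # assumed: NIC facing the ISP
DOWNSTREAM="${DOWNSTREAM:-tap0}"   # assumed: interface facing the protected host
BRIDGE="${BRIDGE:-br0}"

# Dry-run by default: print each command instead of running it.
# Set APPLY=1 (as root, with the bridge and nf_tables modules available)
# to execute the plan for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Create the bridge and flush every IP address from the members, so the
# filtering box has no address of its own to be scanned or attacked.
bridge_setup() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr flush dev "$UPSTREAM"
    run ip addr flush dev "$DOWNSTREAM"
    run ip link set "$UPSTREAM" master "$BRIDGE"
    run ip link set "$DOWNSTREAM" master "$BRIDGE"
    run ip link set dev "$UPSTREAM" up
    run ip link set dev "$DOWNSTREAM" up
    run ip link set dev "$BRIDGE" up
}

# Layer 2 allow-list on the bridge forward hook. Default policy is drop, so
# netbeui, IPX, raw-ethernet storage protocols and anything else that is not
# ARP or IPv4 never reaches the protected host. Within IPv4 only ICMP and
# TCP/22 are accepted from upstream (assumption); the inside may send
# anything out, and replies come back via conntrack (the ct match in the
# bridge family needs the nf_conntrack_bridge module, Linux 5.3 or later).
bridge_filter() {
    run nft add table bridge filter
    run nft add chain bridge filter forward \
        '{ type filter hook forward priority 0; policy drop; }'
    run nft add rule bridge filter forward ether type arp accept
    run nft add rule bridge filter forward ct state established,related accept
    run nft add rule bridge filter forward iifname "$DOWNSTREAM" ether type ip accept
    run nft add rule bridge filter forward iifname "$UPSTREAM" ether type ip ip protocol icmp accept
    run nft add rule bridge filter forward iifname "$UPSTREAM" ether type ip tcp dport 22 accept
}

# The whole plan in order; returns the command list when dry-running.
filtering_bridge_plan() {
    bridge_setup
    bridge_filter
}

filtering_bridge_plan
```

Run it once without APPLY to review the plan, then `APPLY=1 ./bridge.sh` as root. The security property worth checking in the output is that no `ip addr add` ever appears: the box forwards and filters but is not itself an IP endpoint, which is what makes the filtering bridge hard to find and hard to attack.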