From: Hugo C. <hu...@hu...> - 2004-03-23 14:17:15

Hi, I've been playing with CoLinux and I've been thinking about how one would configure a windows-colinux with a single public IP so that the public IP was assigned to colinux. Then it (colinux) would share (NAT) internet access to windows. That would effectively provide a Linux Firewall, which can be configured with fun things like packet shaping and all, in a Windows box with (I believe) little overhead for normal DSL/Cable speeds. Having a computer services company of my own I could see myself selling some form of this solution. Any ideas?
From: <ch...@to...> - 2004-03-23 16:25:17

This may be possible.

I do not think that it is possible to have more than 1 virtual nic on coLinux yet, but it probably does not matter because you are not limited by the speed of the hardware. So an alias on the 1 nic is probably good.

    ifconfig eth0 realPublicIpAddress netmask .....
    ifconfig eth0:1 192.168.0.1

Enable everything to forward for now.

Set up 2 TAP interfaces on windows, one to do a native bridge to eth0 and the other to eth0:1, and only give windows a 192.168.0.? address and set up 192.168.0.1 as the windows gateway.

You may want to try to create an image of smoothwall or another router type distro to make things easy.

You want to be able to toggle easily between pass everything and block everything while trying to get this configured.

Check out some of the howto's on tldp.org for some networking info.

Just making some guesses here, I have not tried any of this.

chris

> Hi, I've been playing with CoLinux and I've been thinking about how one
> would configure a windows-colinux with a single public IP so that the
> public IP was assigned to colinux. Then it (colinux) would share (NAT)
> internet access to windows. That would effectively provide a Linux
> Firewall, which can be configured with fun things like packet shaping and
> all, in a Windows box with (I believe) little overhead for normal
> DSL/Cable speeds. Having a computer services company of my own I could see
> myself selling some form of this solution. Any ideas?
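
The guest-side forwarding and NAT that the message above leaves as "enable everything to forward for now", with the pass/block toggle it asks for plus a filtered mode, as an added example that is not part of the thread. Assumptions: iptables with the state match is available in the coLinux guest, 203.0.113.10 is a placeholder for realPublicIpAddress, the alias subnet is a /24, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. PUBLIC_IP is a documentation-range
# placeholder for realPublicIpAddress; LAN_NET is the subnet of the eth0:1 alias.
PUBLIC_IP="203.0.113.10"
LAN_NET="192.168.0.0/24"
WAN_IF="eth0"

# Print the commands for one mode:
#   pass   - forward everything ("enable everything to forward for now")
#   block  - forward nothing
#   filter - only connections opened from the Windows side, plus their replies
# eth0:1 is an address alias, not an interface, so iptables cannot match it
# with -i/-o. The Windows side is identified by address instead.
emit_rules() {
    case "$1" in
        pass|block|filter) ;;
        *) echo "usage: emit_rules pass|block|filter" >&2; return 2 ;;
    esac
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    if [ "$1" = "pass" ]; then
        echo "iptables -P FORWARD ACCEPT"
    else
        echo "iptables -P FORWARD DROP"
    fi
    if [ "$1" = "filter" ]; then
        echo "iptables -A FORWARD -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
    # Traffic between 192.168.0.1 and the Windows address also leaves via eth0;
    # exempt it so only Internet-bound packets are rewritten to the public IP.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
    if [ "$1" = "block" ]; then
        echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Apply a mode for real (needs root inside the coLinux guest).
apply_rules() {
    rules=$(emit_rules "$1") || return
    printf '%s\n' "$rules" | sh
}

case "${1:-}" in
    --apply) apply_rules "${2:-filter}" ;;
    *) emit_rules filter ;;    # dry run: print the filtered rule set
esac
```

Run without arguments it only prints the filtered rule set; `--apply pass`, `--apply block` or `--apply filter` switches modes inside the guest.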
From: Clemmitt M. S. <sig...@bl...> - 2004-03-23 18:08:59

Hi,

On Tue, 23 Mar 2004, Hugo Campos wrote:
> Hi, I've been playing with CoLinux and I've been thinking about how one
> would configure a windows-colinux with a single public IP so that the
> public IP was assigned to colinux. Then it (colinux) would share (NAT)
> internet access to windows. That would effectively provide a Linux
> Firewall, which can be configured with fun things like packet shaping
> and all, in a Windows box with (I believe) little overhead for normal
> DSL/Cable speeds.

I think Chris's earlier post sounds like something neat to try. But I'll repeat what I said on the Help forum FWIW.

Disclaimer: IANAcLD. Windows is the host OS for coLinux. To access the coLinux network functionality, the packets have to pass through the Windows network stack first. So I don't think it's possible for a coLinux installation to filter the incoming packets for the instance of Windows it's running on.

But I think Chris has a good point. If what you want is packet shaping or filtering of Windows user traffic, his idea sounds like an excellent place to start. I don't think this will protect against an attack that exploits network-related holes in Windows.

If I've got this wrong, someone please correct me!

Clemmitt
From: <ch...@to...> - 2004-03-23 19:30:11

Sorry Clemmitt, I just re: to you first time, meant to re: all.

Disclaimer: IANAMCSE and IANAcLD

If the bridging is set up correctly then only the ethernet level of the stack should be used for the unfiltered data; because windows does not have an address on the physical lan, all TCP/IP traffic will be filtered.

But Clemmitt's point is valid because there could be non TCP/IP holes such as netbeui or any other network layer protocols that are left open on windows, or a carefully formed TCP/IP packet that could exploit a flaw in the lower layers, and also any raw ethernet holes that there may be in windows.

Long story short, this would not be any better than any other host based firewall except for maybe a lot more flexibility.

Other windows specific host based firewalls probably take the fact that they are running on windows and at least holler at you if netbeui or something else is on.

chris

> Hi,
>
> On Tue, 23 Mar 2004, Hugo Campos wrote:
>> Hi, I've been playing with CoLinux and I've been thinking about how one
>> would configure a windows-colinux with a single public IP so that the
>> public IP was assigned to colinux. Then it (colinux) would share (NAT)
>> internet access to windows. That would effectively provide a Linux
>> Firewall, which can be configured with fun things like packet shaping
>> and all, in a Windows box with (I believe) little overhead for normal
>> DSL/Cable speeds.
>
> I think Chris's earlier post sounds like something neat to try. But
> I'll repeat what I said on the Help forum FWIW.
>
> Disclaimer: IANAcLD. Windows is the host OS for coLinux. To access the
> coLinux network functionality, the packets have to pass through the
> Windows network stack first. So I don't think it's possible for a coLinux
> installation to filter the incoming packets for the instance of Windows
> it's running on.
>
> But I think Chris has a good point. If what you want is packet shaping
> or filtering of Windows user traffic, his idea sounds like an excellent
> place to start. I don't think this will protect against an attack
> that exploits network-related holes in Windows.
>
> If I've got this wrong, someone please correct me!
>
> Clemmitt