From: Olaf S. <ca...@gm...> - 2008-07-07 19:40:54

Hiya,

I'd like to know your opinion on the following solution: a small and basic coLinux Debian distro functioning as a virtual router for the Windows box running that coLinux. I was inspired by:
http://colinux.wikia.com/wiki/Network#Keep_Windows_off_the_network_--_surf_via_Linux

Would it be possible to force all Windows traffic to the coLinux machine and through it, to the Internet? Can we achieve total separation of the Windows box, like when a hardware router box is used? Would it be resource-wise in regard to cpu/mem and hdd space usage, compared to native Windows software firewall/IDS solutions?

Kind regards,
Olaf Siejka

2008/7/7, col...@li... <col...@li...>:
> Message: 1
> Date: Mon, 07 Jul 2008 23:26:55 +0800
> From: Menghan Zheng <thu...@gm...>
> Subject: [coLinux-users] port forwarding problem at colinux
>
> I installed Debian/testing on Windows XP SP3.
> I configured my network like this:
>
> on XP: I have a static ip: 59.66.143.127
> on Debian: my /etc/network/interfaces is like:
>     auto lo
>     iface lo inet loopback
>     auto eth0
>     iface eth0 inet static
>         address 192.168.0.40
>         netmask 255.255.255.0
>         gateway 192.168.0.1
>
> I installed the virtual network adapter the tuntap way:
>     eth1=tuntap (from example.conf)
>
> Then all went well: colinux could connect to www.google.com, and my XP
> can connect to my colinux.
> But now I have to start a service in my colinux at port 23 (you're
> right, it's telnet). I want to share the service with IPs outside my
> local machine, that is to say: ip (59.66.143.126) can telnet to my
> colinux at port 23.
> How should I configure my colinux network?
>
> //I'm sorry for my poor English.
>
> --
> Keep In Touch!
> Electronics Engineering Department, Tsinghua University
>
> ------------------------------
>
> Message: 2
> Date: Mon, 07 Jul 2008 19:17:29 +0200
> From: Josep Maria Antolín Segura <ja...@pa...>
> Subject: Re: [coLinux-users] port forwarding problem at colinux
>
> Your configuration is a bit unusual (meaning that some of the
> solutions do not apply to you), yet there are still possibilities:
>
> First of all, your configuration only allows you to use colinux via
> NAT, because otherwise you would need a secondary *internet* IP for it.
>
> Usually, a router would do the NAT for you, so you would redirect
> packets entering a specific port to the colinux machine. In your case,
> you need a software NAT package installed in Windows, which would then
> map the ports. And you're lucky: there's a mode of colinux that lets
> you do it: "Slirp".
>
> http://colinux.wikia.com/wiki/Network#Slirp
>
> Briefly: you need to specify in the config file the ports that you
> need to access from the internet, and configure linux as dhcp (or
> static, with the info on that page).
>
> Note that the slirp-net-daemon shipped with the current stable release
> has a minor issue with packets, and there's an updated one on
> sourceforge:
>
> http://sourceforge.net/project/showfiles.php?group_id=98788&package_id=107317&release_id=385643
>
> --
> Josep Ma [JAZ]
>
> ------------------------------
>
> End of coLinux-users Digest, Vol 27, Issue 3

From: Henry N. <hen...@ar...> - 2008-07-08 21:32:56

Hello Olaf,

Olaf Siejka wrote:
> I'd like to know your opinion on the following solution: a small and
> basic coLinux Debian distro functioning as a virtual router for the
> Windows box running that coLinux. I was inspired by:
> http://colinux.wikia.com/wiki/Network#Keep_Windows_off_the_network_--_surf_via_Linux
>
> Would it be possible to force all Windows traffic to the coLinux
> machine and through it, to the Internet? Can we achieve total
> separation of the Windows box, like when a hardware router box is
> used? Would it be resource-wise in regard to cpu/mem and hdd space
> usage, compared to native Windows software firewall/IDS solutions?

CoLinux was developed for speed and low resource consumption, not for security. CoLinux itself, as a Windows application, needs access to the network in your example. So, if you allow coLinux network access, then all other Windows applications (bad or good) also have access to the network in the same way. Sure, you can install some tools to allow only coLinux network access. But after such a setup, you do not need coLinux as a firewall. You can then also set up your firewall to allow only the browser, mail and so on to access the internet.

The answer about "force all" traffic to coLinux is no.

For your resource questions: a Windows firewall and a native Windows proxy would work better. Better for the hdd space and cpu load.

If you wish total security, then only a real outside hardware box (router) can do it.

Another case is if you surf with the Linux Firefox inside coLinux. This would be much safer, because with this type of coLinux use you are a Linux user and inside a virtual machine.

--
Henry N.

From: Holger K. <hol...@gm...> - 2008-07-10 12:17:10

Henry Nestler wrote:
> CoLinux was developed for speed and low resource consumption, not for
> security. CoLinux itself, as a Windows application, needs access to
> the network in your example. So, if you allow coLinux network access,
> then all other Windows applications (bad or good) also have access to
> the network in the same way. Sure, you can install some tools to allow
> only coLinux network access. But after such a setup, you do not need
> coLinux as a firewall. You can then also set up your firewall to allow
> only the browser, mail and so on to access the internet.
>
> The answer about "force all" traffic to coLinux is no.

I dare to disagree. You can do that if you bridge the network card with a tap device and remove any protocol from the bridge. All communication would go through colinux and get filtered and back to windows through a second tap device.

> For your resource questions: a Windows firewall and a native Windows
> proxy would work better. Better for the hdd space and cpu load.

Better for hdd space and cpu load, that is true. Not if configurability or centralised configuration comes into play. Having iptables everywhere makes things easier.

> If you wish total security, then only a real outside hardware box
> (router) can do it.
> Another case is if you surf with the Linux Firefox inside coLinux.
> This would be much safer, because with this type of coLinux use you
> are a Linux user and inside a virtual machine.

Both of those, of course, are right.

From: David K. <da...@gi...> - 2008-07-10 14:52:59

Hi Holger,

"Holger Krull" <hol...@gm...>
> I dare to disagree. You can do that [force all traffic to go through
> coLinux] if you bridge the network card with a tap device and remove
> any protocol from the bridge.
>
> All communication would go through colinux and get filtered and back
> to windows through a second tap device.

Could you provide detailed steps on how to do this?

I've always been interested in setting up Colinux to be my windows firewall, too.

Thanks!

-dave

From: Paolo M. <pao...@gm...> - 2008-07-10 15:01:13

Yes, it is very interesting! Colinux doesn't touch the system. Perhaps only some small string in the registry.

I'm interested too!

As I am writing this email, I would like someone to try the NUM-LOCK key in the colinux-nt console. It takes 2 seconds ;=) and 10 seconds to write an email saying "works" or "does not work".

For me it does not work, but it is interesting to know if the problem also occurs on keyboards with a different layout. I use the Italian layout and I had the problem. I have adjusted it (a little change in the source code) and for me it now works OK.

Thanks,
Paolo

From: Holger K. <hol...@gm...> - 2008-07-10 23:48:06

David Kaufman wrote:
> Hi Holger,
>
> "Holger Krull" <hol...@gm...>
>> I dare to disagree. You can do that [force all traffic to go through
>> coLinux] if you bridge the network card with a tap device and remove
>> any protocol from the bridge.
>>
>> All communication would go through colinux and get filtered and back
>> to windows through a second tap device.
>
> Could you provide detailed steps on how to do this?
>
> I've always been interested in setting up Colinux to be my windows
> firewall, too.

Assuming you have colinux up and running on XP with a bridged tap device and an external router for your internet connection, and windows and colinux have different ip addresses, you need to:

1. Install a second tap device.
   Open a shell, cd to your colinux directory\netdriver, and run

       tapcontrol.exe install OemWin2k.inf TAP0801co

   Answer yes to the questions.

2. Check in the network configuration that an additional network device showed up. Open its configuration and unbind everything except tcp/ip. Assign a static address (192.168.15.1/255.255.255.0 for example). Don't use a subnet you already have, don't assign a public/routed address. (Windows probably needs to reboot.)

3. Change your colinux conf to assign the second network interface, like:

       eth0=tuntap,"LAN-Verbindung 3",02:00:00:00:00:02
       eth1=tuntap,"LAN-Verbindung 4",02:00:00:00:00:03

   You have to change the names of the "LAN-Verbindung X" according to the names in your network config. Make sure you don't change the mac address of your previously existing connection. You need DIFFERENT mac addresses on both tap interfaces.

4. Boot colinux, check if both interfaces exist (ifconfig).

5. Assign a static address to eth1 (the new interface) from the same subnet as your windows tap device (192.168.15.2/255.255.255.0). (Restart networking if necessary.)

6. Ping the eth1 address from windows, and vice versa. If that doesn't work, check the network configuration/reboot.

7. Check if the internet connection from colinux works (ping a server).

8. Enable routing in colinux:

       echo 1 > /proc/sys/net/ipv4/ip_forward

   Write that in a local startup file. Maybe boot.local depending on your distro. (Don't know what debian uses these days.)

9. Unbind any protocol/service from the tap/ethernet card bridge in windows.

10. Set the colinux address as default router on the tap interface in windows. (You probably need to reboot windows.)

11. Ping an internet server from Windows.

12. Set up iptables. (Depending on your rules, disable routing.)

I recommend installing bind9 on colinux and adding colinux as a nameserver on the windows tap interface.

If you don't have an external router doing the internet connection, you need to configure colinux to do that and probably set up nat in colinux.

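A starting ruleset for step 12 of the message above, as an added example that is not part of the original post: a default-deny filter for the coLinux router that forwards only traffic from the Windows tap subnet and answers DNS for the recommended bind9. It assumes the interface roles and the example subnet from the steps (eth1 = tap link to Windows on 192.168.15.0/24, eth0 = bridged side); the function name `gen_rules` and its optional `nat` argument are made up here, and masquerading is only needed when the upstream router has no route back to the tap subnet.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the coLinux router.
# Assumed from the steps above: eth1 = tap link to Windows (192.168.15.0/24),
# eth0 = bridged interface towards the LAN/Internet router.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; nat=${4:-no}
    # Reject malformed arguments so a typo cannot yield a half-open ruleset.
    case $lan_net in
        ''|*[!0-9./]*|*/*/*) echo "bad subnet: $lan_net" >&2; return 1 ;;
        */*) ;;
        *) echo "bad subnet: $lan_net" >&2; return 1 ;;
    esac
    for i in "$lan_if" "$wan_if"; do
        case $i in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $i" >&2; return 1 ;;
        esac
    done
    [ "$lan_if" != "$wan_if" ] || { echo "interfaces must differ" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Windows may query bind9 on coLinux and ping it (step 6); nothing else.
-A INPUT -i $lan_if -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: the tap link must only carry the tap subnet's addresses.
-A FORWARD -i $lan_if ! -s $lan_net -j DROP
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
EOF
    [ "$nat" = nat ] || return 0
    # Optional: hide the tap subnet behind the coLinux address on $wan_if.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}
# Stand-alone use: sh thisfile eth1 eth0 192.168.15.0/24 [nat]
if [ "$#" -ge 3 ]; then gen_rules "$@"; fi
```

Inside coLinux, load the result as root with `gen_rules eth1 eth0 192.168.15.0/24 | iptables-restore`. Inbound connections from the bridged side are dropped by the default policies, so add explicit INPUT rules for any service coLinux itself should offer.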
From: H. N. <hen...@ar...> - 2008-07-10 16:16:08

Hello Holger,

Holger Krull wrote:
> Henry Nestler wrote:
> > CoLinux was developed for speed and low resource consumption, not
> > for security. CoLinux itself, as a Windows application, needs access
> > to the network in your example. So, if you allow coLinux network
> > access, then all other Windows applications (bad or good) also have
> > access to the network in the same way. Sure, you can install some
> > tools to allow only coLinux network access. But after such a setup,
> > you do not need coLinux as a firewall. You can then also set up your
> > firewall to allow only the browser, mail and so on to access the
> > internet.
> >
> > The answer about "force all" traffic to coLinux is no.
>
> I dare to disagree. You can do that if you bridge the network card
> with a tap device and remove any protocol from the bridge. All
> communication would go through colinux and get filtered and back to
> windows through a second tap device.

Oh, yes. That's a nice idea and would be possible. I had forgotten, and I was only thinking about a typical coLinux installation with one tap device.

Of course, it would be harder to set up in comparison with ready-to-use firewall setups à la "ZoneAlarm".

Henry
