From: <ch...@to...> - 2004-03-23 19:30:11
Sorry Clemmitt, I just re: to you first time, meant to re: all.

Disclaimer: IANAMCSE and IANAcLD

If the bridging is set up correctly then only the Ethernet level of the stack should be used for the unfiltered data. Because Windows does not have an address on the physical LAN, all TCP/IP traffic will be filtered. But Clemmitt's point is valid, because there could be non-TCP/IP holes such as NetBEUI or any other network layer protocols that are left open on Windows, or a carefully formed TCP/IP packet that could exploit a flaw in the lower layers, and also any raw Ethernet holes that there may be in Windows.

Long story short, this would not be any better than any other host-based firewall, except for maybe a lot more flexibility. Other Windows-specific host-based firewalls probably take into account the fact that they are running on Windows and at least holler at you if NetBEUI or something else is on.

chris

> Hi,
>
> On Tue, 23 Mar 2004, Hugo Campos wrote:
>> Hi, I've been playing with CoLinux and I've been thinking about how one
>> would configure a windows-colinux with a single public IP so that the
>> public IP was assigned to colinux. Then it (colinux) would share (NAT)
>> internet access to windows. That would effectively provide a Linux
>> Firewall, which can be configured with fun things like packet shaping
>> and all, in a Windows box with (I believe) little overhead for normal
>> DSL/Cable speeds.
>
> I think Chris's earlier post sounds like something neat to try. But
> I'll repeat what I said on the Help forum FWIW.
>
> Disclaimer: IANAcLD. Windows is the host OS for coLinux. To access the
> coLinux network functionality, the packets have to pass through the
> Windows network stack first. So I don't think it's possible for a coLinux
> installation to filter the incoming packets for the instance of Windows
> it's running on.
>
> But I think Chris has a good point. If what you want is packet shaping
> or filtering of Windows user traffic, his idea sounds like an excellent
> place to start. I don't think this will protect against an attack
> that exploits network-related holes in Windows.
>
> If I've got this wrong, someone please correct me!
>
> Clemmitt
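An added example, not part of the original thread: a small audit helper that sorts raw Ethernet frames seen on the physical adapter into TCP/IP-suite traffic and other network-layer protocols such as NetBEUI, which is the class of traffic the message says an IP filter on the bridged Linux side would not cover. The function names and the sample frames are constructed for illustration.

```python
import struct

# EtherTypes of the TCP/IP suite. Assumption from the message: Windows has no
# address on the physical LAN, so these are left to the bridged Linux side.
TCPIP = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
OTHER_ETHERTYPES = {0x8137: "IPX"}
# 802.2 LLC destination SAPs of some non-IP protocols.
LLC_DSAP = {0xF0: "NetBEUI", 0xE0: "IPX", 0x42: "STP"}

def classify(frame: bytes):
    """Return (protocol, is_tcpip) for one raw Ethernet frame.
    SNAP-encapsulated payloads are reported by DSAP only, not decoded."""
    if len(frame) < 14:
        return ("truncated", False)
    off = 12
    (value,) = struct.unpack_from("!H", frame, off)
    if value == 0x8100:                      # skip one 802.1Q VLAN tag
        off += 4
        if len(frame) < off + 2:
            return ("truncated", False)
        (value,) = struct.unpack_from("!H", frame, off)
    if value >= 0x0600:                      # Ethernet II: value is an EtherType
        if value in TCPIP:
            return (TCPIP[value], True)
        return (OTHER_ETHERTYPES.get(value, f"ethertype 0x{value:04x}"), False)
    if value <= 1500:                        # IEEE 802.3: value is a length, LLC follows
        if len(frame) < off + 3:
            return ("truncated", False)
        dsap = frame[off + 2]
        return (LLC_DSAP.get(dsap, f"LLC DSAP 0x{dsap:02x}"), False)
    return ("invalid type/length", False)    # 1501..1535 is undefined

def non_tcpip(frames):
    """Protocols seen on the wire that an IP-only filter never inspects."""
    return sorted({name for name, is_ip in map(classify, frames) if not is_ip})

# Constructed sample frames (not captured traffic): dst, src, type/length, payload.
SRC = bytes.fromhex("020000000001")
SAMPLE = [
    bytes.fromhex("020000000002") + SRC + bytes.fromhex("0800") + b"\x45" + bytes(19),
    bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0806") + bytes(28),
    bytes.fromhex("030000000001") + SRC + bytes.fromhex("0003") + bytes.fromhex("f0f003"),
    bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("8137") + bytes(30),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(classify(f))
    print("outside the IP filter:", non_tcpip(SAMPLE))
```

Any protocol this reports is one to unbind from the physical adapter on the Windows host, since nothing on the Linux side is filtering it.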