[plug] Firewalling virtual machines

Dean Bergin dean.bergin at gmail.com
Tue Nov 29 20:23:21 AWST 2016


Hello Brad,

Thanks for sharing that.

I have renewed faith in being able to safely run the newer generations of
Microsoft operating systems if needed with some more assurance towards
blocking things like telemetry etc.

Out of curiosity, do you allow any of the Windows VMs to auto-update? I
would be interested in a targeted solution to block telemetry, and other
"phone-home" mechanisms at a firewall level, while only allowing local or
specific subnets as well as automatic updates somehow.


On Tue, Nov 29, 2016 at 4:05 PM Brad Campbell <brad at fnarfbargle.com> wrote:

> G'day All,
>
> For years now I've been running Windows in various VMs. These generally
> have access to the local network but are prevented from interacting with
> the world by blocking them at the firewall.
>
> This has the unfortunate side effect of apps trying to phone home, being
> able to resolve names but then eventually having connections time out.
> This is something I've not looked into but been progressively annoyed by
> as time passed.
>
> This afternoon I was sufficiently motivated to have a look at the
> problem and found that 99.9% of these are HTTP or HTTPS requests that
> sit and time out. Having an Apache server on the network already for
> mrtg and cacti, I did a transparent redirect on the VM traffic so
> anything HTTP or HTTPS got redirected to the local Apache server which
> quickly answered with a 404.
>
> This made _all_ the delays go away instantly and my applications are now
> much more responsive because they get an instant reply. As an added
> bonus for information, the Apache logs give me the URLs they are trying
> to contact.
>
> Of course I might have been able to do the same thing by rigging
> iptables to reject the connection rather than have it drop the packets,
> but this was quick, easy and worked.
>
> Regards,
> Brad
-- 

Kind Regards,

*Dean Bergin*.
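
Added example, not part of either message: a summary of which hosts each VM tried to reach, built from the access log of the Apache server that answers the redirected requests, as a starting point for deciding which update hosts to allow. The LogFormat, the addresses, the hostnames and the `update.example.net` suffix are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed LogFormat for the sink vhost (not from the thread); it records the
# Host header, which the default formats omit:
#   LogFormat "%h %t \"%{Host}i\" \"%r\" %>s" vmsink
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[[^\]]+\] "(?P<host>[^"]*)" '
    r'"[A-Z]+ \S+[^"]*" (?P<status>\d{3})$'
)

# Constructed sample log; every address and hostname is a placeholder.
SAMPLE_LOG = r"""
192.168.1.50 [29/Nov/2016:16:01:02 +0800] "telemetry.example.com" "POST /collect HTTP/1.1" 404
192.168.1.50 [29/Nov/2016:16:01:09 +0800] "telemetry.example.com" "POST /collect HTTP/1.1" 404
192.168.1.50 [29/Nov/2016:16:02:30 +0800] "dl.update.example.net" "GET /manifest.cab HTTP/1.1" 404
192.168.1.51 [29/Nov/2016:16:03:11 +0800] "Update.Example.net:80" "HEAD /v1/check HTTP/1.1" 404
192.168.1.51 [29/Nov/2016:16:03:12 +0800] "-" "\x16\x03\x01" 400
"""


def summarise(log_text):
    """Return ({client_ip: Counter({host: hits})}, unparsed_line_count)."""
    per_client = defaultdict(Counter)
    unparsed = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m or m.group("host") in ("", "-"):
            # e.g. a TLS ClientHello that reached a plain-HTTP listener
            unparsed += 1
            continue
        host = m.group("host").lower().partition(":")[0]  # drop any :port
        per_client[m.group("client")][host] += 1
    return dict(per_client), unparsed


def split_hosts(per_client, allowed_suffixes):
    """Split observed hosts into (under an allowed suffix, everything else)."""
    seen = {h for hosts in per_client.values() for h in hosts}
    allowed = {h for h in seen
               if any(h == s or h.endswith("." + s) for s in allowed_suffixes)}
    return sorted(allowed), sorted(seen - allowed)


if __name__ == "__main__":
    clients, unparsed = summarise(SAMPLE_LOG)
    for ip, hosts in sorted(clients.items()):
        print(ip, hosts.most_common())
    print("unparsed lines:", unparsed)
    print(split_hosts(clients, ["update.example.net"]))
```

Lines counted as unparsed carry no usable Host header, so redirected HTTPS attempts may only show up in that count rather than by name.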