[plug] Firewalling virtual machines

Thomas Cuthbert tcuthbert90 at gmail.com
Tue Nov 29 21:21:18 AWST 2016


This does look cool - if you ever get a chance to test graphics passthrough,
let me know. I have been wanting to concurrently run my gaming rig and
Linux workstation for a few years now, but the technology just hasn't been
there (or at least not in a non-complicated way).


Regards,

Thomas Cuthbert


On Tue, Nov 29, 2016 at 8:23 PM, Dean Bergin <dean.bergin at gmail.com> wrote:

> Hello Brad,
>
> Thanks for sharing that.
>
> I have renewed faith in being able to safely run the newer generations of
> Microsoft operating systems if needed, with some more assurance towards
> blocking things like telemetry etc.
>
> Out of curiosity, do you allow any of the Windows VMs to auto-update? I
> would be interested in a targeted solution to block telemetry and other
> "phone-home" mechanisms at a firewall level, while only allowing local or
> specific subnets as well as automatic updates somehow.
>
>
> On Tue, Nov 29, 2016 at 4:05 PM Brad Campbell <brad at fnarfbargle.com>
> wrote:
>
>> G'day All,
>>
>> For years now I've been running Windows in various VMs. These generally
>> have access to the local network but are prevented from interacting with
>> the world by blocking them at the firewall.
>>
>> This has the unfortunate side effect of apps trying to phone home being
>> able to resolve names, but then eventually having connections time out.
>> This is something I've not looked into but have been progressively
>> annoyed by as time passed.
>>
>> This afternoon I was sufficiently motivated to have a look at the
>> problem and found that 99.9% of these are HTTP or HTTPS requests that
>> sit and time out. Having an Apache server on the network already for
>> mrtg and cacti, I did a transparent redirect on the VM traffic so
>> anything HTTP or HTTPS got redirected to the local Apache server, which
>> quickly answered with a 404.
>>
>> This made _all_ the delays go away instantly, and my applications are now
>> much more responsive because they get an instant reply. As an added
>> bonus, the Apache logs give me the URLs they are trying to contact.
>>
>> Of course I might have been able to do the same thing by rigging
>> iptables to reject the connection rather than have it drop the packets,
>> but this was quick, easy and worked.
>>
>> Regards,
>> Brad
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
> --
>
> Kind Regards,
>
> *Dean Bergin*.
>
>
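The setup Brad describes, rebuilt as an added example (these are not his actual rules, and the addresses are made up): a POSIX shell script for the Linux host or router that forwards traffic for a VM subnet. Outbound HTTP/HTTPS that is not headed for the LAN is DNATed to a local Apache box that answers everything with a 404, and whatever else leaves the VMs is refused with a TCP reset or ICMP port-unreachable rather than silently dropped, which is the "reject instead of drop" alternative he mentions. The subnets, the sink address and the optional extra allowed destination (one way to let updates through an internal update server without opening the whole internet, as Dean asks) are hypothetical parameters; the firewall command is read from $IPT so the rules can be printed with IPT=echo before being loaded as root. One caveat on the port 443 redirect: a TLS client will not see the 404, it aborts the handshake because the sink's certificate does not match (or because a plain-HTTP listener answers the ClientHello). That is just as quick, but only plain-HTTP requests leave their URL in the Apache access log.

```shell
#!/bin/sh
# Added example, not the rules from the thread. Fail-fast egress policy for a
# VM subnet on a Linux router (assumes net.ipv4.ip_forward=1 and leaves the
# router's own INPUT/OUTPUT policy untouched).
#
# Hypothetical parameters:
#   $1 VM_NET   VM subnet, e.g. 192.168.122.0/24
#   $2 LAN_NET  local network the VMs may still talk to, e.g. 192.168.1.0/24
#   $3 SINK     the local Apache box that answers everything with a 404
#   $4 ALLOW    optional extra destination the VMs may reach, e.g. an
#               internal update server, so updates need not open the internet
# $IPT is the firewall command; set IPT=echo to print the rules instead of
# loading them.

vm_egress_rules() {
    vm_net=$1; lan_net=$2; sink=$3; allow=${4:-}
    ipt=${IPT:-iptables}

    # Web traffic that is not for the LAN is rewritten to the sink.
    # nat/PREROUTING runs before filter/FORWARD, so the FORWARD rules below
    # already see $sink as the destination and accept it as LAN traffic.
    $ipt -t nat -A PREROUTING -s "$vm_net" ! -d "$lan_net" \
        -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$sink"
    # If the sink sits on the same segment as the VMs, its replies bypass the
    # router and the VM's TCP stack discards them (wrong source address), so
    # the timeouts come back. In that case add a MASQUERADE in nat/POSTROUTING
    # for $vm_net -> $sink, at the cost of losing the VM's address in the
    # Apache access log.

    # Local network stays reachable, and answers come back.
    $ipt -A FORWARD -s "$vm_net" -d "$lan_net" -j ACCEPT
    $ipt -A FORWARD -d "$vm_net" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ -n "$allow" ]; then
        $ipt -A FORWARD -s "$vm_net" -d "$allow" -j ACCEPT
    fi

    # Everything else is refused rather than dropped: TCP gets a RST, the rest
    # gets ICMP port-unreachable, so clients fail at once instead of waiting
    # out a connect timeout.
    $ipt -A FORWARD -s "$vm_net" -p tcp -j REJECT --reject-with tcp-reset
    $ipt -A FORWARD -s "$vm_net" -j REJECT --reject-with icmp-port-unreachable
}

# Dry run:  IPT=echo sh vm-egress.sh 192.168.122.0/24 192.168.1.0/24 192.168.1.5
# Apply:    sudo sh vm-egress.sh 192.168.122.0/24 192.168.1.0/24 192.168.1.5
if [ "$#" -ge 3 ]; then
    vm_egress_rules "$@"
fi
```

Run the dry run first and read the printed rules; the order matters, since the ACCEPT rules for the LAN and the optional destination must come before the two REJECT rules. The ESTABLISHED,RELATED rule is what lets the 404 (and any LAN reply) get back to the VM once the connection has been allowed out.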