[plug] Firewalling virtual machines

Brad Campbell brad at fnarfbargle.com
Tue Nov 29 22:35:26 AWST 2016

On 29/11/16 21:21, Thomas Cuthbert wrote:
> This does look cool - if you ever get a chance to test graphics passthru
> let me know. I have been wanting to concurrently run my gaming rig and
> linux workstation for a few years now but the technology just hasn't
> been there (or at least in a non-complicated way)

I toyed with PCIe passthrough on an old AMD GPU a few years ago, but I 
didn't really have a use case for it as I haven't played a game since 
"The Incredible machine 1 & 2" and they run great in dosbox.

I'm waiting for the new Intel GPU acceleration passthrough to mature as 
a number of packages I test would benefit from h264 decode offload on 
anything newer than an intel 3xxx cpu.

As for windows, no I don't generally install updates and I sure as heck 
don't ever let anything auto-update. I have installed service packs from 
time to time, but purely as a manual download/install.

I tend to use Windows VM's as a means to run one or more specific pieces 
of software, and as such I'm not worried about updates or getting infected.

There are a couple of pretty good block lists for proxies to block 
Windows telemetry, but you can't really block telemetry and allow 
auto-update as they seem to have some common servers in there. If you 
block telemetry Windows will try a plethora of different servers and 
urls to try and get around the block, and by the time you've finished 
the game of 'whack-a-mole' you've blocked most of Microsoft and a whole 
heap of domains you never knew they owned.

I've looked at the whitelist-only proxy idea, but there is currently 
nothing I need to access from any isolated machines so it's a long way 
down the list. If I were to do it I'd use privoxy.

I do run squid as a general proxy and that has a pretty long blacklist 
(including all the known MS telemetry domains) to prevent ios devices or 
windows machines getting updates or phoning home. VM's are strictly 
contained and completely isolated from the proxy also (as are my Chinese 
CCTV cameras).

Dolphins are so intelligent that within a few weeks they can
train Americans to stand at the edge of the pool and throw them

More information about the plug mailing list