[opensuse] Re: [opensuse-security] Can vmware network interfaces be controlled through susefirewall?
On Saturday 23 June 2007, Carlos E. R. wrote:
(I'm new to vmware)
vmware server created two interfaces, vmnet1 and vmnet8 - the task of each one is not clear to me -. The thing is, the hosted system (virtual machine) does have network access (I told it to use Nat), but I don't really know how, and whether it is protected by the firewall.
Of course, if there is a nice, easy to read, howto, just tell me :-)
If you use nat it is protected by the firewall, protected in the sense that unless you go in and specifically configure a routing, no inbound connections will be forwarded to the virtual machine.
So it's just like being behind a router. You can establish outbound connections in the virtual machine using just about any package (web browser, telnet, ssh, email, etc). It's just like having a machine behind a little hardware router. Until or unless you open any inbound ports you are pretty well protected.
If you wanted to run an ssh SERVER in a virtual machine, using nat you would have to go to /etc/vmware/vmnet8/nat and edit nat.conf to include a line something like this:
    [incomingtcp]
    # SSH
    8889 = 192.168.90.128:22
This would accept inbound connections on port 8889 and route them to the virtual machine on port 22.
You will then restart vmware, and as root in the host, you will see with netstat -anp that vmnet-natd is listening on port 8889 for you.
If you do not need inbound connections, you don't have to do any of this.
Warning: Anytime you update vmware, it has a habit of stomping all over your nat.conf so MAKE A BACKUP copy.
--
_____________________________________
John Andersen
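An added example, not part of the original thread: a small audit script that lists the inbound forwards a nat.conf defines and compares a backup against the live file, which is the check you want after a VMware update has rewritten the file. The function names and the sample files are constructed for illustration; it also reads an [incomingudp] section, which goes beyond the [incomingtcp] case shown in the message.

```shell
#!/bin/sh
# Added example: audit inbound forwards in a VMware nat.conf-style file.

# Print one line per forward: "<proto> <host-port> <guest-ip> <guest-port>".
list_nat_forwards() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        /^[ \t]*\[/ {                            # section header, e.g. [incomingtcp]
            sect = tolower($0); gsub(/[^a-z]/, "", sect); next
        }
        (sect == "incomingtcp" || sect == "incomingudp") && /=/ {
            line = $0
            sub(/#.*/, "", line)                 # strip trailing comment
            gsub(/[ \t]/, "", line)
            if (split(line, kv, "=") != 2) next
            if (split(kv[2], dst, ":") != 2) next
            if (kv[1] !~ /^[0-9]+$/ || dst[2] !~ /^[0-9]+$/) next
            print substr(sect, 9), kv[1], dst[1], dst[2]
        }
    ' "$1"
}

# Compare a backup against the live file: "-" = forward lost, "+" = forward added.
diff_nat_forwards() {
    old=$(mktemp); new=$(mktemp)
    list_nat_forwards "$1" | sort > "$old"
    list_nat_forwards "$2" | sort > "$new"
    comm -23 "$old" "$new" | sed 's/^/- /'
    comm -13 "$old" "$new" | sed 's/^/+ /'
    rm -f "$old" "$new"
}

# Constructed sample files (not real configs): a backup and a post-update copy.
demo=$(mktemp -d)
cat > "$demo/nat.conf.bak" <<'EOF'
[host]
ip = 192.168.90.2
[incomingtcp]
# SSH
8889 = 192.168.90.128:22
EOF
cat > "$demo/nat.conf" <<'EOF'
[host]
ip = 192.168.90.2
[incomingtcp]
EOF
list_nat_forwards "$demo/nat.conf.bak"
diff_nat_forwards "$demo/nat.conf.bak" "$demo/nat.conf"
```

On a real host, pass the path to the live nat.conf and to your backup copy instead of the sample files; any "+" line is an inbound port you did not have in the backup.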
The Saturday 2007-06-23 at 10:52 -0800, John Andersen wrote:
On Saturday 23 June 2007, Carlos E. R. wrote:
(I'm new to vmware)
vmware server created two interfaces, vmnet1 and vmnet8 - the task of each one is not clear to me -. The thing is, the hosted system (virtual machine) does have network access (I told it to use Nat), but I don't really know how, and whether it is protected by the firewall.
Of course, if there is a nice, easy to read, howto, just tell me :-)
If you use nat it is protected by the firewall, protected in the sense that unless you go in and specifically configure a routing, no inbound connections will be forwarded to the virtual machine.
Ah, right. I was a bit fuzzy about it.
So it's just like being behind a router. You can establish outbound connections in the virtual machine using just about any package (web browser, telnet, ssh, email, etc). It's just like having a machine behind a little hardware router. Until or unless you open any inbound ports you are pretty well protected.
Good. :-) So the windows virtual machine can be considered "safe". You see, one of the reasons to try vmware is to avoid needing to boot windows just to use a single app. Knowing that it can be kept fairly safe is an added bonus.
If you wanted to run an ssh SERVER in a virtual machine, using nat you would have to go to /etc/vmware/vmnet8/nat and edit nat.conf to include a line something like this:
    [incomingtcp]
    # SSH
    8889 = 192.168.90.128:22
This would accept inbound connections on port 8889 and route them to the virtual machine on port 22.
Ah, good to know, but I don't intend doing such things. Not for now, at least, but knowledge is always a good thing.
You will then restart vmware, and as root in the host, you will see with netstat -anp that vmnet-natd is listening on port 8889 for you.
If you do not need inbound connections, you don't have to do any of this.
Right.
Warning: Anytime you update vmware, it has a habit of stomping all over your nat.conf so MAKE A BACKUP copy.
Ha! Good to know. Yes, I back up the whole /etc, so that part is saved already.
What about the existing virtual machines, will I have to remake them? I'd better save an image, just in case.
--
Cheers, Carlos E. R.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Saturday 23 June 2007, Carlos E. R. wrote:
What about the existing virtual machines, will I have to remake them? I'd better save an image, just in case.
No, vmware does not touch existing Virtual machines when updates are applied to Vmware itself. That's not to say that you might not need to run an upgrade process in the virtual machine, but this is usually just as simple as installing vmware tools again. I'm still using virtual machines I created under Vmware 3.x. (This under Vmware Workstation.)
I also run Vmware Server (free) to host virtual machines on our company's Linux server, for applications that have to run in Windows. Like someone said on another thread - it's like rubber gloves for Windows. (Another latex article comes to mind....).
--
_____________________________________
John Andersen
participants (2)
- Carlos E. R.
- John Andersen