| 1 |
reader@×××××××.com wrote: |
| 2 |
> Setup: |
| 3 |
> Home Lan with principle desktop machine running Gentoo. |
| 4 |
> Three other machines running WinXP that are a trio of video and sound |
| 5 |
> editing machines. And finally my wifes WinXP machine in antoher room. |
| 6 |
> All connected by Gigabit lan thru a netgear FVP318 router/firewall. |
| 7 |
> |
| 8 |
> I want to begin scanning thru the traffic that bounces off my |
| 9 |
> router/firewall. |
| 10 |
> |
| 11 |
> The router logs themselves are in a bad cumbersom format. And if I |
| 12 |
> use an available option to output them to a lan System logger the |
| 13 |
> information is greatly truncated and nearly useless. |
| 14 |
> |
| 15 |
> Router logs can be emailed but again they are cumbersom and clunky. |
| 16 |
> That how I currently look through them. |
| 17 |
> |
| 18 |
> So cutting to the chase, I don't want to even mess around with those |
| 19 |
> methods. Been there done that... didn't like it. |
| 20 |
> |
| 21 |
> The router has an option to route traffic to a DMZ machine. In the |
| 22 |
> past when I got this same urge 2 or so years ago I setup an Openbsd |
| 23 |
> OS on an older PC. Buttoned it down what little I knew to do and had |
| 24 |
> lots of fun with incoming traffic.... I mean just studying and being |
| 25 |
> amazed etc. |
| 26 |
> |
| 27 |
> I want to do that again but don't have that old machine anymore and |
| 28 |
> don't want the unfamiliar hassle of relearning whatever I knew about |
| 29 |
> OpenBSD. |
| 30 |
> |
| 31 |
> I don't want the hassle of hardening my main desktop... preferring to |
| 32 |
> keep it pretty loose behind the firewall. Running a lan webserver and |
| 33 |
> the like. |
| 34 |
> |
| 35 |
> I wondered if any of the security buffs here could tell me if a vmware |
| 36 |
> gentoo guest running on one of the winXP boxes could be setup to have |
| 37 |
> an independant tap on the Firewall as DMZ and not be offering every |
| 38 |
> hack whiz out there a shot at my home lan. |
| 39 |
> |
| 40 |
> As I remember you can setup vmware with its own network address, not |
| 41 |
> sharing its hosts address to some degree. |
| 42 |
|
| 43 |
Yes, vmware allows you to run it in bridged mode for networking. This |
| 44 |
means that while you just have the one physical network card, it appears |
| 45 |
from the point of view of the rest of the network to be two devices, |
| 46 |
with different MAC addresses and IP address. |
| 47 |
|
| 48 |
> But I wondered.., since any traffic is really going thru that WinXP |
| 49 |
> hosts nic one way or another if it would be as safe as a truly |
| 50 |
> independant host with its own ethernet wire to the router. (which is |
| 51 |
> switched). |
| 52 |
|
| 53 |
I'm not a security expert, but my gut feeling here is that it *should* |
| 54 |
be fine. The windows host should never really "see" the traffic, beyond |
| 55 |
the driver level I suspect, as the driver will see the packet has a |
| 56 |
different MAC address on it, and pass it to vmware to deal with. Of |
| 57 |
course that's not to say some specially crafted packet couldn't exist to |
| 58 |
break this. Or that if they can exploit your vmware machine, they might |
| 59 |
some how from there exploit vmware itself and then execute code on the |
| 60 |
windows machine. Depends how paranoid you want to be... |
| 61 |
|
| 62 |
> Would I likely be opening my lan up for some christmas shopping by |
| 63 |
> having a gentoo guest on a WinXP host running as a DMZ machine? |
| 64 |
> It would be pretty barebones with a IPTABLE setup for logging and |
| 65 |
> tagging or whatever I get interested in doing with the traffic. |
| 66 |
> |
| 67 |
> No X server or other frills. |
| 68 |
|
| 69 |
Just to make sure here, the only traffic that is going to arrive at the |
| 70 |
DMZ host will be inbound packets that aren't routed to another host (due |
| 71 |
to port forwarding or PnP rules). Traffic between the other machines and |
| 72 |
the internet will NEVER be seen, since it will travel from that machine |
| 73 |
straight to the router, and return packets will go straight back to that |
| 74 |
machine, not the DMZ system. |
| 75 |
|
| 76 |
If all your wanting to do is see what people are doorknocking on your |
| 77 |
system (like the people that keep trying to guess passwords for my ssh |
| 78 |
server), then this should work. |
| 79 |
|
| 80 |
Shawn |
| 81 |
-- |
| 82 |
gentoo-user@g.o mailing list |
Archives