reader@×××××××.com wrote:

> Setup:
>
> Home LAN with principal desktop machine running Gentoo.
> Three other machines running WinXP that are a trio of video and sound
> editing machines. And finally my wife's WinXP machine in another room.
> All connected by Gigabit LAN thru a Netgear FVP318 router/firewall.
>
> I want to begin scanning thru the traffic that bounces off my
> router/firewall.
>
> The router logs themselves are in a bad, cumbersome format. And if I
> use an available option to output them to a LAN system logger the
> information is greatly truncated and nearly useless.
>
> Router logs can be emailed but again they are cumbersome and clunky.
> That's how I currently look through them.
>
> So cutting to the chase, I don't want to even mess around with those
> methods. Been there, done that... didn't like it.
>
> The router has an option to route traffic to a DMZ machine. In the
> past when I got this same urge 2 or so years ago I set up an OpenBSD
> OS on an older PC. Buttoned it down what little I knew to do and had
> lots of fun with incoming traffic.... I mean just studying and being
> amazed etc.
>
> I want to do that again but don't have that old machine anymore and
> don't want the unfamiliar hassle of relearning whatever I knew about
> OpenBSD.
>
> I don't want the hassle of hardening my main desktop... preferring to
> keep it pretty loose behind the firewall. Running a LAN webserver and
> the like.
>
> I wondered if any of the security buffs here could tell me if a VMware
> Gentoo guest running on one of the WinXP boxes could be set up to have
> an independent tap on the firewall as DMZ and not be offering every
> hack whiz out there a shot at my home LAN.
>
> As I remember you can set up VMware with its own network address, not
> sharing its host's address to some degree.

Yes, VMware allows you to run it in bridged mode for networking. This
means that while you just have the one physical network card, it appears
from the point of view of the rest of the network to be two devices,
with different MAC addresses and IP addresses.

> But I wondered.., since any traffic is really going thru that WinXP
> host's NIC one way or another, if it would be as safe as a truly
> independent host with its own ethernet wire to the router (which is
> switched).

I'm not a security expert, but my gut feeling here is that it *should*
be fine. The Windows host should never really "see" the traffic, beyond
the driver level I suspect, as the driver will see the packet has a
different MAC address on it, and pass it to VMware to deal with. Of
course that's not to say some specially crafted packet couldn't exist to
break this. Or that if they can exploit your VMware machine, they might
somehow from there exploit VMware itself and then execute code on the
Windows machine. Depends how paranoid you want to be...

> Would I likely be opening my LAN up for some Christmas shopping by
> having a Gentoo guest on a WinXP host running as a DMZ machine?
> It would be pretty barebones with an iptables setup for logging and
> tagging or whatever I get interested in doing with the traffic.
>
> No X server or other frills.

Just to make sure here, the only traffic that is going to arrive at the
DMZ host will be inbound packets that aren't routed to another host (due
to port forwarding or PnP rules). Traffic between the other machines and
the internet will NEVER be seen, since it will travel from that machine
straight to the router, and return packets will go straight back to that
machine, not the DMZ system.

If all you're wanting to do is see what people are doorknocking on your
system (like the people that keep trying to guess passwords for my SSH
server), then this should work.

Shawn
--
gentoo-user@g.o mailing list
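The thread ends with the idea of a bare-bones Gentoo DMZ guest that logs inbound "doorknocking" with iptables. The following is an added example, not code from the original post or from either participant: a small Python script that parses the syslog lines the iptables LOG target writes and summarises who is knocking on which ports, flagging sources that repeatedly open connections to the SSH port. The logging rule in the docstring and the log lines in SAMPLE_LOG are constructed for illustration; the thread gives neither.

```python
"""Summarise iptables LOG output from a bare-bones DMZ guest.

Added example for this thread, not code from the original post. It assumes
the guest logs new inbound connections on its bridged interface with a rule
like the following (hypothetical; the thread gives no rule):

    iptables -A INPUT -i eth0 -m conntrack --ctstate NEW \
             -j LOG --log-prefix "DMZ-IN: "

The syslog lines below are constructed samples in the format the iptables
LOG target writes; only the KEY=VALUE fields matter to the parser.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Dec 18 10:00:01 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 18 10:00:03 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 18 10:00:05 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 18 10:00:10 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.50 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9001 DF PROTO=TCP SPT=1052 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 18 10:00:11 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.50 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9002 DF PROTO=TCP SPT=1053 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 18 10:00:20 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=192.168.1.50 LEN=61 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=3072 DPT=53 LEN=41
Dec 18 10:00:30 dmz sshd[1201]: Failed password for root from 203.0.113.5 port 43211 ssh2
Dec 18 10:05:30 dmz kernel: DMZ-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1300 DF PROTO=TCP SPT=43300 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog header, optional "[uptime]" stamp, optional --log-prefix, then the IN= fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[[^\]]*\] )?(?:(?P<prefix>.*?): )?(?P<fields>IN=.*)$"
)
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("fields")
    rec = dict(KV_RE.findall(fields))
    # bare tokens such as DF or SYN carry no '='; keep them as a flag set
    rec["flags"] = {tok for tok in fields.split() if "=" not in tok}
    rec["prefix"] = m.group("prefix") or ""
    # syslog timestamps carry no year; deltas within a day are still correct
    rec["time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return rec


def parse_log(text):
    """Parse every iptables LOG line in a block of syslog text, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def hits_by_port(records):
    """Count inbound hits per (protocol, destination port)."""
    return Counter((r.get("PROTO"), int(r["DPT"])) for r in records if "DPT" in r)


def ports_by_source(records):
    """Distinct destination ports each source touched (a simple scan indicator)."""
    seen = defaultdict(set)
    for r in records:
        if "DPT" in r:
            seen[r["SRC"]].add(int(r["DPT"]))
    return dict(seen)


def repeat_connectors(records, port=22, threshold=3, window_seconds=60):
    """Sources that opened at least `threshold` TCP SYNs to `port` inside one
    sliding window of `window_seconds`. Returns {src: max SYNs in a window}."""
    times = defaultdict(list)
    for r in records:
        if r.get("PROTO") == "TCP" and r.get("DPT") == str(port) and "SYN" in r["flags"]:
            times[r["SRC"]].append(r["time"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best, j = 0, 0
        for i in range(len(ts)):
            # advance j to the first SYN outside the window that starts at ts[i]
            while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, dport), n in hits_by_port(recs).most_common():
        print(f"{proto}/{dport}: {n} inbound attempt(s)")
    for src, n in repeat_connectors(recs).items():
        print(f"{src}: {n} SSH connection attempts inside 60s")
```

Because the DMZ guest only ever receives packets the router could not match to a port-forwarding rule, every record here is by construction unsolicited, which is why a plain per-port count is already informative; the sliding-window check on port 22 singles out the password-guessing pattern Shawn mentions without needing the sshd log at all.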