Author Topic: Virtualization. Block guest from accessing localhost  (Read 2860 times)


Offline c64 (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Virtualization. Block guest from accessing localhost
« on: December 26, 2023, 12:28:09 am »
I always use a VM (VirtualBox) if I need to run dodgy/unknown software. Some of it may need access to the internet, so I give network access to the guest VM. However, it also gives it access to the "localhost" on the host computer with the ability to attack it.

Is it possible to give the guest access to the network only but not the localhost?
 

Offline c64 (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Re: Virtualization. Block guest from accessing localhost
« Reply #1 on: December 26, 2023, 12:30:20 am »
Host is Windows 7
 

Offline 50ShadesOfDirt

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Re: Virtualization. Block guest from accessing localhost
« Reply #2 on: December 26, 2023, 08:53:56 pm »
Perhaps these two nifty forum articles, over at virtualbox.org, cover what you need:

forums.virtualbox.org/viewtopic.php?t=107179
forums.virtualbox.org/viewtopic.php?f=35&t=96608#p468780

Hope this helps ...
 
The following users thanked this post: c64

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 298
  • Country: au
Re: Virtualization. Block guest from accessing localhost
« Reply #3 on: December 27, 2023, 01:31:05 am »
Set VM network device as bridged so it appears as its own network device and then VLAN to your router. It can live in its own subnet completely then.
« Last Edit: December 27, 2023, 01:33:08 am by Shonky »
 
The following users thanked this post: c64

Offline garrettm

  • Frequent Contributor
  • **
  • Posts: 343
  • Country: us
Re: Virtualization. Block guest from accessing localhost
« Reply #4 on: January 07, 2024, 08:16:28 pm »
If you have a USB NIC (wired or wireless), you could pass that over to the guest OS to bypass the host OS's NIC entirely. If you were on Linux and you have IOMMU capability with two onboard NICs, you can use KVM/QEMU to enable PCI pass-through of the second NIC. This is what I do for one of my Windows VMs under Linux. Generally, I disable networking for my Windows guest OS and instead use VirtioFS to pass files downloaded from the internet / my storage drive to the guest. If it isn't connected to the internet, you really don't need to update the OS, use Defender or the built-in firewall--which removes some of the fat-suit that MS requires to make their OS remotely safe to use. PCI pass-through can be used to move over an extra PCIe GPU, NVME drive or even whole USB or SATA controller for near native performance if you need Windows to play certain games or productivity software like CAD and the like.

« Last Edit: January 07, 2024, 08:19:49 pm by garrettm »
 
The following users thanked this post: c64

Offline dobsonr741

  • Frequent Contributor
  • **
  • Posts: 707
  • Country: us
Re: Virtualization. Block guest from accessing localhost
« Reply #5 on: January 07, 2024, 09:01:07 pm »
Given that you mentioned “dodgy” downloads and your host is Windows 7, I would get an isolated subnet/DMZ off the router. Setting it up depends on your router and skills.

And a Windows update.

Windows 7 has not been getting security patches for 3 years now, so that presents a clear and present danger. More than 2000 vulnerabilities, if you patched up to the latest: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/Microsoft-Windows-7.html
 

Offline c64 (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Re: Virtualization. Block guest from accessing localhost
« Reply #6 on: January 11, 2024, 10:43:32 pm »
I cannot set up my cheap router to have a separate subnet. However, I managed to set up the host to be on a separate subnet (an invalid one) using a static IP, and the guest to use a bridged network. It appears to be working fine. The host has no internet access, which is fine. I have a separate VM for web browsing and downloading stuff from the internet. The host is used for development and I prefer it to be offline.

router subnet 192.168.0.x
host IP: 192.168.99.99, no gateway, no DNS
guest: 192.168.0.100 (via DHCP)

Thanks for the hints regarding the subnet.
 

Offline c64 (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Re: Virtualization. Block guest from accessing localhost
« Reply #7 on: January 11, 2024, 10:45:28 pm »
> If you have a USB NIC (wired or wireless), you could pass that over to the guest OS to bypass the host OS's NIC entirely.

Good option as well
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8329
  • Country: de
  • A qualified hobbyist ;)
Re: Virtualization. Block guest from accessing localhost
« Reply #8 on: January 12, 2024, 11:38:49 am »
> I cannot set up my cheap router to have a separate subnet.

Is your router supported by OpenWRT?

> router subnet 192.168.0.x
> host IP: 192.168.99.99, no gateway, no DNS
> guest: 192.168.0.100 (via DHCP)

With that setup make sure that IPv6 is disabled (SLAAC would make your host system reachable).
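
The subnet layout from replies #6 and #8 as an added example (not part of any post in the thread): it checks which host addresses fall inside the guest's directly connected networks, first with IPv4 only and then with IPv6 left enabled. The /24 masks and all IPv6 addresses are constructed assumptions; the thread gives only the IPv4 addresses.

```python
import ipaddress

def on_link_exposure(host_ifaddrs, guest_ifaddrs):
    """Return (host_address, reason) pairs the guest can reach on-link.

    Each argument is a list of 'address/prefix' strings configured on the
    shared (bridged) segment. A host address is on-link for the guest when
    it lies inside one of the guest's connected networks of the same IP
    version, so no router or gateway is involved in reaching it.
    """
    guest_nets = [ipaddress.ip_interface(a).network for a in guest_ifaddrs]
    exposed = []
    for entry in host_ifaddrs:
        host_ip = ipaddress.ip_interface(entry).ip
        for net in guest_nets:
            if net.version == host_ip.version and host_ip in net:
                reason = "link-local" if host_ip.is_link_local else "shared prefix"
                exposed.append((str(host_ip), reason))
                break
    return exposed

# IPv4 addresses from the thread; the /24 masks are an assumption.
HOST_V4 = ["192.168.99.99/24"]
GUEST_V4 = ["192.168.0.100/24"]

# Constructed IPv6 addresses: what each side would hold with IPv6 enabled.
# fe80::/64 is automatic; 2001:db8:1:2::/64 stands in for a SLAAC prefix
# advertised by the router (documentation range, not a real prefix).
HOST_V6 = ["fe80::a00:27ff:fe11:2233/64", "2001:db8:1:2:a00:27ff:fe11:2233/64"]
GUEST_V6 = ["fe80::a00:27ff:fe44:5566/64", "2001:db8:1:2:a00:27ff:fe44:5566/64"]

def ipv4_only():
    return on_link_exposure(HOST_V4, GUEST_V4)

def with_ipv6_enabled():
    return on_link_exposure(HOST_V4 + HOST_V6, GUEST_V4 + GUEST_V6)

if __name__ == "__main__":
    print("IPv4 only:   ", ipv4_only())
    print("IPv6 enabled:", with_ipv6_enabled())
```
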
 

Offline c64 (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Re: Virtualization. Block guest from accessing localhost
« Reply #9 on: January 18, 2024, 02:55:14 am »
No, it's not supported by OpenWRT. IPv6 is disabled everywhere.
 

