ntblade
join:2008-04-17
| reply to Bubba17
Re: IPCop in VMWare: A How-to
Hi all. First post here 
Great info and how-to. I'm having a wee bit trouble getting my head round the virtual nets etc. in VMWare. My questions are:
1. If I setup a barebones server running say ubuntu server then install vmware server and then IPCop, can IPCop then protect the host machine?
2. I want to use a single box to setup IPCop with 3 physical and one virtual NICs - Red, Green, Blue are physical with Orange being virtual. Can this be done?
Many thanks for reading.
NTB |
|
Bubba17
Less is More
Premium
join:2006-09-21 | reply to genewitch
Appreciate the info, from all, regarding VMWare. Thanks.
--
"Fast is fine, but accuracy is everything" --Wyatt Earp |
|
sagager
@comcast.net |  reply to genewitch
Re: IPCop in VMWare: A How-to setup with just one NIC
Thank you Guys for all the help. I will get the second NIC.
This will be less work. And No, the modem does not have a USB port. |
|
genewitch
join:2007-09-12
Klamath Falls, OR
 ·Charter Pipeline
·Suddenlink
·Cebridge Connections
| reply to mikenolan7
said by mikenolan7  :You can get an AirLink 101 10/100 mps NIC for $5 at Fry's. They use the same Realtek 8139 chip as a lot of $20-25 NIC's. Save yourself a lot of headaches, and be more secure, unless you're just doing it to see if you could do it. a good point. I have a ton of realtek 10bt cards laying around, that's what i was gunna send him, cause they're guaranteed to work with ipcop either standalone or in vmware (and no drivers needed for win2k3, either!)
you can probably get nics on ebay for 50 cents, too :-D |
|
mikenolan7
Premium
join:2005-06-07
Torrance, CA | reply to sagager
You can get an AirLink 101 10/100 mps NIC for $5 at Fry's. They use the same Realtek 8139 chip as a lot of $20-25 NIC's. Save yourself a lot of headaches, and be more secure, unless you're just doing it to see if you could do it. |
|
genewitch
join:2007-09-12
Klamath Falls, OR
·Charter Pipeline
·Suddenlink
·Cebridge Connections
| reply to sagager
yeah i'm trying to figure out how it would work. because you'd basically have to run your computer to the switch, and the cable modem to the switch. IT MIGHT WORK if you have pppoe, but if your modem just gives out an IP(like mine does, suddenlink's network does that) then it'll be a pain. Does your modem have a USB port? If so, you're set. If you complain a tiny bit more i might be persuaded to ship you a NIC for free just so you can rave about how awesome my guide is |
|
sagager
@comcast.net
| reply to genewitch
This is my current configuration: Comcast Modem (Internet) connected via Ethernet cable to Linksys WRT54G WAN Port Router. LAN Port on Linksys Router Connected to Netgear 1Gbps 8 port switch. Win2K3 Server also connected to 2nd port on Netgear Switch.
5 Workstations connected to the remainder ports on Netgear Switch.
To use VMWARE with IPCOP in the win2k3 server will require a second NIC in this case or I can get away with one NIC?
This is what I am getting confused. I know that for routing it is usually required 2 NICs, but since VMware can create virtual NICs, I thought that with just one NIC it would do the trick. By my brain is not helping visualize that. Any light?
TIA |
|
genewitch
join:2007-09-12
Klamath Falls, OR
·Charter Pipeline
·Suddenlink
·Cebridge Connections
| reply to sagager
said by sagager :
Is it possible to do the configuration above on a Windows 2K3 Server with just ONE NIC and offer protection for a network with 5 PCs?
How would I configure the IPs for that single NIC and where do I point my clients IP to?
depends on what your internet is coming through. If you can do USB connection, then yes. if it requires ethernet, it might be possible, but i wouldn't hold my breathe over it. You'd really have to kludge stuff that couldn't be scripted, like unplugging computers from a switch that had the ethernet WAN on it or something. Basically, if you can free a NIC and still have internet access on your PC, my guide will work. |
|
sagager
@comcast.net | reply to genewitch
Is it possible to do the configuration above on a Windows 2K3 Server with just ONE NIC and offer protection for a network with 5 PCs?
How would I configure the IPs for that single NIC and where do I point my clients IP to? |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31 | reply to Mele20
Re: IPCop in VMWare: A How-to
How much did you pay for VM Workstation Marilyn? |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to Bubba17
said by Bubba17 :said by genewitch :1) install VMWare (preferably player as well) Not to change the tenor of this thread over to VMWare, but a quick question about it, please. At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free? Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"? Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase? Thanks. The 2 major differences are so major for anyone using VMWare to test software and/or so that they don't need to worry about getting a virus because they wanted to walk on the "wild side" for a bit, etc. that I would never consider using the Server.
The Server runs all the time as a Service which makes it potentially open to security issues that Workstation running in User mode doesn't have. Plus, the Server cannot do MULTIPLE snapshots which are ESSENTIAL for those of us who use VMwareWorkstation for beta testing and so that we don't have to worry about getting malware if we are a bit adventuresome in our web surfing. Plus, with Workstation there are not the Security problems that exist with Server running all the time as a service. A VMwareWorkstation computer runs when you boot it up and you shut it down when you are through and that is it. It runs when you want to use it and runs independently of the Host which is not the case with the Server.
You also cannot clone Server machines (unless you pay VMWare for extra software to do that). Cloning is easy and simple in WorkStation. So, with no cloning, no multiple snapshots...for my purposes Server is worthless. You also cannot do shared folder between Host and a virtual machine when using Server like you can with Workstation. You cannot do drag and drop between host and virtual machine with Server either. Nor would you be able to copy/paste a URL, etc. from host to virtual or vice-versa.
I would use Microsoft's program over the Server from VMWare. They made free something that many of wouldn't want. I don't think Server competes at all with Microsoft's free virtual machine. But the problem with Microsoft's offering is that it isn't very good compared to VMWareWorkstation. But it is free and that makes it the first virtualization program to try IMO. In Workstation 6 which I don't have you can take your virtual machines with you on a memory stick ...that would be nice. Can't do that with Server machines.
VMWare Player is free because it is preconfigured and you can get various configured OSes that have been made available that run in Player but you can't change them. You can run Player also within VMWareWorkstation so if you don't know how to install some Linux distro to a new virtual computer you have made, you can use Player within Workstation and run a premade virtual computer that already has some flavor of Linux all set up, configured and ready to go...but you can't change anything.
So, Server vs Workstation depends really on what you want the virtual machine for and on security issues. Server listens on ports that can be hacked but IPcop would fix that if you run it, but if not there is a vulnerability that workstation doesn't have. I want Workstation because it runs in User mode and I very much want to be able to shut down my virtual machines whenever I want and use them only when I want to use them and be able to with one simple click go to a different snapshot. Moving to another snapshot is done in the background and is very fast. I have 29 snapshots for one machine and the ease of making a snapshot before installing beta software, or any new software, and then reverting to that snapshot if the new software borks the computer is priceless and much faster and easier than relying on something like Acronis TI to go back to an earlier image.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
mikenolan7
Premium
join:2005-06-07
Torrance, CA
 ·Sprint Mobile Broa..
| reply to genewitch
I was using a roll-your-own linux firewall on one vserver "guest", and trying to set up a linux desktop on a second guest, on the same machine. I couldn't get the X11 working on the desktop. Didn't need or want it on the firewall. Vservers are not as flexible as VMware, you only run a single kernel, so you can only run linux. The single kernel is why it is so efficient with resources. It's meant more for servers (surprise), so it's not very friendly to X11. I found some links to get X11 working in a vserver guest, but I couldn't reproduce the results.
The primary security feature in vservers is keeping individual vserver guests in userland. To enable X11 you had to add capabilities to the guest that would make it possible for an attacker to escape the guest and attack the kernel. Kind of defeated the purpose, and I couldn't make it work anyway. I have no problems with X11 in many linux distros, freeBSD, and openBSD, but the vserver eluded me. User error. |
|
genewitch
join:2007-09-12
Klamath Falls, OR | reply to mikenolan7
ipcop doesn't require X11 though... or you meant you couldn't get X11 to work on your linux distro? |
|
mikenolan7
Premium
join:2005-06-07
Torrance, CA
·Sprint Mobile Broa..
| reply to genewitch
Have you tried the Linux Vserver? It is much more hardware efficient than VMware (I haven't tried the MS virtual machine). It's great for servers - run a DNS, DHCP server, etc. on different vservers. I tried to create something similar to what you have done on vmware with vservers, but I could not get X11 to work on the virtual desktop. Thanks for sharing your work. |
|
genewitch
join:2007-09-12
Klamath Falls, OR
·Charter Pipeline
·Suddenlink
·Cebridge Connections
| reply to mikenolan7
yeah i noted that in another forum, there is an ipcop virtual appliance, but it's hard to customize (hd size for instance). Also these instructions work for the MS VPC as well, so that's one reason.
I mentioned in the post above yours that i run it on my machine because i don't want to dedicate a machine to it. Also, this is the easiest way to firewall/route a network that uses a USB WLAN (cellular, for instance). there's several advantages, including not needing to remote to the ipcop machine, memory usage is negligible, and it's a lot more powerful than a cheap hardware solution (QOS for instance).
mine is a hardware router replacement, so it's working well for me. |
|
mikenolan7
Premium
join:2005-06-07
Torrance, CA
·Sprint Mobile Broa..
| reply to genewitch
I appreciate the work you have put in to document this. I am also genuinely curious about the advantage you see in creating the IPCop virtual machine over a standalone installation. Is your end goal to add a desktop image, and have it be protected by IPCop, all on one machine, or are there more advantages? I assume you are aware of the many virtual appliances available here:
»www.vmware.com/appliances/
But, of course, since they are binary images they are not as secure as following your instructions. |
|
genewitch
join:2007-09-12
Klamath Falls, OR
·Charter Pipeline
·Suddenlink
·Cebridge Connections
| reply to ironwalker
because i don't want to use/have another machine just as a router
And VMWare server is free i guess, the microsoft virtual machine is fine for this application though. I don't know how much the vmware player costs, it came as part of the package i have. |
|
GILXA1226
Premium,MVM
join:2000-12-29
London, OH
clubs:
| reply to Bubba17
said by Bubba17 :said by genewitch :1) install VMWare (preferably player as well) Not to change the tenor of this thread over to VMWare, but a quick question about it, please. At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free? Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"? Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase? Thanks. Look for VMWare Server, it's their completely free offering. I find it is far superior to MS Virtual Machine. |
|
ironwalker
World Renowned
Premium,MVM
join:2001-08-31
Keansburg, NJ
clubs:
·Optimum Online
| reply to genewitch
I too have been useing IpCop since version 1.
I always had a dedicated box for it....recently upgrading to a 500mhz pc with 1gig ram on a 35g scsi 15000rpm hdd.
Love the plugin options and lots of tweak advice, but, why would one need to run it on vmware? |
|
Bubba17
Less is More
Premium
join:2006-09-21
| reply to genewitch
said by genewitch :1) install VMWare (preferably player as well) Not to change the tenor of this thread over to VMWare, but a quick question about it, please.
At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free?
Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"?
Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase?
Thanks.
--
"Fast is fine, but accuracy is everything" --Wyatt Earp |
|
