
 genewitch
join:2007-09-12 Klamath Falls, OR
·Charter Pipeline
·Suddenlink
·Cebridge Connections
1 edit | reply to genewitch Re: IPCop in VMWare: A How-to
ok since there seems to be some confusion, the process explained here in a really short fashion is this:
1) install VMWare (preferably player as well)
2) Install IPCop on VMWare. tell vmware to use 32-48mb of ram if you don't want to use PROXY, 64-96mb of ram if you DO. (adjust to size of your network, small use low numbers, large, use higher!)
3) on the host machine, disable all of one NIC adapter's protocols except the VM networking one. (ETH1 in ipcop, second bridged network segment in vmware)
4) set the other NIC adapter to a private IP such as 192.168.2.10 - this should be the same subnet as your IPCop's IP address for ETH0 in ipcop, FIRST bridged network in vmware.
5) reboot your dsl modem/cable modem. reboot IPCop at the same time
6) after rebooting, release and renew all network machines. in a web browser, go to https://192.168.2.1:445/ (or whatever IPCop's IP was set to in the second step)
7) if you use PPPoE or whatever, set that up. this isn't meant as a tutorial for IPCop, so you can review the manuals for that.
8) if the "home/status" screen (top left menu, top item) shows you having a public IP address, then you're done.
To anyone who was asking "WHY WOULD YOU DO THIS": it's simple.
• IPCop is a stateful firewall, it's very fast, it's very small, and it probably uses less memory in VMWare player than any windows based firewall solution you can think of.
• it doesn't drain your CPU resources at all (1-2% unless it's doing log rollovers or caching a huge amount of stuff in squid).
• It has a transparent proxy (squid is default) included, that requires no client machine setup.
• Any web traffic is cached on the host machine in the vmware HD, if you so desire.
• IPCop supports intrusion detection, as well as hack detection. (snort, tripwire included by default)
• IPCop supports scanning for viruses on the fly INSIDE THE VM MACHINE, while data is being transferred. does your linksys/dlink router do that? (the answer is no).
• IPCop allows you to set host exclusion on an entire network segment, as opposed to having to edit hosts.lm on every client machine. (ad block, spam block, pornsite block, whatever you want).
• IPCop supports an awesome VPN scheme, allowing up to 4 or 5 networks to connect together as one big network with several subnets.
• IPCop has QOS - you can make web traffic take precedence over every other type of traffic. This means, for instance, if you run any sort of server on your network, that you can guarantee that that server is running on a low latency, high bandwidth connection regardless of how much other data is going through your connection. This is great for VOIP applications and on networks where you want to guarantee certain types of packets always get through.
• IPCop doesn't allow lazy port forwarding, DMZ, Large holes in the firewall. It's all pinhole, 1 port at a time. I haven't run into any applications that have a problem with this scheme, as IPCop is stateful, it can determine if traffic is supposed to go through to a client if the client started the handshake.
i am sure there are other firewall solutions similar to IPCop. I've just been using IPCop since it hit 1.x version, and i love it, and it always works for what i need it for.
To answer the other question, "what if i only have one network adapter" there's two answers. If you're looking at running a LAN, then you need a cable/dsl modem that supports USB. If that's the case, follow my guide to the letter, just substituting the USB NIC as the physical NIC ETH1 in ipcop, and second bridged network in VMWare. If your modem doesn't support usb, and you still want to run a LAN with ipcop, you're out of luck. NICs are cheap, go to salvation army/choc/whatever surplus store you have nearby and pick one up for less than $5. Online you can find them for about the same price for a 10bt NIC (which unless you have FIOS or T3 should suffice for internet traffic).
HOWEVER! if you have 1 computer, and one modem, and you want a complete firewall solution, then IPCop will still work! However since i have not done this i cannot provide you with a walk through. if there is a sincere interest about this particular subject, i will experiment with the software and see what i can come up with! LET ME KNOW!
Any other clarification needed, please ask! (please reply to THIS message instead of the OP, because i accidentally turned off notification for the OP :-(
| |   Bubba17 Less is More Premium join:2006-09-21
| said by genewitch :
1) install VMWare (preferably player as well)

Not to change the tenor of this thread over to VMWare, but a quick question about it, please.
At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free?
Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"?
Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase?
Thanks.
-- "Fast is fine, but accuracy is everything" --Wyatt Earp
| |   GILXA1226 Premium,MVM join:2000-12-29 London, OH clubs:
| said by Bubba17 :
said by genewitch :
1) install VMWare (preferably player as well)
Not to change the tenor of this thread over to VMWare, but a quick question about it, please.
At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free?
Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"?
Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase?
Thanks.

Look for VMWare Server, it's their completely free offering. I find it is far superior to MS Virtual Machine.
| |  Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Bubba17
said by Bubba17 :
said by genewitch :
1) install VMWare (preferably player as well)
Not to change the tenor of this thread over to VMWare, but a quick question about it, please.
At the VMWare site, there exist numerous product offerings. It's "VMWare Workstation" that is targeted for home/SOHO use? If so, it's priced at $189.00. The "VMWare player" is free?
Is there a free VMWare offering that I just overlooked? Or, is purchase required to use "VMWare"?
Are there huge differences between VMWare and the free MS Virtual Machine that make VMWare worth the purchase?
Thanks.

The 2 major differences are so major for anyone using VMWare to test software and/or so that they don't need to worry about getting a virus because they wanted to walk on the "wild side" for a bit, etc. that I would never consider using the Server.
The Server runs all the time as a Service which makes it potentially open to security issues that Workstation running in User mode doesn't have. Plus, the Server cannot do MULTIPLE snapshots which are ESSENTIAL for those of us who use VMwareWorkstation for beta testing and so that we don't have to worry about getting malware if we are a bit adventuresome in our web surfing. Plus, with Workstation there are not the Security problems that exist with Server running all the time as a service. A VMwareWorkstation computer runs when you boot it up and you shut it down when you are through and that is it. It runs when you want to use it and runs independently of the Host which is not the case with the Server.
You also cannot clone Server machines (unless you pay VMWare for extra software to do that). Cloning is easy and simple in WorkStation. So, with no cloning, no multiple snapshots...for my purposes Server is worthless. You also cannot do shared folder between Host and a virtual machine when using Server like you can with Workstation. You cannot do drag and drop between host and virtual machine with Server either. Nor would you be able to copy/paste a URL, etc. from host to virtual or vice-versa.
I would use Microsoft's program over the Server from VMWare. They made free something that many of us wouldn't want. I don't think Server competes at all with Microsoft's free virtual machine. But the problem with Microsoft's offering is that it isn't very good compared to VMWareWorkstation. But it is free and that makes it the first virtualization program to try IMO. In Workstation 6 which I don't have you can take your virtual machines with you on a memory stick ...that would be nice. Can't do that with Server machines.
VMWare Player is free because it is preconfigured and you can get various configured OSes that have been made available that run in Player but you can't change them. You can run Player also within VMWareWorkstation so if you don't know how to install some Linux distro to a new virtual computer you have made, you can use Player within Workstation and run a premade virtual computer that already has some flavor of Linux all set up, configured and ready to go...but you can't change anything.
So, Server vs Workstation depends really on what you want the virtual machine for and on security issues. Server listens on ports that can be hacked but IPcop would fix that if you run it, but if not there is a vulnerability that workstation doesn't have. I want Workstation because it runs in User mode and I very much want to be able to shut down my virtual machines whenever I want and use them only when I want to use them and be able to with one simple click go to a different snapshot. Moving to another snapshot is done in the background and is very fast. I have 29 snapshots for one machine and the ease of making a snapshot before installing beta software, or any new software, and then reverting to that snapshot if the new software borks the computer is priceless and much faster and easier than relying on something like Acronis TI to go back to an earlier image.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason
| |   Grail Knight Who Dares Wins Premium join:2003-05-31
| How much did you pay for VM Workstation Marilyn?
| |   sagager
@comcast.net | reply to genewitch Re: IPCop in VMWare: A How-to setup with just one NIC
Is it possible to do the configuration above on a Windows 2K3 Server with just ONE NIC and offer protection for a network with 5 PCs? How would I configure the IPs for that single NIC and where do I point my clients IP to?
| |  genewitch
join:2007-09-12 Klamath Falls, OR
| said by sagager :
Is it possible to do the configuration above on a Windows 2K3 Server with just ONE NIC and offer protection for a network with 5 PCs? How would I configure the IPs for that single NIC and where do I point my clients IP to?

depends on what your internet is coming through. If you can do USB connection, then yes. if it requires ethernet, it might be possible, but i wouldn't hold my breath over it. You'd really have to kludge stuff that couldn't be scripted, like unplugging computers from a switch that had the ethernet WAN on it or something. Basically, if you can free a NIC and still have internet access on your PC, my guide will work.
| |   sagager
@comcast.net
| This is my current configuration:
Comcast Modem (Internet) connected via Ethernet cable to Linksys WRT54G WAN Port Router.
LAN Port on Linksys Router Connected to Netgear 1Gbps 8 port switch.
Win2K3 Server also connected to 2nd port on Netgear Switch.
5 Workstations connected to the remainder ports on Netgear Switch.
To use VMWARE with IPCOP in the win2k3 server will require a second NIC in this case or I can get away with one NIC? This is what I am getting confused. I know that for routing it is usually required 2 NICs, but since VMware can create virtual NICs, I thought that with just one NIC it would do the trick. But my brain is not helping visualize that. Any light? TIA
| |  genewitch
join:2007-09-12 Klamath Falls, OR
| yeah i'm trying to figure out how it would work. because you'd basically have to run your computer to the switch, and the cable modem to the switch. IT MIGHT WORK if you have pppoe, but if your modem just gives out an IP (like mine does, suddenlink's network does that) then it'll be a pain. Does your modem have a USB port? If so, you're set. If you complain a tiny bit more i might be persuaded to ship you a NIC for free just so you can rave about how awesome my guide is
| |  mikenolan7 Premium join:2005-06-07 Torrance, CA
| reply to sagager
You can get an AirLink 101 10/100 mps NIC for $5 at Fry's. They use the same Realtek 8139 chip as a lot of $20-25 NIC's. Save yourself a lot of headaches, and be more secure, unless you're just doing it to see if you could do it.
| |  genewitch
join:2007-09-12 Klamath Falls, OR
| said by mikenolan7 :
You can get an AirLink 101 10/100 mps NIC for $5 at Fry's. They use the same Realtek 8139 chip as a lot of $20-25 NIC's. Save yourself a lot of headaches, and be more secure, unless you're just doing it to see if you could do it.

a good point. I have a ton of realtek 10bt cards laying around, that's what i was gunna send him, cause they're guaranteed to work with ipcop either standalone or in vmware (and no drivers needed for win2k3, either!)
you can probably get nics on ebay for 50 cents, too :-D
| |   sagager
@comcast.net
| Thank you Guys for all the help. I will get the second NIC. This will be less work. And No, the modem does not have a USB port.