Tom I don't think I've said this yet, but THANK YOU for the Shoreline Firewall. This is one of the finest and most important software packages I've ever used, and it always works.

I'll be making a donation in your name to the Alzheimer's Association as soon as I make some money on eBay. (very soon)

------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar
On 3/27/11 2:15 PM, CACook@quantum-sci.com wrote:
>
> Tom I don't think I've said this yet, but THANK YOU for the Shoreline
> Firewall. This is one of the finest and most important software
> packages I've ever used, and it always works.
>
> I'll be making a donation in your name to the Alzheimer's Association
> as soon as I make some money on eBay. (very soon)

Thank you!

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Friday 3 June, 2011 16:14:03 you wrote:
> On 6/3/11 2:50 PM, CACook@quantum-sci.com wrote:
> >
> > Hello Tom,
> >
> > Can't make masquerading work for some reason.
> >
> > I have a VirtualBox VM running Debian with network in Host-Only mode. I want to use this rather than Bridging to reduce the possibility of layer 2 attacks on my LAN in case Debian gets compromised. For this same reason I want to aim the dnat right at the router.
> >
> > So the VM interface on the host is vboxnet0 with IP 192.168.12.1. The host's outward-looking interface is wlan0 with IP 192.168.11.1, and the router is 192.168.11.5.
> >
> > interfaces:
> > net     wlan0      detect   blacklist,nosmurfs,tcpflags
> > local   vboxnet0   detect   detectnets
> >
> > zones:
> > fw      firewall
> > net     ipv4
> > local   ipv4
> >
> > masq:
> > wlan0:192.168.11.5   192.168.12.0/30
> >
> > rules:
> > DNAT     local   net:192.168.11.5   tcp   ftp,http
> > ACCEPT   local   net                tcp   ftp,http,https   -
> > ACCEPT   local   net                udp   domain           -
> >
> > ... but it tain't working. with dmesg I get lots of these:
> > [178641.995837] martian source 192.168.11.5 from 192.168.12.1, on dev vboxnet0
> > [178641.995842] ll header: ff:ff:ff:ff:ff:ff:08:00:27:ca:f8:5c:08:06
> > [178644.651678] martian source 192.168.12.255 from 192.168.12.1, on dev vboxnet0
> > [178644.651688] ll header: ff:ff:ff:ff:ff:ff:08:00:27:ca:f8:5c:08:00
> > [178650.947681] martian source 192.168.11.5 from 192.168.12.1, on dev vboxnet0
> > [178650.947686] ll header: ff:ff:ff:ff:ff:ff:08:00:27:ca:f8:5c:08:06
> >
> > Can't figure out what's wrong.
> >
> > I'm recommending that people run a Tor relay in a VirtualBox VM with Debian SELinux guest, with guest and host running Shorewall, masqueraded through the host and aimed straight at the router so no monitoring can take place if compromised.
>
> martians are a routing problem, not a Shorewall configuration problem.
> The routing table doesn't route 192.168.12.1 out of vboxnet0.

Oh dear, in that case I have no idea what to do about it.
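Tom's diagnosis ("martians are a routing problem") can be checked mechanically. The script below is an added example, not code from the thread or from Shorewall: it takes a routing table in `ip route` format and one of the kernel's `martian source DST from SRC, on dev IF` lines, looks up the longest-prefix route for SRC, and reports whether that route uses the interface the packet arrived on. The table is constructed to mirror the one posted later in the thread (only wlan0 routes, nothing for 192.168.12.0/24), and a second copy adds the connected route the host gets once vboxnet0 carries 192.168.12.1/24.

```shell
#!/bin/sh
# Added example: why the kernel calls 192.168.12.1 a martian on vboxnet0.
# A source address is martian on interface X when the routing table would
# not use X to reach that address. Sample data below is constructed.

# Host routing table, constructed in `ip route` form from the thread's
# `route` output: wlan0 entries only, no route for 192.168.12.0/24.
HOST_ROUTES='192.168.1.0/28 dev wlan0 proto kernel scope link src 192.168.1.2
192.168.11.0/24 dev wlan0 proto kernel scope link src 192.168.11.1
default via 192.168.11.5 dev wlan0'

# Same table once vboxnet0 has 192.168.12.1/24 configured on the host
# (the kernel adds this connected route by itself). Constructed.
FIXED_ROUTES="$HOST_ROUTES
192.168.12.0/24 dev vboxnet0 proto kernel scope link src 192.168.12.1"

# One of the dmesg lines quoted in the thread.
MARTIAN_LINE='[178641.995837] martian source 192.168.11.5 from 192.168.12.1, on dev vboxnet0'

# Dotted quad -> 32-bit integer so prefixes can be compared with masks.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_dev_for ADDR TABLE: interface of the longest-prefix route in TABLE
# covering ADDR, or "none" when nothing (not even default) matches.
route_dev_for() {
    addr=$(ip2int "$1"); bestlen=-1; bestdev=none
    while read -r line; do
        [ -n "$line" ] || continue
        prefix=${line%% *}
        dev=$(printf '%s\n' "$line" | sed 's/.* dev \([^ ]*\).*/\1/')
        if [ "$prefix" = default ]; then
            net=0.0.0.0; len=0; mask=0
        else
            net=${prefix%/*}; len=${prefix#*/}
            mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        fi
        if [ $(( addr & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$bestlen" ]; then
            bestlen=$len; bestdev=$dev
        fi
    done <<EOF
$2
EOF
    echo "$bestdev"
}

# explain_martian LOGLINE TABLE: compare the arrival interface in the log
# line with the interface the routing table would use for the source.
explain_martian() {
    src=$(printf '%s\n' "$1" | sed 's/.* from \([0-9.]*\),.*/\1/')
    indev=$(printf '%s\n' "$1" | sed 's/.* on dev \([^ ]*\).*/\1/')
    want=$(route_dev_for "$src" "$2")
    if [ "$want" = "$indev" ]; then
        echo "$src on $indev: routing table agrees, not a martian"
    else
        echo "$src arrived on $indev but the routing table reaches it via $want"
    fi
}

explain_martian "$MARTIAN_LINE" "$HOST_ROUTES"
explain_martian "$MARTIAN_LINE" "$FIXED_ROUTES"
```

With the thread's table the only route covering 192.168.12.1 is the default via wlan0, so a packet from 192.168.12.1 arriving on vboxnet0 is logged as a martian and dropped by reverse-path filtering; with the connected route present the same packet is accepted. The practical fix is therefore on the host, not in Shorewall: give vboxnet0 its address and netmask so the kernel installs that route.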
On 06/03/2011 09:01 PM, CACook@quantum-sci.com wrote:
> On Friday 3 June, 2011 16:14:03 you wrote:
>> martians are a routing problem, not a Shorewall configuration problem.
>> The routing table doesn't route 192.168.12.1 out of vboxnet0.
>
> Oh dear, in that case I have no idea what to do about it.

I would start by fixing the IP configuration of vboxnet0.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sunday 5 June, 2011 06:36:47 Tom Eastep wrote:
> On 06/03/2011 09:01 PM, CACook@quantum-sci.com wrote:
> > On Friday 3 June, 2011 16:14:03 you wrote:
> >
> >> martians are a routing problem, not a Shorewall configuration problem.
> >> The routing table doesn't route 192.168.12.1 out of vboxnet0.
> >
> > Oh dear, in that case I have no idea what to do about it.
>
> I would start by fixing the IP configuration of vboxnet0.

Understand, but no idea how to go about that.

I am a long-time Debian user, and I have always edited /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. vboxnet0 does not appear in these because it's a virtual interface created by VirtualBox. VirtualBox has a graphical setup for host-only networking, but there is no provision for routing. (attached)

I checked and do have forwarding turned on, although I've forgotten where to do that.

The routing table looks like this:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.240 U     0      0        0 wlan0
localnet        *               255.255.255.0   U     0      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
default         sirius.darkmatt 0.0.0.0         UG    0      0        0 wlan0

... but I don't know what's missing nor where is the proper place to adjust it. vboxnet0 is a transient interface, so surely a permanent setting is not appropriate, wherever that would go.
On 06/05/2011 06:53 AM, CACook@quantum-sci.com wrote:
> On Sunday 5 June, 2011 06:36:47 Tom Eastep wrote:
>> On 06/03/2011 09:01 PM, CACook@quantum-sci.com wrote:
>>> On Friday 3 June, 2011 16:14:03 you wrote:
>>
>>>> martians are a routing problem, not a Shorewall configuration problem.
>>>> The routing table doesn't route 192.168.12.1 out of vboxnet0.
>>>
>>> Oh dear, in that case I have no idea what to do about it.
>>
>> I would start by fixing the IP configuration of vboxnet0.
>
> Understand, but no idea how to go about that.
>
> I am a long-time Debian user, and I have always edited /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. vboxnet0 does not appear in these because it's a virtual interface created by VirtualBox. VirtualBox has a graphical setup for host-only networking, but there is no provision for routing. (attached)
>
> I checked and do have forwarding turned on, although I've forgotten where to do that.
>
> The routing table looks like this:
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.240 U     0      0        0 wlan0
> localnet        *               255.255.255.0   U     0      0        0 wlan0
> link-local      *               255.255.0.0     U     1000   0        0 wlan0
> default         sirius.darkmatt 0.0.0.0         UG    0      0        0 wlan0
>
> ... but I don't know what's missing nor where is the proper place to adjust it. vboxnet0 is a transient interface, so surely a permanent setting is not appropriate, wherever that would go.

On OS X, it's in the global preferences under 'Network'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sunday 5 June, 2011 06:53:24 CACook@quantum-sci.com wrote:
> On Sunday 5 June, 2011 06:36:47 Tom Eastep wrote:
> > On 06/03/2011 09:01 PM, CACook@quantum-sci.com wrote:
> > > On Friday 3 June, 2011 16:14:03 you wrote:
> > >
> > >> martians are a routing problem, not a Shorewall configuration problem.
> > >> The routing table doesn't route 192.168.12.1 out of vboxnet0.
> > >
> > > Oh dear, in that case I have no idea what to do about it.
> >
> > I would start by fixing the IP configuration of vboxnet0.
>
> Understand, but no idea how to go about that.
>
> I am a long-time Debian user, and I have always edited /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. vboxnet0 does not appear in these because it's a virtual interface created by VirtualBox. VirtualBox has a graphical setup for host-only networking, but there is no provision for routing. (attached)
>
> I checked and do have forwarding turned on, although I've forgotten where to do that.
>
> The routing table looks like this:
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.240 U     0      0        0 wlan0
> localnet        *               255.255.255.0   U     0      0        0 wlan0
> link-local      *               255.255.0.0     U     1000   0        0 wlan0
> default         sirius.darkmatt 0.0.0.0         UG    0      0        0 wlan0
>
> ... but I don't know what's missing nor where is the proper place to adjust it. vboxnet0 is a transient interface, so surely a permanent setting is not appropriate, wherever that would go.

I've asked over in the VirtualBox forum, and no one has any idea. Looks like I'm stuck.
On Monday 6 June, 2011 06:44:39 CACook@quantum-sci.com wrote:
> On Sunday 5 June, 2011 06:53:24 CACook@quantum-sci.com wrote:
> > On Sunday 5 June, 2011 06:36:47 Tom Eastep wrote:
> > > On 06/03/2011 09:01 PM, CACook@quantum-sci.com wrote:
> > > > On Friday 3 June, 2011 16:14:03 you wrote:
> > > >
> > > >> martians are a routing problem, not a Shorewall configuration problem.
> > > >> The routing table doesn't route 192.168.12.1 out of vboxnet0.
> > > >
> > > > Oh dear, in that case I have no idea what to do about it.
> > >
> > > I would start by fixing the IP configuration of vboxnet0.
> >
> > Understand, but no idea how to go about that.
> >
> > I am a long-time Debian user, and I have always edited /etc/network/interfaces and /etc/wpa_supplicant/wpa_supplicant.conf. vboxnet0 does not appear in these because it's a virtual interface created by VirtualBox. VirtualBox has a graphical setup for host-only networking, but there is no provision for routing. (attached)
> >
> > I checked and do have forwarding turned on, although I've forgotten where to do that.
> >
> > The routing table looks like this:
> > # route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.1.0     *               255.255.255.240 U     0      0        0 wlan0
> > localnet        *               255.255.255.0   U     0      0        0 wlan0
> > link-local      *               255.255.0.0     U     1000   0        0 wlan0
> > default         sirius.darkmatt 0.0.0.0         UG    0      0        0 wlan0
> >
> > ... but I don't know what's missing nor where is the proper place to adjust it. vboxnet0 is a transient interface, so surely a permanent setting is not appropriate, wherever that would go.
>
> I've asked over in the VirtualBox forum, and no one has any idea. Looks like I'm stuck.

So everyone is clear, it is not possible to set host-only networking and masquerade/NAT through the Linux host with VirtualBox, to avoid layer 2 attacks possible with bridging. The packets simply do not get transported through the host.
On 06/08/2011 08:13 AM, CACook@quantum-sci.com wrote:
>
> So everyone is clear, it is not possible to set host-only networking
> and masquerade/NAT through the Linux host with VirtualBox, to avoid
> layer 2 attacks possible with bridging. The packets simply do not
> get transported through the host.
>

I'm confused. I don't see how Vbox can stop the packets.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wednesday 8 June, 2011 12:21:43 Tom Eastep wrote:
> On 06/08/2011 08:13 AM, CACook@quantum-sci.com wrote:
> >
> > So everyone is clear, it is not possible to set host-only networking
> > and masquerade/NAT through the Linux host with VirtualBox, to avoid
> > layer 2 attacks possible with bridging. The packets simply do not
> > get transported through the host.
> >
>
> I'm confused. I don't see how Vbox can stop the packets.

It isn't. But something between the VM and the outside is. Mystery, what.
On 6/8/11 12:33 PM, CACook@quantum-sci.com wrote:
> On Wednesday 8 June, 2011 12:21:43 Tom Eastep wrote:
>> On 06/08/2011 08:13 AM, CACook@quantum-sci.com wrote:
>>
>>>
>>> So everyone is clear, it is not possible to set host-only networking
>>> and masquerade/NAT through the Linux host with VirtualBox, to avoid
>>> layer 2 attacks possible with bridging. The packets simply do not
>>> get transported through the host.
>>>
>>
>> I'm confused. I don't see how Vbox can stop the packets.
>
> It isn't. But something between the VM and the outside is. Mystery, what.

Well, if you are still getting the martian messages, then it is your IP configuration.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wednesday 8 June, 2011 13:32:04 Tom Eastep wrote:
> Well, if you are still getting the martian messages, then it is your IP
> configuration.

Yup, tons of martians. No idea why. I'm a real estate developer, not a coder. No answers in all my searches of The Internets.
On 6/8/11 2:34 PM, CACook@quantum-sci.com wrote:
> On Wednesday 8 June, 2011 13:32:04 Tom Eastep wrote:
>> Well, if you are still getting the martian messages, then it is your
>> IP configuration.
>
> Yup, tons of martians. No idea why. I'm a real estate developer,
> not a coder. No answers in all my searches of The Internets.

Possibly you should pay the kid next door a couple of bucks to help you out :-)

1) Open the preferences window on Virtual box and select network.
2) There you should see an entry for vboxnet0 or some such device.
3) Edit that entry.
4) There you will find the IP address and network for the host-only interface in the host.
5) I'm guessing that you configured the IP address and network on the guest in a network that is different from the one that is configured here in VirtualBox.
6) If so, reconfigure Virtual box to match what you expect;

   The IP address will be what you specify as the default gateway on the guest.

   The Netmask should be the same as on your guest.

Start your guest and things should work much better.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
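Steps 4 to 6 above reduce to comparing four values: the host-only adapter's address and netmask as set in the VirtualBox preferences (what the host puts on vboxnet0), and the guest's address and default gateway. The script below is an added example, not code from the thread or from VirtualBox or Shorewall; it encodes those comparisons, plus a check that the SOURCE column of the thread's masq entry (`192.168.12.0/30`) actually covers the guest address. The sample values are constructed from addresses that appear in the thread.

```shell
#!/bin/sh
# Added example: check the host-only address plan Tom's steps 4-6 describe.
# All sample values are constructed from the thread's addresses.

# Dotted quad -> 32-bit integer for mask arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_hostonly HOST_IP NETMASK GUEST_IP GUEST_GW
# HOST_IP/NETMASK are the VirtualBox host-only adapter settings (vboxnet0
# on the host); GUEST_IP/GUEST_GW are configured inside the VM.
# Prints "ok" or a space-separated list of mismatches.
check_hostonly() {
    host=$1 mask=$2 guest=$3 gw=$4
    h=$(ip2int "$host"); m=$(ip2int "$mask")
    g=$(ip2int "$guest"); w=$(ip2int "$gw")
    problems=""
    # Guest outside the host-only subnet: the host logs its packets as
    # martians on vboxnet0 because no route there covers that source.
    [ $(( g & m )) -eq $(( h & m )) ] || problems="$problems guest-not-in-subnet"
    # Step 6: the guest's default gateway is the host's own vboxnet0 address.
    [ "$w" -eq "$h" ] || problems="$problems gateway-is-not-host"
    # Host and guest must not share an address (the thread's first attempt).
    [ "$g" -ne "$h" ] || problems="$problems guest-duplicates-host-address"
    # Network and broadcast addresses are not usable host addresses.
    bcast=$(( h | (~m & 0xFFFFFFFF) ))
    if [ $(( g & m )) -eq "$g" ] || [ "$g" -eq "$bcast" ]; then
        problems="$problems guest-is-network-or-broadcast"
    fi
    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}

# masq_covers CIDR GUEST_IP: does the masq SOURCE column include the guest?
# A guest outside it leaves the host un-NATed, with a private source.
masq_covers() {
    net=${1%/*}; len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    if [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# Guest and host both on 192.168.12.1, as first tried in the thread:
check_hostonly 192.168.12.1 255.255.255.0 192.168.12.1 192.168.12.1
# Guest on .2 with the host as gateway, as tried next:
check_hostonly 192.168.12.1 255.255.255.0 192.168.12.2 192.168.12.1
# Guest put in a different /24 than the adapter (Tom's guess in step 5):
check_hostonly 192.168.12.1 255.255.255.0 192.168.13.2 192.168.12.1
masq_covers 192.168.12.0/30 192.168.12.2
masq_covers 192.168.12.0/30 192.168.12.5
```

The first call reports `guest-duplicates-host-address`, the second `ok`, the third `guest-not-in-subnet`. The `/30` in the thread's masq entry leaves room for exactly `.1` (host) and `.2` (guest); a guest later given any other address in the /24 would pass the address checks but leave the host without source NAT, so the masq SOURCE should match the subnet the adapter actually uses.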
On Wednesday 8 June, 2011 15:55:14 Tom Eastep wrote:
> On 6/8/11 2:34 PM, CACook@quantum-sci.com wrote:
> > On Wednesday 8 June, 2011 13:32:04 Tom Eastep wrote:
> >> Well, if you are still getting the martian messages, then it is your
> >> IP configuration.
> >
> > Yup, tons of martians. No idea why. I'm a real estate developer,
> > not a coder. No answers in all my searches of The Internets.
>
> Possibly you should pay the kid next door a couple of bucks to help you
> out :-)
>
> 1) Open the preferences window on Virtual box and select network.
> 2) There you should see an entry for vboxnet0 or some such device.
> 3) Edit that entry.
> 4) There you will find the IP address and network for the host-only
> interface in the host.
> 5) I'm guessing that you configured the IP address and network on the
> guest in a network that is different from the one that is configured
> here in VirtualBox.
> 6) If so, reconfigure Virtual box to match what you expect;
>
> The IP address will be what you specify as the default
> gateway on the guest.
>
> The Netmask should be the same as on your guest.
>
> Start your guest and things should work much better.

Ya no kids around here seem to be as smart as I am, these days. You'd think...

No such luck on VB settings. I've attached another screenie so you can see what I'm looking at again.
On Wednesday 8 June, 2011 16:08:12 CACook@quantum-sci.com wrote:
> On Wednesday 8 June, 2011 15:55:14 Tom Eastep wrote:
> > On 6/8/11 2:34 PM, CACook@quantum-sci.com wrote:
> > > On Wednesday 8 June, 2011 13:32:04 Tom Eastep wrote:
> > >> Well, if you are still getting the martian messages, then it is your
> > >> IP configuration.
> > >
> > > Yup, tons of martians. No idea why. I'm a real estate developer,
> > > not a coder. No answers in all my searches of The Internets.
> >
> > Possibly you should pay the kid next door a couple of bucks to help you
> > out :-)
> >
> > 1) Open the preferences window on Virtual box and select network.
> > 2) There you should see an entry for vboxnet0 or some such device.
> > 3) Edit that entry.
> > 4) There you will find the IP address and network for the host-only
> > interface in the host.
> > 5) I'm guessing that you configured the IP address and network on the
> > guest in a network that is different from the one that is configured
> > here in VirtualBox.
> > 6) If so, reconfigure Virtual box to match what you expect;
> >
> > The IP address will be what you specify as the default
> > gateway on the guest.
> >
> > The Netmask should be the same as on your guest.
> >
> > Start your guest and things should work much better.
>
> Ya no kids around here seem to be as smart as I am, these days.
> You'd think...
>
> No such luck on VB settings. I've attached another screenie so you can see what I'm looking at again.

Oh you meant PREFERENCES. Why didn't you -say- so? <g>

Yes there I have the IP set to 192.168.12.1. Don't know whether that's supposed to be the virtual interface or guest. I have the guest set to the same address, but it doesn't work. So I set the guest to 192.168.12.2 and gateway to .1 and dns server to 192.168.11.5, and now when I ask for amd.com it pops up a window asking for my login to my router (which is 192.168.11.5).

Don't want to log in to my router... that's the DNS server FCS. I want to go to AMD.com.
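The router login page is the expected result of the rules posted at the start of the thread, not a further routing fault. In Shorewall's rules file the seventh column (ORIGINAL DEST) limits a DNAT rule to connections that were originally addressed to the listed address; `DNAT local net:192.168.11.5 tcp ftp,http` has no such column, so every FTP and HTTP connection from the `local` zone, whatever its original destination, is rewritten to the router. Likewise the `wlan0:192.168.11.5` qualifier in the masq entry restricts source NAT to packets whose destination is the router. The script below is an added example, not code from the thread or from Shorewall: it parses rule and masq lines in Shorewall's column layout and flags DNAT rules with no ORIGINAL DEST restriction, using the thread's rules plus one constructed conventional port-forward (with the documentation address 203.0.113.10 as the firewall's external IP) for contrast.

```shell
#!/bin/sh
# Added example: audit Shorewall rules for catch-all DNAT entries.
# Column order in /etc/shorewall/rules:
#   ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# The rules text below is constructed: the thread's three rules plus one
# ordinary inbound port-forward whose ORIGDEST is the firewall's public IP.
RULES='#ACTION SOURCE DEST                PROTO DPORT          SPORT ORIGDEST
DNAT    local  net:192.168.11.5    tcp   ftp,http
ACCEPT  local  net                 tcp   ftp,http,https -
ACCEPT  local  net                 udp   domain         -
DNAT    net    local:192.168.12.2  tcp   80             -     203.0.113.10'

# What the same file looks like once outbound access relies on the masq
# entry alone: the catch-all DNAT is simply dropped (constructed).
FIXED_RULES='#ACTION SOURCE DEST PROTO DPORT          SPORT ORIGDEST
ACCEPT  local  net  tcp   ftp,http,https -
ACCEPT  local  net  udp   domain         -'

# The thread's masq entry: INTERFACE[:dest-address] SOURCE.
MASQ='wlan0:192.168.11.5 192.168.12.0/30'

# audit_dnat RULES: one line per DNAT rule whose ORIGDEST is empty or "-",
# i.e. a rule that rewrites every connection on its ports.
audit_dnat() {
    printf '%s\n' "$1" | while read -r action source dest proto dport sport origdest _; do
        case "$action" in DNAT) ;; *) continue ;; esac
        if [ -z "$origdest" ] || [ "$origdest" = "-" ]; then
            echo "catch-all: $source -> $dest $proto $dport (every $dport connection from $source goes to ${dest#*:})"
        fi
    done
}

# masq_scope ENTRY: destinations the masq entry applies to; "all" when the
# INTERFACE column has no ":address" qualifier.
masq_scope() {
    iface=${1%% *}
    case "$iface" in
        *:*) echo "${iface#*:}" ;;
        *)   echo all ;;
    esac
}

audit_dnat "$RULES"
audit_dnat "$FIXED_RULES"
echo "masq applies to destinations: $(masq_scope "$MASQ")"
echo "masq applies to destinations: $(masq_scope 'wlan0 192.168.12.0/24')"
```

For the VM-behind-the-host design the thread is after (guest traffic leaves through the host, source-NATed, with the router as the host's next hop), the DNAT rule is not needed at all: the host's default route already sends Internet-bound packets to the router, and an unqualified masq entry (`wlan0 192.168.12.0/24`) is what makes them leave with the host's address. Port forwarding with DNAT is for inbound connections, and then the ORIGINAL DEST column should name the address the connection was actually sent to.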
On 6/8/11 4:18 PM, CACook@quantum-sci.com wrote:
>
> Oh you meant PREFERENCES. Why didn't you -say- so? <g>
>
> Yes there I have the IP set to 192.168.12.1. Don't know whether
> that's supposed to be the virtual interface or guest. I have the
> guest set to the same address, but it doesn't work. So I set the
> guest to 192.168.12.2 and gateway to .1 and dns server to
> 192.168.11.5, and now when I ask for amd.com it pops up a window
> asking for my login to my router (which is 192.168.11.5).
>
> Don't want to log in to my router... that's the DNS server FCS. I
> want to go to AMD.com.

You really need to hire someone to sit beside you and guide you through this.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wednesday 8 June, 2011 18:09:43 Tom Eastep wrote:
> On 6/8/11 4:18 PM, CACook@quantum-sci.com wrote:
> >
> > Oh you meant PREFERENCES. Why didn't you -say- so? <g>
> >
> > Yes there I have the IP set to 192.168.12.1. Don't know whether
> > that's supposed to be the virtual interface or guest. I have the
> > guest set to the same address, but it doesn't work. So I set the
> > guest to 192.168.12.2 and gateway to .1 and dns server to
> > 192.168.11.5, and now when I ask for amd.com it pops up a window
> > asking for my login to my router (which is 192.168.11.5).
> >
> > Don't want to log in to my router... that's the DNS server FCS. I
> > want to go to AMD.com.
>
> You really need to hire someone to sit beside you and guide you through
> this.

Condescension noted. Thanks for your help.