#1
XP Mode - Disable Internet but not LAN Access
I'm running Win 7 Pro with an Ethernet connection to a router. I use XP Mode to support my elderly but still functional printer and scanner. Windows Virtual Machine is configured to use the host's NIC and thus my XP virtual machine appears as a terminal node on my LAN, which facilitates printer and file sharing.

For security reasons I'd like to disable internet access on the XP virtual machine before XP support ends in April, but retain LAN access. The obvious place to do that would be at the router but Google suggests that my particular model doesn't allow access control of an Ethernet connected device and I haven't discovered any other straightforward method of achieving the same objective.

Sorry if this is a bit OT but I'm hoping for indulgence and that suggestions on how I might proceed will be forthcoming.

-- Dick K
#2
On Sun, 12 Jan 2014 19:06:22 +0000, Dick K wrote:
> I'd like to disable internet access on the XP virtual machine before XP support ends in April

Force a proper IP address/subnet mask and leave blank the gateway/DNS servers

-- /-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\
#3
On 12/01/2014 19:06, Dick K wrote:
> I'm running Win 7 Pro with an Ethernet connection to a router. I use XP Mode to support my elderly but still functional printer and scanner. Windows Virtual Machine is configured to use the host's NIC and thus my XP virtual machine appears as a terminal node on my LAN, which facilitates printer and file sharing. For security reasons I'd like to disable internet access on the XP virtual machine before XP support ends in April, but retain LAN access. The obvious place to do that would be at the router but Google suggests that my particular model doesn't allow access control of an Ethernet connected device and I haven't discovered any other straightforward method of achieving the same objective. Sorry if this is a bit OT but I'm hoping for indulgence and that suggestions on how I might proceed will be forthcoming.

I may need to do something similar for my wife's machine if I upgrade it to W7 because she's got a lot of stuff which will run under XP but probably not under W7.

One possibility is to go to network settings, and specify a fixed IP address in the same subnet as the rest of your LAN (but outside the range allocated by the router's DHCP server) and then specify an invalid Gateway Address. It will then hopefully still be able to talk to other devices on your network - including its host machine - but it won't be able to access the outside world.

-- Cheers, Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
#4
On 12/01/2014 19:06, Dick K wrote:
> For security reasons I'd like to disable internet access on the XP virtual machine before XP support ends in April, but retain LAN access.

Thank you Ammammata and Roger. Your procedure worked flawlessly.

-- Dick K
#5
On Sun, 12 Jan 2014 20:29:53 +0000, Roger Mills wrote:
> I may need to do something similar for my wife's machine if I upgrade it to W7 because she's got a lot of stuff which will run under XP but probably not under W7.

There are some programs that run under XP but not 7. But not very many. In most cases, if it runs under XP it will run under 7.
#6
On 1/13/2014 12:35 PM, Ken Blake wrote:
> There are some programs that run under XP but not 7. But not very many. In most cases, if it runs under XP it will run under 7.

While generally true, there are tons of things that get in the way with newer Windows versions. Like the OS itself eats up a lot of processor power that it ruins everything. While a single core processor under XP generally has no problems playing videos. Not so with Vista, 7, and 8. Heck even with multiple core processors recording from a TV tuner and converting it at the same time is a tough task with Vista or higher. But with XP this is a piece of cake.

-- Bill
Motion Computing LE1700 Tablet ('09 era) - Thunderbird v12
Centrino Core2 Duo L7400 1.5GHz - 2GB RAM - Windows 8 Professional
#7
On 1/13/2014 6:29 AM, Dick K wrote:
> On 12/01/2014 19:06, Dick K wrote:
>> For security reasons I'd like to disable internet access on the XP virtual machine before XP support ends in April, but retain LAN access.
> Thank you Ammammata and Roger. Your procedure worked flawlessly.

Try the following test case. Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site. If you see the Oracle web page render, that's to tell you how "blocked" the connection is. Blocking DNS is not blocking (entirely) network access. Just so you're aware of the hole. What it does take away, is easy access for any tool that uses symbolic IP addresses. A tool using a numeric IP address (requiring no DNS lookup), can still get through. And that's what my test case would be demonstrating.

If you do this, it won't work.

http://www.sun.com

You could add blocking rules to the Windows Firewall (like block port 80 outgoing, as a starting point). But that's not really foolproof either. You have to know the port numbers for http, https and the alternate port numbers like 8080 sometimes used. For example: http://111.222.33.45:8080 would attempt an outgoing connection on port 8080.

The various networking modes in Windows Virtual PC are described here. I was thinking that maybe MAC filtering would work, but MAC filtering doesn't appear to work the way I think it does. Maybe a "managed" router box would actually filter on MAC addresses - at work, we couldn't move a machine from one part of the building to another, since the routers knew which MAC addresses belonged there. It's possible a more fully-featured router could stop a particular MAC address from getting out to the Internet side.

http://blogs.technet.com/b/windows_v...irtual-pc.aspx

I haven't heard of any nice neat "one tick box" solutions for this. That doesn't mean they don't exist though, in the form of third party software. While Windows has Parental Blocking, that's not really complete enough for a job like this.

Paul
#8
On 13/01/2014 20:05, Paul wrote:
> Try the following test case. Go to the XP virtual machine, use a browser and try... http://156.151.59.35 That should take you to the Sun/Oracle web site. If you do this, it won't work. http://www.sun.com

The second of these won't work if you've clobbered the DNS server - but surely, the first won't work either unless you've specified a valid gateway address. Clobber that too, and you should be ok.

-- Cheers, Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
#9
On 13/01/2014 20:05, Paul wrote:
> On 1/13/2014 6:29 AM, Dick K wrote:
>> On 12/01/2014 19:06, Dick K wrote:
>>> For security reasons I'd like to disable internet access on the XP virtual machine before XP support ends in April, but retain LAN access.
>> Thank you Ammammata and Roger. Your procedure worked flawlessly.
> Try the following test case. Go to the XP virtual machine, use a browser and try... http://156.151.59.35 That should take you to the Sun/Oracle web site. If you see the Oracle web page render, that's to tell you how "blocked" the connection is. Blocking DNS is not blocking (entirely) network access. Just so you're aware of the hole. What it does take away, is easy access for any tool that uses symbolic IP addresses. A tool using a numeric IP address (requiring no DNS lookup), can still get through. And that's what my test case would be demonstrating. If you do this, it won't work. http://www.sun.com
> You could add blocking rules to the Windows Firewall (like block port 80 outgoing, as a starting point). But that's not really foolproof either. You have to know the port numbers for http, https and the alternate port numbers like 8080 sometimes used. For example: http://111.222.33.45:8080 would attempt an outgoing connection on port 8080.
> The various networking modes in Windows Virtual PC are described here. I was thinking that maybe MAC filtering would work, but MAC filtering doesn't appear to work the way I think it does. Maybe a "managed" router box would actually filter on MAC addresses - at work, we couldn't move a machine from one part of the building to another, since the routers knew which MAC addresses belonged there. It's possible a more fully-featured router could stop a particular MAC address from getting out to the Internet side. http://blogs.technet.com/b/windows_v...irtual-pc.aspx
> I haven't heard of any nice neat "one tick box" solutions for this. That doesn't mean they don't exist though, in the form of third party software. While Windows has Parental Blocking, that's not really complete enough for a job like this.
> Paul

Many thanks for your usual knowledgeable and comprehensive reply.

As you suggested I tried to connect to http://156.151.59.35 using IE8. As with URLs which use domain names the response was 'Internet Explorer cannot display the webpage'.

I then ran Network Diagnostics for Windows XP. There was too much output to quote in full but items which struck me as possibly significant but which I'm not competent to understand the implications of were:

    Gateway Diagnostic
        Gateway (Note - in red with no name displayed)
        warn - There is no default gateway entry
    IP layer Diagnostic
        Corrupted IP routing table
    Wireless Diagnostic
        Wireless - Service Disabled
    Winsock Diagnostic
        Connectivity is valid for all Winsock service providers
    HTTP,HTTPS,FTP Diagnostic
        error Could not make an HTTP connection
        error Could not make an HTTPS connection
        error Could not make an FTP connection

Considering that my VM is sitting behind a NAT router, is used solely for printer and scanner support and is, I assume, effectively sandboxed I'm tempted to accept my current level of risk for the time being. Which is not to say that a definitive solution is not desirable or perhaps critical for some business users.

-- Dick K
#10
On Mon, 13 Jan 2014 15:05:46 -0500, Paul wrote:
> Try the following test case. Go to the XP virtual machine, use a browser and try... http://156.151.59.35 That should take you to the Sun/Oracle web site.

Even with an empty gateway?

-- /-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\
#11
On 13/01/2014 23:32, Paul wrote:
> On 1/13/2014 6:16 PM, Ammammata wrote:
>> On Mon, 13 Jan 2014 15:05:46 -0500, Paul wrote:
>>> Try the following test case. Go to the XP virtual machine, use a browser and try... http://156.151.59.35 That should take you to the Sun/Oracle web site.
>> Even with an empty gateway?
> So is a gateway address necessary to validate the "thing" there, is a potential router? I've never tried messing around with the gateway address. In the past, when DNS was broken, it was a simple enough matter to keep a few "canned" ones like this, to reach stuff. http://156.151.59.35 But I've never tried that with the gateway value messed up.
> Paul

I used to use fixed IP addresses throughout my network, rather than using DHCP. I sometimes swapped between routers which used different default gateway addresses. This resulted in zero internet connectivity until I'd changed the gateway address on all my PCs, even though the PCs could see each other ok without doing that. This was the basis of my suggestion to the OP to cobble the gateway address on the virtual machine.

-- Cheers, Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
#12
On Mon, 13 Jan 2014 18:32:52 -0500, Paul wrote:
> On 1/13/2014 6:16 PM, Ammammata wrote:
>> On Mon, 13 Jan 2014 15:05:46 -0500, Paul wrote:
>>> Try the following test case. Go to the XP virtual machine, use a browser and try... http://156.151.59.35 That should take you to the Sun/Oracle web site.
>> Even with an empty gateway?
> So is a gateway address necessary to validate the "thing" there, is a potential router? I've never tried messing around with the gateway address.

When you attempt to access a resource by its IP address, your IP stack compares the distant address with your local address, taking the netmask into consideration. If the two addresses are determined to be on the same network, your machine sends an ARP broadcast that asks the target to reply with its MAC address. Every machine on the LAN ignores the ARP request except the machine that has the matching address. It replies directly to the requesting system with its MAC address and all future communications simply use their respective MAC addresses, re-ARPing when necessary.

OTOH, if the target address is not in your subnet, the request is sent to your locally configured gateway for additional processing; i.e., meaning forwarding toward the intended destination.

Thus, if you simply don't specify a gateway address, all off-LAN communications are blocked. There's no need to mangle the gateway address, as someone suggested. Just leave it blank. For an extra bit of security, if you don't want DNS requests to leak off of the LAN, you can also blank the DNS settings. DNS isn't typically used with a home LAN setup so it won't affect intraLAN communications.

-- Char Jackson
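
Added example (not part of the original thread): a small Python model of the next-hop decision described in the post above, applied to the adapter configurations discussed in this thread. The 192.168.1.x addresses are constructed; 156.151.59.35 is the numeric test address from Paul's post. It assumes one adapter with a connected route and an optional default route, and ignores the hosts file and NetBIOS name resolution.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class NicConfig:
    """Static IPv4 settings of the VM's adapter (sample values are constructed)."""
    address: str
    netmask: str
    gateway: Optional[str] = None   # None = gateway field left blank
    dns: Tuple[str, ...] = ()       # empty = DNS fields left blank

def next_hop(cfg: NicConfig, dest: str) -> Optional[str]:
    """Address the host would ARP for to deliver to dest, or None if no route."""
    subnet = ipaddress.ip_network(f"{cfg.address}/{cfg.netmask}", strict=False)
    if ipaddress.ip_address(dest) in subnet:
        return dest                 # on-link: ARP for the target itself
    return cfg.gateway              # off-link: only the gateway can forward it

def audit(cfg: NicConfig, lan_host: str, internet_ip: str) -> dict:
    """Summarise what this configuration still lets the VM talk to."""
    return {
        "lan": next_hop(cfg, lan_host) is not None,
        "internet_by_ip": next_hop(cfg, internet_ip) is not None,
        # A DNS query can be sent if any configured server has a next hop.
        "dns_queries_sent": any(next_hop(cfg, s) for s in cfg.dns),
    }

LAN_HOST = "192.168.1.10"           # constructed: the Windows 7 host
TEST_IP = "156.151.59.35"           # the numeric address from Paul's test
BASE = ("192.168.1.200", "255.255.255.0")  # constructed, outside the DHCP range

CONFIGS = {
    "router defaults":       NicConfig(*BASE, "192.168.1.1", ("192.168.1.1",)),
    "DNS blanked only":      NicConfig(*BASE, "192.168.1.1", ()),
    "gateway blanked only":  NicConfig(*BASE, None, ("192.168.1.1",)),
    "gateway + DNS blanked": NicConfig(*BASE, None, ()),
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(f"{name:22} {audit(cfg, LAN_HOST, TEST_IP)}")
```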