XP Mode - Disable Internet but not LAN Access

I'm running Win 7 Pro with an Ethernet connection to a
router. I use XP Mode to support my elderly but still
functional printer and scanner. Windows Virtual Machine
is configured to use the host's NIC and thus my XP
virtual machine appears as a terminal node on my LAN,
which facilitates printer and file sharing. For security
reasons I'd like to disable internet access on the
XP virtual machine before XP support ends in April, but
retain LAN access. The obvious place to do that would
be at the router but Google suggests that my particular
model doesn't allow access control of an Ethernet
connected device and I haven't discovered any other
straightforward method of achieving the same objective.

Sorry if this is a bit OT but I'm hoping for indulgence
and that suggestions on how I might proceed will be
forthcoming.

--

Dick K

Il Sun, 12 Jan 2014 19:06:22 +0000, Dick K ha scritto:

I'd like to disable internet access on the XP virtual machine before XP
support ends in April

force a proper IP address/subnetmask and leave blank the gateway/
dnsservers



--
/-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\

On 12/01/2014 19:06, Dick K wrote:
I'm running Win 7 Pro with an Ethernet connection to a
router. I use XP Mode to support my elderly but still
functional printer and scanner. Windows Virtual Machine
is configured to use the host's NIC and thus my XP
virtual machine appears as a terminal node on my LAN,
which facilitates printer and file sharing. For security
reasons I'd like to disable internet access on the
XP virtual machine before XP support ends in April, but
retain LAN access. The obvious place to do that would
be at the router but Google suggests that my particular
model doesn't allow access control of an Ethernet
connected device and I haven't discovered any other
straightforward method of achieving the same objective.

Sorry if this is a bit OT but I'm hoping for indulgence
and that suggestions on how I might proceed will be
forthcoming.


I may need to do something similar for my wife's machine if I upgrade it
to W7 because she's got a lot of stuff which will run under XP but
probably not under W7.

One possibility is to go to network settings, and specify a fixed IP
address in the same subnet as the rest of your LAN (but outside the
range allocated by the router's DHCP server) and then specify an invalid
Gateway Address. It will then hopefully still be able to talk to other
devices on your network - including its host machine - but it won't be
able to access the outside world.
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.

On 12/01/2014 19:06, Dick K wrote:

For security
reasons I'd like to disable internet access on the
XP virtual machine before XP support ends in April, but
retain LAN access.


Thank you Ammammata and Roger. Your procedure worked
flawlessly.

--

Dick K

On Sun, 12 Jan 2014 20:29:53 +0000, Roger Mills
wrote:

I may need to do something similar for my wife's machine if I upgrade it
to W7 because she's got a lot of stuff which will run under XP but
probably not under W7.



There are some programs that run under XP but not 7. But not very
many. In most cases, if it runs under XP it will run under 7.

On 1/13/2014 12:35 PM, Ken Blake wrote:
There are some programs that run under XP but not 7. But not very
many. In most cases, if it runs under XP it will run under 7.

While generally true, there are tons of things that get in the way with
newer Windows versions. Like the OS itself eats up a lot of processor
power that it ruins everything. While a single core processor under XP
generally has no problems playing videos. Not so with Vista, 7, and 8.
Heck even with multiple core processors recording from a TV tuner and
converting it at the same time is a tough task with Vista or higher. But
with XP this is a piece of cake.

--
Bill
Motion Computing LE1700 Tablet ('09 era) - Thunderbird v12
Centrino Core2 Duo L7400 1.5GHz - 2GB RAM - Windows 8 Professional

On 1/13/2014 6:29 AM, Dick K wrote:
On 12/01/2014 19:06, Dick K wrote:

For security
reasons I'd like to disable internet access on the
XP virtual machine before XP support ends in April, but
retain LAN access.


Thank you Ammammata and Roger. Your procedure worked
flawlessly.


Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.

If you see the Oracle web page render, that's to tell you
how "blocked" the connection is. Blocking DNS is not
blocking (entirely) network access. Just so you're
aware of the hole. What it does take away, is easy access
for any tool that uses symbolic IP addresses. A tool using
a numeric IP address (requiring no DNS lookup), can
still get through. And that's what my test case
would be demonstrating.

If you do this, it won't work.

http://www.sun.com

You could add blocking rules to the Windows Firewall (like block port 80
outgoing, as a starting point). But that's not really foolproof either.
You have to know the port numbers for http, https and the alternate
port numbers like 8080 sometimes used. For example:

http:/111.222.33.45:8080

would attempt an outgoing connection on port 8080.

The various networking modes in Windows Virtual PC are described here.
I was thinking that maybe MAC filtering would work, but MAC filtering
doesn't appear to work the way I think it does. Maybe a "managed" router
box would actually filter on MAC addresses - at work, we couldn't move
a machine from one part of the building to another, since the routers
knew which MAC addresses belonged there. It's possible a more
fully-featured router could stop a particular MAC address from
getting out to the Internet side.

http://blogs.technet.com/b/windows_v...irtual-pc.aspx

I haven't heard of any nice neat "one tick box" solutions for this.
That doesn't mean they don't exist though, in the form of third
party software. While Windows has Parental Blocking, that's not really
complete enough for a job like this.

Paul

On 13/01/2014 20:05, Paul wrote:

Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.



If you do this, it won't work.

http://www.sun.com


The second of these won't work if you've clobbered the DNS server - but
surely, the first won't work either unless you've specified a valid
gateway address. Clobber that too, and you should be ok.
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.

On 13/01/2014 20:05, Paul wrote:
On 1/13/2014 6:29 AM, Dick K wrote:
On 12/01/2014 19:06, Dick K wrote:

For security
reasons I'd like to disable internet access on the
XP virtual machine before XP support ends in April, but
retain LAN access.


Thank you Ammammata and Roger. Your procedure worked
flawlessly.


Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.

If you see the Oracle web page render, that's to tell you
how "blocked" the connection is. Blocking DNS is not
blocking (entirely) network access. Just so you're
aware of the hole. What it does take away, is easy access
for any tool that uses symbolic IP addresses. A tool using
a numeric IP address (requiring no DNS lookup), can
still get through. And that's what my test case
would be demonstrating.

If you do this, it won't work.

http://www.sun.com

You could add blocking rules to the Windows Firewall (like block port 80
outgoing, as a starting point). But that's not really foolproof either.
You have to know the port numbers for http, https and the alternate
port numbers like 8080 sometimes used. For example:

http:/111.222.33.45:8080

would attempt an outgoing connection on port 8080.

The various networking modes in Windows Virtual PC are described here.
I was thinking that maybe MAC filtering would work, but MAC filtering
doesn't appear to work the way I think it does. Maybe a "managed" router
box would actually filter on MAC addresses - at work, we couldn't move
a machine from one part of the building to another, since the routers
knew which MAC addresses belonged there. It's possible a more
fully-featured router could stop a particular MAC address from
getting out to the Internet side.

http://blogs.technet.com/b/windows_v...irtual-pc.aspx


I haven't heard of any nice neat "one tick box" solutions for this.
That doesn't mean they don't exist though, in the form of third
party software. While Windows has Parental Blocking, that's not really
complete enough for a job like this.

Paul


Many thanks for your usual knowledgeable and comprehensive
reply.

As you suggested I tried to connect to http://156.151.59.35
using IE8. As with URLs which use domain names the response
was 'Internet Explorer cannot display the webpage'.

I then ran Network Diagnostics for Windows XP. There was
too much output to quote in full but items which struck me
as possibly significant but which I'm not competent to
understand the implications of we

Gateway Diagnostic
Gateway (Note - in red with no name displayed)
warn - There is no default gateway entry

IP layer Diagnostic
Corrupted IP routing table

Wireless Diagnostic
Wireless - Service Disabled

Winsock Diagnostic
Connectivity is valid for all Winsock service providers

HTTP,HTTPS,FTP Diagnostic
error Could not make an HTTP connection
error Could not make an HTTPS connection
error Could not make an FTP connection

Considering that my VM is sitting behind a NAT router, is
used solely for printer and scanner support and is, I
assume, effectively sandboxed I'm tempted to accept my
current level of risk for the time being. Which is not
to say that a definitive solution is not desirable or
perhaps critical for some business users.

--

Dick K

Il Mon, 13 Jan 2014 15:05:46 -0500, Paul ha scritto:

Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.


even with an empty gateway?



--
/-\ /\/\ /\/\ /-\ /\/\ /\/\ /-\ T /-\

On 13/01/2014 23:32, Paul wrote:
On 1/13/2014 6:16 PM, Ammammata wrote:
Il Mon, 13 Jan 2014 15:05:46 -0500, Paul ha scritto:

Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.


even with an empty gateway?


So is a gateway address necessary to validate the "thing"
there, is a potential router ? I've never tried messing
around with the gateway address.

In the past, when DNS was broken, it was a simple enough
matter to keep a few "canned" ones like this, to reach stuff.

http://156.151.59.35

But I've never tried that with the gateway value messed up.

Paul



I used to use fixed IP addresses throughout my network, rather than
using DHCP. I sometimes swapped between routers which used different
default gateway addresses. This resulted in zero internet connectivity
until I'd changed the gateway address on all my PCs, even though the PCs
could see each other ok without doing that.

This was the basis of my suggestion to the OP to cobble the gateway
address on the virtual machine.
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.

On Mon, 13 Jan 2014 18:32:52 -0500, Paul wrote:

On 1/13/2014 6:16 PM, Ammammata wrote:
Il Mon, 13 Jan 2014 15:05:46 -0500, Paul ha scritto:

Try the following test case.

Go to the XP virtual machine, use a browser and try...

http://156.151.59.35

That should take you to the Sun/Oracle web site.


even with an empty gateway?


So is a gateway address necessary to validate the "thing"
there, is a potential router ? I've never tried messing
around with the gateway address.

When you attempt to access a resource by its IP address, your IP stack
compares the distant address with your local address, taking the netmask
into consideration. If the two addresses are determined to be on the same
network, your machine sends an ARP broadcast that asks the target to reply
with its MAC address. Every machine on the LAN ignores the ARP request
except the machine that has the matching address. It replies directly to the
requesting system with its MAC address and all future communications simply
use their respective MAC addresses, re-ARPing when necessary.

OTOH, if the target address is not in your subnet, the request is sent to
your locally configured gateway for additional processing; i.e., meaning
forwarding toward the intended destination. Thus, if you simply don't
specify a gateway address, all off-LAN communications are blocked. There's
no need to mangle the gateway address, as someone suggested. Just leave it
blank.

For an extra bit of security, if you don't want DNS requests to leak off of
the LAN, you can also blank the DNS settings. DNS isn't typically used with
a home LAN setup so it won't affect intraLAN communications.

--

Char Jackson