11-10-2010, 08:36 PM
"Russell L. Harris"

sandbox for Window$

I think that my need is for a "sandbox" to isolate a Window$ computer.

I wish files on a machine running Window$ to be accessible to other
computers in the LAN, while preventing the Window$ machine from
accessing the Internet for http, ftp, email, etc. And, the Window$
machine must not be able to see or communicate with other machines in
the LAN, except for file transfers initiated by the other machines.

RLH


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20101110213657.GA3376@rlharris.org
 
11-11-2010, 07:15 AM
"Boyd Stephen Smith Jr."

sandbox for Window$

In <20101110213657.GA3376@rlharris.org>, Russell L. Harris wrote:
>I think that my need is for a "sandbox" to isolate a Window$ computer.

Assuming by "Window$" you mean MS Windows, you are posting to the wrong forum.
This forum is not for MS Windows support issues.

OTOH, A sufficiently tuned iptables setup could do this on a Linux system, so
there may be a similar solution with the MS Windows firewall or third-party
firewall software for that OS.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
11-11-2010, 07:33 AM
"Russell L. Harris"

sandbox for Window$

* Boyd Stephen Smith Jr. <bss@iguanasuicide.net> [101111 08:21]:
> In <20101110213657.GA3376@rlharris.org>, Russell L. Harris wrote:
> >I think that my need is for a "sandbox" to isolate a Window$ computer.
>
> Assuming by "Window$" you mean MS Windows, you are posting to the wrong forum.
> This forum is not for MS Windows support issues.

I am not looking for MS Window$ support; actually, this question is
applicable to any OS. The issue is isolation of a particular machine
having files to which machines in a protected network require access.

Perhaps I should have made clear the fact that I have a LAN composed
of machines running Debian, and I am loathe to allow a M$ Window$
machine (possibly infected with malware) to connect directly to the
LAN.



> OTOH, A sufficiently tuned iptables setup could do this on a Linux system, so
> there may be a similar solution with the MS Windows firewall or third-party
> firewall software for that OS.

I have not learned how to work with iptables, but I am thinking that a
Linux-based firewall-router such as SmoothWall might fill my need,
with the Window$ machine on the PURPLE (wi-fi) or ORANGE (public
server) port.

RLH


--
Archive: http://lists.debian.org/20101111083355.GA3332@rlharris.org
 
11-11-2010, 07:45 AM
Camaleón

sandbox for Window$

On Wed, 10 Nov 2010 21:36:57 +0000, Russell L. Harris wrote:

> I think that my need is for a "sandbox" to isolate a Window$ computer.
>
> I wish files on a machine running Window$ to be accessible to other
> computers in the LAN, while preventing the Window$ machine from
> accessing the Internet for http, ftp, email, etc.

Disable "gateway" in that windows box (only lan connection). A more
complicated setup may involve a proxy.

> And, the Window$
> machine must not be able to see or communicate with other machines in
> the LAN, except for file transfers initiated by the other machines.

It must be able to communicate with other computers if you want to allow
file transfers... if using SMB protocol (and samba at linux side), you
can restrict what linux resources are visible in windows neighborhood.
You could also use SSH (or SFTP) just for one-way file transfers.

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/pan.2010.11.11.08.45.27@gmail.com
 
11-11-2010, 07:51 AM
Liam O'Toole

sandbox for Window$

On 2010-11-11, Russell L. Harris <rlharris@broadcaster.org> wrote:
> * Boyd Stephen Smith Jr. <bss@iguanasuicide.net> [101111 08:21]:
>> In <20101110213657.GA3376@rlharris.org>, Russell L. Harris wrote:
>> >I think that my need is for a "sandbox" to isolate a Window$ computer.
>>
>> Assuming by "Window$" you mean MS Windows, you are posting to the wrong forum.
>> This forum is not for MS Windows support issues.
>
> I am not looking for MS Window$ support; actually, this question is
> applicable to any OS. The issue is isolation of a particular machine
> having files to which machines in a protected network require access.
>
> Perhaps I should have made clear the fact that I have a LAN composed
> of machines running Debian, and I am loathe to allow a M$ Window$
> machine (possibly infected with malware) to connect directly to the
> LAN.

If it's just Windows-style file sharing you want, then you can achieve
that by installing a Samba server on one of the Debian machines. No need
for a Windows installation at all.

And if you want such file-sharing in an otherwise Debian-only
environment, then I am puzzled. Surely NFS, SFTP, etc, would be better
choices.

>> OTOH, A sufficiently tuned iptables setup could do this on a Linux system, so
>> there may be a similar solution with the MS Windows firewall or third-party
>> firewall software for that OS.
>
> I have not learned how to work with iptables, but I am thinking that a
> Linux-based firewall-router such as SmoothWall might fill my need,
> with the Window$ machine on the PURPLE (wi-fi) or ORANGE (public
> server) port.
>

Just about any router running iptables will allow you to isolate the
Windows machine to your needs.

--
Liam O'Toole
Cork, Ireland



--
Archive: http://lists.debian.org/slrnidnbk0.2oo.liam.p.otoole@dipsy.tubbynet
 
11-11-2010, 08:59 AM
"Russell L. Harris"

sandbox for Window$

* Camaleón <noelamac@gmail.com> [101111 08:49]:
> Disable "gateway" in that windows box (only lan connection).

This may be what I was trying to figure out.

I hate the very thought of using Window$, but I have two or three
devices with USB interface for which no other approach appears
practical.



> if using SMB protocol (and samba at linux side), you can restrict
> what linux resources are visible in windows neighborhood. You could
> also use SSH (or SFTP) just for one-way file transfers.

Thanks! Years ago I used Samba, but I have forgotten many of the
details.

RLH


--
Archive: http://lists.debian.org/20101111095931.GB3332@rlharris.org
 
11-11-2010, 12:19 PM
Chris Davies

sandbox for Window$

Russell L. Harris <rlharris@broadcaster.org> wrote:
> I wish files on a machine running Window$ to be accessible to other
> computers in the LAN, while preventing the Window$ machine from
> accessing the Internet for http, ftp, email, etc. And, the Window$
> machine must not be able to see or communicate with other machines in
> the LAN, except for file transfers initiated by the other machines.

If you were to run MS Windows in a VM or behind a Linux-based server you
could use iptables to do this. You would probably benefit from something
to help you set up the rules in the FORWARD chain. For example -

FORWARD: From MS Windows to LAN
Allow established
DENY all

FORWARD: From MS Windows to Anywhere
DENY all

FORWARD: From LAN to MS Windows
Allow all

FORWARD: From Anywhere to MS Windows
DENY all

My preferred subsystem layer is shorewall. Others will prefer different
subsystems, including GUI-based helpers. Still others will prefer writing
iptables rules directly.

Chris


--
Archive: http://lists.debian.org/f37tq7x4b8.ln2@news.roaima.co.uk
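
The four FORWARD policies listed in Chris Davies's post above, written out as ordered iptables rules with a dry-run checker that shows why the order matters. This is an added example, not part of the original post; the interface names win0 and lan0 and the helper functions policy, emit_iptables and verdict are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed setup: a Linux router with the
# Windows machine alone on interface win0 and the Debian LAN on lan0.
WIN_IF=win0   # assumption: interface facing the Windows machine
LAN_IF=lan0   # assumption: interface facing the Debian LAN

# The FORWARD policy from the post as an ordered table:
#   in-interface  out-interface  conntrack-state  target
# "*" matches anything. The first matching row wins, as in an iptables chain.
policy() {
    cat <<EOF
$WIN_IF $LAN_IF ESTABLISHED ACCEPT
$WIN_IF * * DROP
$LAN_IF $WIN_IF * ACCEPT
* $WIN_IF * DROP
EOF
}

# Print the iptables commands for the table. -I with an explicit position puts
# the rows at the top of FORWARD, in order, ahead of any rules already there.
emit_iptables() {
    n=0
    policy | while read -r iif oif state target; do
        n=$((n + 1))
        rule="iptables -I FORWARD $n"
        if [ "$iif" != "*" ]; then rule="$rule -i $iif"; fi
        if [ "$oif" != "*" ]; then rule="$rule -o $oif"; fi
        if [ "$state" != "*" ]; then rule="$rule -m conntrack --ctstate $state"; fi
        echo "$rule -j $target"
    done
}

# verdict IN_IF OUT_IF STATE: dry-run a forwarded packet against the table.
# Prints the target of the first matching row, or NOMATCH if no row applies
# (such traffic never touches win0 and is left to the rest of the chain).
verdict() {
    policy | (
        while read -r iif oif state target; do
            case "$iif" in "*"|"$1") ;; *) continue ;; esac
            case "$oif" in "*"|"$2") ;; *) continue ;; esac
            case "$state" in "*"|"$3") ;; *) continue ;; esac
            echo "$target"
            exit 0
        done
        echo NOMATCH
    )
}

emit_iptables
```

These rules only see traffic that is routed through the Linux box, so the Windows machine must not share a switch segment with the LAN. Traffic from the Windows machine to the router itself goes through the INPUT chain, which this example does not touch.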
 
11-11-2010, 12:45 PM
Rob Owens

sandbox for Window$

On Thu, Nov 11, 2010 at 08:33:55AM +0000, Russell L. Harris wrote:
> * Boyd Stephen Smith Jr. <bss@iguanasuicide.net> [101111 08:21]:
> > In <20101110213657.GA3376@rlharris.org>, Russell L. Harris wrote:
> > >I think that my need is for a "sandbox" to isolate a Window$ computer.
> >
> > Assuming by "Window$" you mean MS Windows, you are posting to the wrong forum.
> > This forum is not for MS Windows support issues.
>
> I am not looking for MS Window$ support; actually, this question is
> applicable to any OS. The issue is isolation of a particular machine
> having files to which machines in a protected network require access.
>
> Perhaps I should have made clear the fact that I have a LAN composed
> of machines running Debian, and I am loathe to allow a M$ Window$
> machine (possibly infected with malware) to connect directly to the
> LAN.
>
>
>
> > OTOH, A sufficiently tuned iptables setup could do this on a Linux system, so
> > there may be a similar solution with the MS Windows firewall or third-party
> > firewall software for that OS.
>
> I have not learned how to work with iptables, but I am thinking that a
> Linux-based firewall-router such as SmoothWall might fill my need,
> with the Window$ machine on the PURPLE (wi-fi) or ORANGE (public
> server) port.
>
I think you could just put a standard router in between them. Put the
Windows machine on the WAN port of the router, and the Linux machines on
the LAN ports. The Windows machine would then be "public" and the Linux
machines would be "private". Just make sure the firewall is enabled on
the router.

-Rob


--
Archive: http://lists.debian.org/20101111134503.GB18458@aurora.owens.net
 
11-11-2010, 01:44 PM
Nuno Magalhães

sandbox for Window$

If you wanna sandbox Windows you sh/could use a VM (virtualbox is
neat), along with separate partitions, chroots, etc. You can also tune
your Windows, but that depends on its version and is OT in these
lists, obviously. 2K8 has extensive firewall configurations and some
snap-ins for "unix file sharing" or something.

If you want it to share files with the rest of the (mostly linux)
network, you could use Samba as already suggested. Or FTP, HTTP, SSH
etc etc.

If you're worried windows-malware will infect your linux LAN, use a
firewall. Shorewall was suggested and I second that. There's also
Firestarter if you prefer a GUI. This depends on how your network is
set up. If you're using VMs you can use iptables on the host; if not,
depends on the routers' flexibility. Also use clamav, available for
both OS families.

HTH,
Nuno

--
Mars 2 Stay!
http://xkcd.com/801/
/etc


--
Archive: http://lists.debian.org/AANLkTim8DAYUFmXYyS7pP4J21wBzvKT5ym-=ynnY+KEE@mail.gmail.com