Proper setup for virtual machines

OK, I’m a total noob with CIS Firewall. So, apologies in advance. :)

I’ve had McAfee software for quite some time, and their firewall is useless as far as configuration. Also tried ZoneAlarm, and I’m not sure it can be configured the way I need either. So, I just installed Comodo CIS Firewall tonight.

My host machine is an Intel Core 2 Quad tower running Windows 7 Home Premium 64-bit. Subnet mask is currently 255.255.254.0 and gateway is 192.168.0.1, which is my router - a NetGear FVS338. I have my network set up in two ranges:

  1. 192.168.0.1 - 192.168.0.255: trusted machines with static IP addresses.
  2. 192.168.1.1 - 192.168.1.255: DHCP-allocated for untrusted guest machines.

I have Parallels Desktop for Windows/Linux version 4.0 installed on the tower for virtual machine usage. When installed, it sets up two virtual network adapters. One is “Parallels Host Only Networking” (10.37.131.2/255.255.255.0) and the other is “Parallels Shared Networking Adapter” (10.37.130.2/255.255.255.0). I believe Parallels internally uses IP/NAT via one of the virtual adapters to get the VMs to the Internet. The VM operating systems are configured to use DHCP to get their usable IP addresses, so they end up in my 192.168.1.x IP range.

ZoneAlarm has a crude concept of “Zones.” When putting the virtual network adapters in the “Internet” zone (which it does by default), ZoneAlarm on the tower host would block access back to them from the Internet. The virtual network adapters had to be put into the “Trusted” zone in order for the VMs in Parallels to get any Internet access at all. From my understanding, this could allow a network based virus or malware to infect the host machine.

What I would like is to configure CIS Firewall to allow both my tower host machine and the virtual machines to function on the Internet. I might even be using one or more of the VMs as servers. So, if possible, I would like to set CIS Firewall to protect the tower host machine from threats on the Internet, from machines in my untrusted 192.168.1.x range, and also protect it from the VMs running in Parallels in case one of those gets an infection of some sort.

I am willing to make any changes necessary to make this work. Please let me know if you need more information, and what suggestions you have for how I should configure CIS Firewall.

Thank you very much in advance!


Michael
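The post above lists four address ranges (trusted static, untrusted DHCP guests, and the two Parallels adapters) and a host subnet mask of 255.255.254.0. That mask makes the host treat 192.168.0.0 through 192.168.1.255 as one on-link network, so a rule of the form "trust everything on my local subnet" would also trust the untrusted guest range. The script below is an added example written for this thread, not a CIS rule export or anything from Comodo or Parallels: it encodes the ranges from the post as zones, resolves a source address with longest-prefix match so the narrower untrusted range wins over the broader /23, and reports which untrusted ranges fall inside the host's on-link subnet. The host address 192.168.0.10 and the policy labels are assumptions.

```python
import ipaddress

# Zones taken from the thread's description of the network (constructed example).
# Entry order does not matter: classify() picks the most specific matching prefix.
ZONES = [
    ("parallels-host-only",  ipaddress.ip_network("10.37.131.0/24"),  "allow-host-only"),
    ("parallels-shared",     ipaddress.ip_network("10.37.130.0/24"),  "allow-host-only"),
    ("guest-dhcp-untrusted", ipaddress.ip_network("192.168.1.0/24"),  "block"),
    ("trusted-static",       ipaddress.ip_network("192.168.0.0/24"),  "allow"),
]

# Hypothetical host address; the netmask 255.255.254.0 is the one given in the post.
HOST_IFACE = ipaddress.ip_interface("192.168.0.10/255.255.254.0")


def classify(addr):
    """Return (zone_name, network, policy) for the most specific zone containing addr.

    Longest-prefix match: a /24 zone beats a broader zone even if listed later.
    Addresses in no configured zone are treated as Internet traffic.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net, policy in ZONES:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, policy)
    if best is None:
        return ("internet", None, "block-unsolicited")
    return best


def on_link(addr):
    """True if the host, with its 255.255.254.0 mask, considers addr a local-subnet peer."""
    return ipaddress.ip_address(addr) in HOST_IFACE.network


def untrusted_on_link():
    """Names of zones with a 'block' policy that sit inside the host's on-link subnet.

    Any such zone would be admitted by a naive 'trust my local subnet' rule, which is
    exactly the gap a rule set for this network has to close explicitly.
    """
    return [
        name
        for name, net, policy in ZONES
        if policy == "block" and net.subnet_of(HOST_IFACE.network)
    ]


if __name__ == "__main__":
    print("host on-link network:", HOST_IFACE.network)          # 192.168.0.0/23
    for sample in ("192.168.0.5", "192.168.1.50", "10.37.130.2", "203.0.113.7"):
        name, _, policy = classify(sample)
        print(f"{sample:>14}  zone={name:<20} policy={policy:<16} on_link={on_link(sample)}")
    print("untrusted zones inside the host subnet:", untrusted_on_link())
```

Running it shows 192.168.1.50 classified as guest-dhcp-untrusted (policy block) while on_link() still reports it as a local peer, which is why the untrusted range needs its own explicit block rule ordered ahead of any broad local-network allow rule rather than being left to the subnet mask.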

I am not sure whether this will work for you or not.

I also have VMplayer installed on my machine and it creates two additional networks which are bridged to your real (hardware) Ethernet adapter.

To allow internet access for your VM machine, do not block the virtual network card created by setup.
Sometimes it is observed that the DNS request is made by your real (hardware) adapter while the internet connection is performed by the virtual connector when you are using Linux on VMs.

Also, one VM adapter is for acquiring an IP address from DHCP; do not block it either if you want your guest OS to connect to the internet.

Adi

Right, done that. Wondering if there’s a way to set up CIS Firewall to allow Internet access to the VMs, but still protect the host from network-based viruses/spyware/malware, etc.?

The best way to protect your VM is to install the firewall in the VM itself, especially for outgoing traffic. The host CFP only sees the VM software (e.g. Virtualbox.exe) pushing traffic through, not each application that the guest OS is running.

Hope this makes sense.

Cheers

Had that thought earlier today … putting both firewall and anti-virus inside the VMs themselves. That’s probably what I’ll do.