Can 'not' block virtualbox traffic with firewall


Post by deanwarrenuk » 5. Sep 2019, 09:59

I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network. That is, I have some services on my local network that my VMs must access, but I want to block all traffic outside of the local network, e.g. to and from the Internet.

I am using Windows 10 and chose to use the Windows Firewall as the configuration can be added to group policy and enforced for all users. I note VirtualBox has several services and processes, and assume virtualboxvm.exe is the process for the running VM (?). I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound. However, when running a simple ping or browser on the VM, access to the Internet is still possible. My rule works fine when I change it to apply for all executables.

Any ideas why I cannot block VirtualBox network traffic via the Windows Firewall?

Re: Can 'not' block virtualbox traffic with firewall

Post by scottgus1 » 5. Sep 2019, 14:48

As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall. VirtualBox also does not contain a built-in way to block internet to a particular guest.

To block Internet from a guest, you need to Bridge the guest so it appears in your physical LAN along with all your other devices (yours is probably Bridged anyway so other devices can access the guest services), and so the network router can see the guest directly by IP address, MAC address, or guest OS network name. Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address. (Note that IP addresses can change unless you set up static IP in the guest OS.)

NAT and NAT network also allow internet into guests. I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.

Re: Can 'not' block virtualbox traffic with firewall

Post by socratis » 5. Sep 2019, 15:20

deanwarrenuk wrote: I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network
Then you got to block your VM at the router level. No magic on the host will do that for you. Unless if "local network (LAN)"="your host", then you could use a HostOnly network option. But this is not what you want. Once the packet has left your host (to access the LAN), there's nothing you can do about it. Only at the router level that connects LAN to Internet can you block it.

deanwarrenuk wrote: and assume virtualboxvm.exe is the process for the running VM (?)
Correct.

deanwarrenuk wrote: I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound
If the block was enforceable, you can forget about talking to the LAN, the packets couldn't leave your host.

deanwarrenuk wrote: My rule works fine when I change it to apply for all executables.
That's interesting... I wonder what could be "THE executable" that's affecting this. If you do block all executables (How?), do you have network traffic from your host?

scottgus1 wrote: As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall.
I think you're right Scott, since the Bridged filter is inserted at the driver level, way below the firewall has a chance of seeing it.

scottgus1 wrote: Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address
Hallelujah! That's what I've been saying ... no, wait... you said it first! :)

Take a look at the thread "How to keep virtual machine off the Internet?" that was recently discussed...

scottgus1 wrote: I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.
I don't think it does. Just like if you have multiple computers in your LAN and you're trying to use a tool like "What's my IP?", they all look the same; the router's IP...
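The replies above come down to blocking the guest at the router by MAC or IP, which only works for a Bridged adapter. As an added example (not code from any poster in this thread), this Python script parses the output of `VBoxManage showvminfo <vm> --machinereadable` to list each guest NIC's attachment mode and MAC and to pick out the ones a router rule can match. The sample output, VM name and MAC addresses are constructed.

```python
import re

# Constructed sample of `VBoxManage showvminfo "Win7" --machinereadable` output.
SAMPLE = '''name="Win7"
nic1="bridged"
macaddress1="080027A1B2C3"
cableconnected1="on"
nic2="nat"
macaddress2="080027D4E5F6"
cableconnected2="on"
nic3="none"
'''

# What the LAN router sees per attachment mode (bridged/NAT as in the thread).
ROUTER_VIEW = {
    "bridged": "own MAC/IP on LAN",
    "nat": "hidden behind host",
    "natnetwork": "hidden behind host",
    "hostonly": "never reaches LAN",
    "intnet": "never reaches LAN",
}

def parse_machinereadable(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    pairs = re.findall(r'^([^=\n]+)=(.*)$', text, re.MULTILINE)
    return {k.strip().strip('"'): v.strip().strip('"') for k, v in pairs}

def nic_inventory(text):
    """List every enabled guest NIC with its mode, MAC and router visibility."""
    info = parse_machinereadable(text)
    rows = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode in ("none", "null"):
            continue  # slot not present or adapter disabled
        n = m.group(1)
        raw = info.get(f"macaddress{n}", "")
        mac = ":".join(raw[i:i + 2] for i in range(0, len(raw), 2)).upper()
        rows.append({"vm": info.get("name", "?"), "slot": int(n), "mode": mode,
                     "mac": mac, "connected": info.get(f"cableconnected{n}") == "on",
                     "router_view": ROUTER_VIEW.get(mode, "unknown")})
    return sorted(rows, key=lambda r: r["slot"])

def router_filterable_macs(rows):
    """MACs a router rule can match: bridged NICs with the cable connected."""
    return [r["mac"] for r in rows if r["mode"] == "bridged" and r["connected"]]

if __name__ == "__main__":
    for row in nic_inventory(SAMPLE):
        print(row)
```

Any NIC reported as `nat` or `natnetwork` leaves the host with the host's own address, so a router rule written for the guest's MAC will not match it.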

