Can 'not' block virtualbox traffic with firewall
I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network. That is, I have some services on my local network that my VMs must access, but I want to block all traffic outside of the local network, e.g. to and from the Internet.
I am using Windows 10 and chose to use the Windows Firewall as the configuration can be added to group policy and enforced for all users. I note VirtualBox has several services and processes, and assume virtualboxvm.exe is the process for the running VM (?). I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound. However, when running a simple ping or browser on the VM, access to the Internet is still possible. My rule works fine when I change it to apply for all executables.
Any ideas why I cannot block VirtualBox network traffic via the Windows Firewall?
Re: Can 'not' block virtualbox traffic with firewall
As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall. VirtualBox also does not contain a built-in way to block internet to a particular guest.
To block Internet from a guest, you need to Bridge the guest so it appears in your physical LAN along with all your other devices (yours is probably Bridged anyway so other devices can access the guest services), and so the network router can see the guest directly by IP address, MAC address, or guest OS network name. Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address. (Note that IP addresses can change unless you set up static IP in the guest OS.)
NAT and NAT network also allow internet into guests. I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.
Re: Can 'not' block virtualbox traffic with firewall
deanwarrenuk wrote: I am trying to configure my Windows system such that I can block VirtualBox VM traffic to, for example, the Internet but not the local network
Then you got to block your VM at the router level. No magic on the host will do that for you. Unless if "local network (LAN)"="your host", then you could use a HostOnly network option. But this is not what you want. Once the packet has left your host (to access the LAN), there's nothing you can do about it. Only at the router level that connects LAN to Internet can you block it.
deanwarrenuk wrote: and assume virtualboxvm.exe is the process for the running VM (?)
Correct.
deanwarrenuk wrote: I then configure rules to block all protocols and ports for the virtualboxvm.exe for all networks (domain, private, public) both inbound and outbound
If the block was enforceable, you can forget about talking to the LAN, the packets couldn't leave your host.
deanwarrenuk wrote: My rule works fine when I change it to apply for all executables.
That's interesting... I wonder what could be "THE executable" that's affecting this. If you do block all executables (How?), do you have network traffic from your host?
scottgus1 wrote: As far as I know, VirtualBox attaches its networks further down the network stack and is not affected by the Windows Firewall.
I think you're right Scott, since the Bridged filter is inserted at the driver level, way below the firewall has a chance of seeing it.
scottgus1 wrote: Then use your router's Access Restrictions or Parental Controls, or whatever the router calls them, to block internet to your guest's PC name or MAC address or IP address
Hallelujah! That's what I've been saying ... no, wait... you said it first!
Take a look at the thread "How to keep virtual machine off the Internet?" that was recently discussed...
scottgus1 wrote: I do not know if it is possible to block a guest at the router when it is NATted or NAT-networked. If the guest MAC address appears it may be possible.
I don't think it does. Just like if you have multiple computers in your LAN and you're trying to use a tool like "What's my IP?", they all look the same; the router's IP...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
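An added example (not from the thread or from the VirtualBox project): a Python check that reads `VBoxManage showvminfo <vm> --machinereadable` output and reports, per adapter, whether the router-level block described in the replies above can target the guest. The sample output, VM name and MAC addresses are constructed, and the per-mode notes restate what the posters say rather than VirtualBox documentation.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''\
name="lab-guest"
nic1="bridged"
bridgeadapter1="Intel(R) Ethernet Connection"
macaddress1="080027A1B2C3"
cableconnected1="on"
nic2="nat"
macaddress2="080027D4E5F6"
cableconnected2="on"
nic3="hostonly"
hostonlyadapter3="VirtualBox Host-Only Ethernet Adapter"
macaddress3="0800270A0B0C"
cableconnected3="on"
nic4="none"
'''

# mode -> (can reach beyond the host, router can single out the guest), per the thread.
MODES = {
    "bridged": (True, True),       # guest appears on the LAN with its own MAC/IP
    "nat": (True, False),          # router only sees the host's address
    "natnetwork": (True, False),   # same as NAT from the router's point of view
    "hostonly": (False, False),    # traffic never leaves the host
}

def parse(text):
    """Turn key="value" lines into a dict."""
    return dict(re.findall(r'^([^=\s]+)="?(.*?)"?$', text, re.M))

def audit(text):
    """List attached adapters with the identifier a router rule would need."""
    info = parse(text)
    slots = [int(k[3:]) for k in info if re.fullmatch(r"nic\d+", k)]
    findings = []
    for n in sorted(slots):
        mode = info[f"nic{n}"]
        if mode in ("none", "null") or info.get(f"cableconnected{n}") == "off":
            continue  # adapter absent or unplugged: nothing to block
        leaves_host, router_block = MODES.get(mode, (False, False))
        raw = info.get(f"macaddress{n}", "")
        mac = ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))
        findings.append({"slot": n, "mode": mode, "mac": mac,
                         "leaves_host": leaves_host,
                         "router_can_block_guest": router_block})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Any adapter reported with `leaves_host` true and `router_can_block_guest` false is one where, per the replies, a router rule keyed on the guest's MAC or IP would not match.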