how to configure host firewall for vbox access
Posted: 12. Feb 2013, 03:13
by LMHmedchem
I am currently running Comodo ISP as the firewall on my host system (XP sp3). I see a variety of traffic from vbox and I can't seem to make sense of it. Some of the traffic originates from the IP of my host machine (192.168.10.168), some of the traffic originates from a different IP on my local net (192.168.56.1). The traffic from 192.168.56.1 is all UDP to 255.255.255.255 at a variety of ports. On my host system, applications are white listed, meaning that applications have to ask for internet access unless I have made a rule for that application. Such rules are pretty specific and I really only allow access to a few programs. Is there a write up somewhere for how vbox handles network traffic? Looking at these logs, there is no way to tell what application running in the VM is requesting access, so I have no effective way to monitor and limit traffic as I normally would. I either have to white list vbox, or approve each connection separately. I guess the alternative is to run Comodo ISP in the VM as well, but I was hoping to avoid that. For some of these VMs, I will just disable the network adapter once I have things set up since I will not need net access from the VM.
Is there any reading I can do on how folks handle this kind of thing?
LMHmedchem
Re: how to configure host firewall for vbox access
Posted: 12. Feb 2013, 08:02
by BillG
192.168.56.1 is the interface on the host computer which is used for host-only communication, i.e. for communication between the host and guest. The guest will also have a 192.168.56.x address if you have a NIC set to host only.
If you are not using the host only network (i.e. do not have a host only NIC in the guest), you can disable this interface (from network connections on the host).
If you are using bridged networking (I assume you are and that 192.168.10 is the IP subnet used on your physical LAN) the operation of the firewall will be unpredictable. In theory the firewall in the OS will not see the traffic from the vm at all, because it has its own MAC address and its own IP address. The filter driver should separate traffic addressed to (or coming from) the guest. In actual fact firewall software gets down into the network layer (using promiscuous mode) and can see the traffic going from the virtual to the physical networks. However, how it interprets it is not reliable because it is not really aware of how the virtual networking software works, or even that the virtual network exists.
If you want to control what traffic can leave the vm you will need to run firewall software in the vm itself (or at your gateway router).
Re: how to configure host firewall for vbox access
Posted: 12. Feb 2013, 18:45
by LMHmedchem
Thanks for the information, that is helpful. I am just learning how vbox works, so it is set up with the defaults for more or less everything. Networking is set up as NIC. Since I have not white listed vbox, I am getting a lot of prompts in my host firewall that appear to be related to the VM traffic. When I open ie in my VM, my host firewall gives me a prompt that vbox wants to connect to 8.26.56.26:53, which is my DNS (Comodo). If I approve that, I get a second request to connect to 255.255.255.255:137 (nbname), and I'm not sure what that is for. If I approve that, I get a request to connect to 173.194.115:80, which is at Google (my home page). Once ie is open, I don't get prompts for every connection that the browser makes. I get similar connection patterns with firefox. I also get connections from vbox to 255.255.255.255:138 (ndbgram).
It would be nice to have this set up as you were describing bridged networking. This would let me separate the traffic from vbox (updates and such) from the traffic of applications running in the VM. I can run a firewall in the VM if I need to. Many of the VMs I end up with will have disabled network adapters, since they don't need to do anything on line. Can I switch a VM to bridged networking, or do I need to start again?
LMHmedchem
Re: how to configure host firewall for vbox access
Posted: 13. Feb 2013, 01:40
by BillG
Ports 137-139 are the Netbios ports. They will also be name resolution, but using Netbios names not DNS names. Port 80 is HTTP, so you would expect a web page request to use it.
You can use bridged mode if your host machine is connected to a LAN. You cannot use it if your host is directly connected to the Internet. Just assign your NIC to bridged mode in the network settings of the vm and select the physical NIC to bridge to.
Re: how to configure host firewall for vbox access
Posted: 13. Feb 2013, 06:54
by LMHmedchem
BillG wrote: You can use bridged mode if your host machine is connected to a LAN. You cannot use it if your host is directly connected to the Internet. Just assign your NIC to bridged mode in the network settings of the vm and select the physical NIC to bridge to.
My host machine is on a LAN router (sofaware). When I go to the network settings, if I change "Attached to" from "NAT" to "bridged adapter", I get a warning that "no bridged adapter is selected". The only option under "Name" is "not selected". It won't let me use those settings, so I must be missing a step here. Under file > settings > network, under the list of host only networks, there is one host only network listed. I can add a second host only network to the list, but that doesn't do anything. Am I missing something in my install? Having host only networks doesn't seem to make sense for what I am doing, since I am trying to set up the guest to have its own address on my local net.
LMHmedchem
Re: how to configure host firewall for vbox access
Posted: 13. Feb 2013, 08:23
by BillG
I can't see your physical machine, so you need to be more specific about how it is set up.
Using a software router is fine, as long as your host actually connects to it using a physical NIC plugged into a physical switch. The filter driver for bridged networking has to work with the driver in the host OS for the physical NIC. If this NIC is not showing up as selectable for bridging, VirtualBox does not see it as a NIC.
If you do have a physical NIC in the host, can you see it from Network Connections in XP?
Re: how to configure host firewall for vbox access
Posted: 13. Feb 2013, 19:43
by LMHmedchem
BillG wrote: I can't see your physical machine, so you need to be more specific about how it is set up.
Using a software router is fine, as long as your host actually connects to it using a physical NIC plugged into a physical switch. The filter driver for bridged networking has to work with the driver in the host OS for the physical NIC. If this NIC is not showing up as selectable for bridging, VirtualBox does not see it as a NIC.
If you do have a physical NIC in the host, can you see it from Network Connections in XP?
I guess I wasn't clear, "Sofaware" is the brand of my hardware router, it's not a software router. My connection is typical with a NIC on my motherboard, connected to my router, connected to my cable modem. In my host XP Network Connections, I have:
1394 connection
Local Area Connection
Local Area Connection 2 (my motherboard has dual LAN)
VirtualBox Host-Only Network
It seems that there were some options for this kind of thing in the vbox installer, but I don't quite remember.
LMHmedchem
Re: how to configure host firewall for vbox access
Posted: 14. Feb 2013, 05:43
by BillG
You should be able to link to either of the LACs.
The option in the VirtualBox setup is to not install host only and bridged networking. By default they are both installed.
When you look at the properties of each NIC from XP, do you see an entry for VirtualBox Bridged Networking Driver? Is there a check mark in the box? If there is, you should be able to select either of them for bridging from the vm settings.
Re: how to configure host firewall for vbox access
Posted: 14. Feb 2013, 19:02
by LMHmedchem
The virtual box bridged networking driver was not in the list. I must have somehow not got it installed. I decided to uninstall and reinstall vbox and everything is working now. I was able to change over my VMs to bridged networking and everything seems to be working properly now. When I start a VM, the IP for the VM shows up on my firewall control panel, and when I make a connection from inside a VM, I am not getting an alert on my host firewall, so it looks like everything is good. I will have to run appropriate firewalls in my VMs, or else disable the VM network card.
Thanks for all the help. There is no substitute for users who have done it all before, so thanks for sharing your experience.
LMHmedchem
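An added example, not part of the thread and not VirtualBox's own code: a small audit that reads `VBoxManage showvminfo <vm> --machinereadable` output and flags the NICs for which, per the discussion above, the guest has to be firewalled itself (or the adapter disabled) because the host firewall cannot be relied on. The sample output, VM name and field names in the findings are constructed for illustration.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (hypothetical VM; adapter names follow the thread's Network Connections list).
SAMPLE_VMINFO = '''\
name="xp-test"
nic1="bridged"
bridgeadapter1="Local Area Connection"
cableconnected1="on"
nic2="hostonly"
hostonlyadapter2="VirtualBox Host-Only Network"
cableconnected2="on"
nic3="nat"
cableconnected3="off"
nic4="none"
'''

# How each attachment mode looks to a per-application host firewall (per the thread).
NOTES = {
    "nat": "host firewall attributes all guest traffic to the VirtualBox process",
    "bridged": "guest has its own MAC/IP; host firewall filtering is unreliable",
    "hostonly": "host<->guest only, via the host-only interface (192.168.56.1)",
}

def parse_vminfo(text):
    """Parse key="value" lines (keys may be quoted too) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip().strip('"')
    return info

def audit_nics(text):
    """Return one finding per configured NIC slot, ordered by slot number."""
    info = parse_vminfo(text)
    slots = sorted(int(k[3:]) for k in info if re.fullmatch(r"nic\d+", k))
    findings = []
    for slot in slots:
        mode = info[f"nic{slot}"]
        if mode == "none":          # adapter not present in the VM
            continue
        connected = info.get(f"cableconnected{slot}", "on") == "on"
        adapter = info.get(f"bridgeadapter{slot}") or info.get(f"hostonlyadapter{slot}")
        findings.append({"slot": slot, "mode": mode, "adapter": adapter,
                         "connected": connected,
                         # Bridged and connected: control traffic inside the guest.
                         "needs_guest_firewall": connected and mode == "bridged",
                         "note": NOTES.get(mode, "not covered in the thread")})
    return findings
```

To audit a real VM, pass the text printed by `VBoxManage showvminfo "<vm name>" --machinereadable` to `audit_nics` instead of the sample.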
Re: how to configure host firewall for vbox access
Posted: 15. Feb 2013, 05:04
by BillG
Glad to hear that you sorted it out. Re-installing VirtualBox was the correct next step.