Airmaster Posted May 29, 2019

I would like some advice in securing virtual machines so that they cannot connect to Unraid network shares or my LAN.

My configuration:
- pfSense on its own computer, with three NICs: WAN, LAN (10.99.2.X/24), and Other (10.99.3.X/24)
- Unraid w/ 4 NICs, one on LAN (10.99.2.10, br0) and one on Other (10.99.3.10, br2); Other is directly connected to the pfSense machine, no switch
- Ubuntu VM, currently on br2

pfSense rules (plan to port forward 25565 to whatever IP the Minecraft server has):
- Block access from Other to LAN
- Allow access from Other to All

One concern I have is that the VM can access Unraid through 10.99.3.10. Is this an issue? Can you block this access? I don't have SMB installed on Ubuntu, and plan to run Minecraft from a non-administrator (I hate calling it that, but Ubuntu seems to not really have a root, just a sudo).

Another option I have seen is to use virbr0, and I know that it is supposed to deny network access, but allow outgoing WAN. The documentation isn't clear if I can port forward to it so that it supports Minecraft (incoming WAN). Also, what subnet does virbr0 use, 10.99.2.x or 10.99.3.x? I didn't see where it was configured, just that it was automatically created.

Any problems with either solution, virbr0 or br2?

Airmaster Posted May 31, 2019

It seems that regardless of virbr0 or br2, it's not possible to prevent a VM from accessing an Unraid network share, unless you set them all to secure or private. Is this the case?

Airmaster Posted May 31, 2019

I did find this thread, but some of the advice makes no sense. One recommendation was to use a separate subnet and block traffic at the router between them, but my access to Unraid shares is on the connection to the same subnet (10.99.3.x) that the VM is on, and that doesn't pass through the router. It isn't like I can't assign a 3.x address to the router, if I want to be able to bridge it to the VM.

Airmaster Posted May 31, 2019

Well, no responses, so I just went into the Ubuntu VM, and used ufw:

    sudo ufw allow 25565
    sudo ufw deny out from any to 10.99.3.10

That seems to work. Allows Minecraft in, and blocks access to Unraid.
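
An added example, not part of the original post: a shell check that the two ufw rules from the post above are actually in place, run over the text of `ufw status verbose`. The function name audit_ufw and the sample status text are constructed for illustration; the address and port are the ones given in the thread.

```shell
#!/bin/sh
# Added example: audit ufw status output for the two rules from the post.
UNRAID_IP="10.99.3.10"   # Unraid address on br2, from the thread
MC_PORT="25565"          # Minecraft port, from the thread

# Constructed sample of `sudo ufw status verbose` after applying both rules.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
25565                      ALLOW IN    Anywhere
10.99.3.10                 DENY OUT    Anywhere
25565 (v6)                 ALLOW IN    Anywhere (v6)'

# audit_ufw STATUS_TEXT: prints one finding per line, returns 0 only if all pass.
audit_ufw() {
  audit_text="$1"
  audit_rc=0
  # Rules are listed even when ufw is inactive, so check the status line first.
  if ! printf '%s\n' "$audit_text" | grep -qx 'Status: active'; then
    echo "FAIL: ufw is not active, so no rule is enforced"; audit_rc=1
  fi
  # Field 1 is the destination, fields 2-3 the action and direction.
  if ! printf '%s\n' "$audit_text" | awk -v ip="$UNRAID_IP" \
      '$1==ip && $2=="DENY" && $3=="OUT" {f=1} END{exit !f}'; then
    echo "FAIL: no DENY OUT rule for $UNRAID_IP"; audit_rc=1
  fi
  # Non-verbose status prints "ALLOW" without "IN", so accept both forms.
  if ! printf '%s\n' "$audit_text" | awk -v p="$MC_PORT" \
      '($1==p || $1==p"/tcp") && $2=="ALLOW" && ($3=="IN" || $3=="Anywhere") {f=1} END{exit !f}'; then
    echo "FAIL: no ALLOW IN rule for port $MC_PORT"; audit_rc=1
  fi
  [ "$audit_rc" -eq 0 ] && echo "OK: $MC_PORT allowed in, $UNRAID_IP blocked out"
  return "$audit_rc"
}

# On the VM itself: audit_ufw "$(sudo ufw status verbose)"
audit_ufw "$SAMPLE_STATUS"
```

Both rules are enforced inside the guest, so this check only shows that the VM's own firewall is configured as posted; an account with sudo in the VM can change them.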