Fun with virtual machines

I have been a big fan of virtualization for a long time.  I like experimenting with computers, operating systems, servers and the like, and virtualization makes it really easy.

Some time ago, the early Killer NICs basically included an embedded Linux system that could provide various network services.  I have been using Windows 8 and Client Hyper-V since Windows 8 was released, and it can build a similar configuration out of virtual machines.

In Hyper-V there are three types of virtual network switch.  The first is External, which bridges the hardware network card with any virtual machines on the switch; it also provides the option to create a virtual link on the host so that the host can still connect to the external network.

The second is Internal, which provides both the virtual machines and the host with links to the switch, but does not connect to the external network.

The last is a private switch which only connects the virtual machines.

All of these switches work more or less like physical switches, and the idea here is to create a Virtual Machine to bridge the Host, on an Internal Switch, to the rest of the network on an External Switch.  As the traffic passes through this virtual machine, it can be analyzed, processed, or otherwise managed.

For my experiment I used FreeBSD, in particular the FreeBSD 10 stable amd64 snapshot for Hyper-V found in the appropriate section here: ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/VM-IMAGES/ . I chose FreeBSD because of its reputation for security and high-performance networking, along with ipfw, which is built into the kernel.

I created a virtual External switch attached to my hardware network adapter, without connecting the host to it.  I then created an Internal switch with a host connection.  I attached both of these switches to the FreeBSD virtual machine.  In the Hyper-V advanced settings for each of these network adapters, “Enable MAC Address Spoofing” must be turned on, since the bridge forwards frames carrying MAC addresses other than the adapter's own.

In FreeBSD’s rc.conf file, I used the following to bridge the network adapters, and enable ipfw.

 # /etc/rc.conf (excerpt)
 cloned_interfaces="bridge0"                    # create the bridge interface at boot
 ifconfig_bridge0="addm hn0 addm hn1 SYNCDHCP"  # make both Hyper-V NICs members; bridge0 itself gets an address via DHCP
 ifconfig_hn0="up"                              # bridge members carry no address of their own
 ifconfig_hn1="up"
 firewall_enable="YES"                          # load ipfw at boot
 firewall_script="/etc/ipfw.rules"              # rule set to load instead of the stock /etc/rc.firewall

You do not have to use the SYNCDHCP option.  If you omit it, the FreeBSD machine has no Layer 3 network connection of its own, but it can still be configured through the Hyper-V manager.  You can install and use whatever network management, intrusion detection, packet filtering, packet capturing, or packet modification tools you like.  Other software such as bind or squid could also be run on the virtual machine to provide things like ad blocking.  A firewall configured this way is completely transparent to the Windows operating system.
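The rc.conf above points firewall_script at /etc/ipfw.rules but the post does not show that file. The following is an added example of a minimal stateful rule set for the transparent bridge; it is not the post's own script. It assumes hn0 is the member on the External switch (outside) and hn1 the member on the Internal switch (Windows host side), and that ipfw sees bridged IP packets on each member interface (FreeBSD's default net.link.bridge.pfil_member=1); the DRY_RUN switch is a convenience added here so the rule set can be reviewed on a machine without ipfw.

```shell
#!/bin/sh
# /etc/ipfw.rules: stateful rules for the hn0 (outside) <-> hn1 (host side) bridge.
# Added example, not from the original post. DRY_RUN=1 prints the ipfw
# commands instead of loading them.

fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

load_rules() {
    fwcmd -f flush
    # Loopback, then flows already recorded by keep-state below.
    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 200 check-state
    # DHCP in both directions, so the Windows host (and bridge0 itself when
    # SYNCDHCP is used) can obtain a lease through the bridge.
    fwcmd add 300 allow udp from any 68 to any 67
    fwcmd add 310 allow udp from any 67 to any 68
    # Anything the host side originates is allowed and remembered; the reply
    # arriving on hn0 then matches check-state above.
    fwcmd add 400 allow ip from any to any in recv hn1 keep-state
    # Unsolicited traffic from the outside is dropped and logged
    # (logging needs firewall_logging="YES" in rc.conf).
    fwcmd add 500 deny log ip from any to any in recv hn0
    # Everything else, e.g. the second pass of an already allowed packet on
    # the other member interface, is passed so the bridge stays transparent.
    fwcmd add 65000 allow ip from any to any
}

# Load the rules when run as the rc firewall script on FreeBSD; elsewhere
# nothing is loaded, and DRY_RUN=1 prints the set for review.
if [ -x /sbin/ipfw ] || [ "${DRY_RUN:-0}" = "1" ]; then
    load_rules
fi
```

Run `DRY_RUN=1 sh /etc/ipfw.rules` to see exactly what `service ipfw start` would load.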

Do keep in mind that this will not protect you from anyone who has administrative privileges on the host operating system: with those privileges they can simply reconfigure the External switch in Hyper-V to include the host operating system and bypass the firewall.
