VMware

VMware Workstation 5.5

Features | Documentation | Knowledge Base | Discussion Forums

previous Prev   Contents   Last   Next next

Avoiding IP Packet Leakage in a Host-Only Network

By design, each host-only network should be confined to the host machine on which it is set up. That is, no packets sent by virtual machines on this network should leak out to a physical network attached to the host. Packet leakage can occur only if a machine actively forwards packets. It is possible for the host machine or any virtual machine running on the host-only network to be configured in a way that permits packet leakage.

Windows Hosts

Systems using server versions of Windows 2000 are capable of forwarding IP packets that are not addressed to them. By default, however, these systems come with IP packet forwarding disabled. IP forwarding is not an issue on Windows 2000 Professional, Windows XP Professional or Windows XP Home Edition hosts.

If you find packets leaking out of a host-only network on a Windows 2000 host computer, check to see if forwarding has been enabled on the host machine. If it is enabled, disable it.

On a Windows 2000 or Windows Server 2003 host, go to Start > Programs > Administrative Tools > Routing and Remote Access. An icon on the left is labeled with the host name. If a green dot appears over the icon, IP forwarding is turned on. To turn it off, right-click the icon and disable Routing and Remote Access. A red dot appears, indicating that IP forwarding is disabled.

Windows 2000 Professional Users: The Windows 2000 Administration Tools are not installed on a Windows 2000 Professional system. However, you can install these tools from a Windows 2000 Server or Windows 2000 Advanced Server CD-ROM.

To install Windows 2000 Administration Tools on a local computer:

1. Open the i386 folder on the applicable Windows 2000 Server disc.

2. Double-click the adminpak.msi file. Follow the instructions that appear in the Windows 2000 Administration Tools Setup wizard.

3. After Windows 2000 Administration Tools are installed, you can access most of the server administrative tools by choosing Start > Programs > Administrative Tools.

Linux Hosts

If you find packets leaking out of a host-only network on a Linux host computer, check to see if forwarding has mistakenly been enabled on the host machine. If it is enabled, disable it.

For many Linux systems, disable forwarding by writing a 0 (zero) to the special file
/proc/sys/net/ipv4/ip_forward. As root, enter this command:

echo 0 > /proc/sys/net/ipv4/ip_forward

Other Linux systems have a system configuration option that you can set. The method depends on your Linux distribution. You may use a control panel, specify a setting at the time you compile your kernel, or possibly enter a specification when you boot your system. Consult your operating system documentation for details on the method to use with your particular distribution.

Using Filtering

If the host computer has multiple network adapters, it may be intentionally configured to do IP forwarding. If that is the case, you do not want to disable forwarding. In that case, to avoid packet leakage you must enable a packet filtering facility and specify that packets from the host-only network should not be sent outside the host computer. Consult your operating system documentation for details on how to configure packet filtering.

Leaks from a Virtual Machine

Virtual machines may leak packets, as well. For example, if you use Dial-Up Networking support in a virtual machine and packet forwarding is enabled, host-only network traffic may leak out through the dial-up connection.

To prevent the leakage, be sure packet forwarding is disabled in your guest operating system.

previous Prev   Contents   Last   Next next