
Parallels, How do I stop it accessing the internet?



muddie@mac.com
14th November 2007, 09:51 AM
We have a few programs in the office that are Windows-only, so we have to have Parallels installed on our Macs (there are a few real PCs but not many).

My problem is that our receptionist's Mac is constantly getting ad/spyware etc.
I have told her a million times not to access anything internet-related from Parallels, like Internet Explorer, MSN etc., and she swears black and blue that she doesn't. I have tried to uninstall them from Windows but it won't let me, of course.

So here is my question: Is there any way I can completely block all internet communications from Parallels but still allow it to have local network communication? (The PC programs in question require connection to our server, so I can't block all network communication.)
This may be a Windows setting somewhere but I have no idea.

BTW: Just in case it's relevant, I'm running XP SP2 and the Parallels version is 3188 (all completely legit copies).
Thank you all.

x0nt
14th November 2007, 09:57 AM
There are many ways this can be done.

One example:

You only want her accessing the company server?
Put the company server's IP address in the hosts file to direct all requests to that address.


Another:
Install a firewall and deny all traffic except to the certain IP or IP range.

decryption
14th November 2007, 10:03 AM
Install Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) - it can block internet access on an application level, so just block Parallels from within Little Snitch

purana
14th November 2007, 10:05 AM
Doesn't Parallels allow 3 different network interfaces to be configured? I know Fusion does (Bridged, NAT and Host Only).

coljac
14th November 2007, 10:37 AM
Installing a firewall might be a good idea.

A quick fix I would do is simply disable DNS on the Parallels host - configure the networking to use 127.0.0.1 as the DNS server. She's unlikely to get malware if she can't surf the web.

Edit: Even better, configure your router to deny packets from the Parallels host's IP. Most routers can do this.

Failing that, configure the default gateway in Parallels to be bogus using the network settings or route. That way, any packets destined for outside the network will not know where to go:

http://myskitch.com/coljac/dock-20071114-114326.jpg

muddie@mac.com
14th November 2007, 10:53 AM
> Install Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) - it can block internet access on an application level, so just block Parallels from within Little Snitch

I tried this with the latest version of Little Snitch. I set up a rule that denied any network communication from Parallels and it did nothing at all.
I think that because it shares a network connection it doesn't see the traffic as coming from Parallels.
How would I catch it otherwise? Little Snitch is not flagging any communications at all when I access anything through Parallels.

muddie@mac.com
14th November 2007, 10:58 AM
> There are many ways this can be done.
>
> One example:
>
> You only want her accessing the company server?
> Put the company server's IP address in the hosts file to direct all requests to that address.
>
> Another:
> Install a firewall and deny all traffic except to the certain IP or IP range.

Any suggestions for firewall software?

muddie@mac.com
14th November 2007, 11:00 AM
> Installing a firewall might be a good idea.
>
> A quick fix I would do is simply disable DNS on the Parallels host - configure the networking to use 127.0.0.1 as the DNS server. She's unlikely to get malware if she can't surf the web.
>
> Edit: Even better, configure your router to deny packets from the Parallels host's IP. Most routers can do this.
>
> Failing that, configure the default gateway in Parallels to be bogus using the network settings or route. That way, any packets destined for outside the network will not know where to go:


I think Parallels shares an IP address with the Mac which would stop all internet access from there as well. I will explore using a separate IP for Parallels.


Thank you all for your suggestions to date. I appreciate all comments.

coljac
14th November 2007, 11:12 AM
> I think Parallels shares an IP address with the Mac which would stop all internet access from there as well. I will explore using a separate IP for Parallels.

You need to set up the VM for bridged networking instead of shared networking. Then it will have its own IP and appear like any other host on the LAN. At this point IP filtering or just putting in a null default gateway will do the trick.

mab
14th November 2007, 11:55 AM
Set the VM with a static IP address and then block that IP at the border firewall/router.

Currawong
14th November 2007, 01:56 PM
Set up the VM with a static IP but don't put in any gateway address. Then it can't access the internet as there's no route.

Or, in the VM settings, give it no network interface.

purana
14th November 2007, 02:02 PM
> Or, in the VM settings, give it no network interface.

OP states it still needs to access some internal network stuff, so it will require an interface in any case to do that.
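
The three options raised in this thread (DNS pointed at 127.0.0.1, a blank default gateway, a router block on the VM's static IP), modelled as an added example that is not part of the original thread. All addresses are constructed, and the routing logic is a simplified model of a guest's egress decision, not Parallels or Windows code.

```python
import ipaddress

# Constructed addresses for illustration (not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")  # office LAN
SERVER = "192.168.1.10"                       # company server
VM_IP = "192.168.1.50"                        # static IP of the bridged VM
GATEWAY = "192.168.1.1"                       # border router
EXTERNAL = "203.0.113.7"                      # documentation-range internet host


def guest_egress(dest, gateway=GATEWAY, dns_works=True, router_blocks=()):
    """Return what happens to traffic the guest sends to `dest`.

    dest          -- IP literal or hostname
    gateway       -- guest default gateway, None if left blank
    dns_works     -- False models DNS pointed at 127.0.0.1
    router_blocks -- source IPs the border router drops outbound
    """
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # A hostname needs a working resolver before any packet is sent.
        if not dns_works:
            return "blocked: name does not resolve"
        ip = ipaddress.ip_address(EXTERNAL)  # assumption: public names are off-LAN
    if ip in LAN:
        return "delivered on-link"           # same subnet: no gateway or router involved
    if gateway is None:
        return "blocked: no route"           # nowhere to forward off-subnet traffic
    if VM_IP in router_blocks:
        return "blocked: dropped at router"
    return "delivered via gateway"


def compare(option_kwargs):
    """Outcome for the LAN server, a web hostname and a raw external IP."""
    targets = (SERVER, "www.example.com", EXTERNAL)
    return [guest_egress(t, **option_kwargs) for t in targets]


if __name__ == "__main__":
    options = {
        "DNS set to 127.0.0.1": {"dns_works": False},
        "blank default gateway": {"gateway": None},
        "router drops VM's IP": {"router_blocks": (VM_IP,)},
    }
    for name, kwargs in options.items():
        print(f"{name:24}", compare(kwargs))
```

In this model the DNS-only option still delivers traffic addressed to a raw external IP, while the blank gateway and the router block both stop it and leave the LAN server reachable.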

muddie@mac.com
14th November 2007, 04:12 PM
Thanks Everyone!
I have blocked all outbound communication on our router for the IP of the Parallels install (which is bridged for a unique IP) and it works well.

I now have another question if you don't mind.
Another one of our Parallels installs had a cow yesterday and now will not boot at all. The only problem is that the installer will not uninstall (it says there is no current installation) nor reinstall. (The installer just hangs there for hours doing nothing.) I know the install disk is fine as it works on other computers. I did try downloading the latest Parallels beta to see if that would install, but it does the same thing, hangs.

I have opened package contents on the installer and un-gzipped the packages inside to see what it installs and where, and manually removed all traces of the program, but it has made no difference at all.

Also, as a side note, I restored Parallels from a Time Machine backup and it still would not start up. (Gee, thanks for that.)