I realize I'm not getting a lot of questions answered here lately, and I'm going to presume that this is for legitimate reasons (i.e., people don't know or are too busy to think about it), not because they seem stupid (if they do, please tell me, on the list or privately).
I run Windows as a VMware guest on top of my CentOS host, and I generally have not used a firewall on the guest. This is partly because I only run it rarely, and it seems like a waste when it's running on a host that has its own, pretty effective firewall, but today I began to wonder - would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
Opinions welcome.
Thanks.
mhr
On Fri, 2009-12-11 at 13:50 -0800, MHR wrote:
> I realize I'm not getting a lot of questions answered here lately, and I'm going to presume that this is for legitimate reasons (i.e., people don't know or are too busy to think about it), not because they seem stupid (if they do, please tell me, on the list or privately).
> I run Windows as a VMware guest on top of my CentOS host, and I generally have not used a firewall on the guest. This is partly because I only run it rarely, and it seems like a waste when it's running on a host that has its own, pretty effective firewall, but today I began to wonder - would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
> Opinions welcome.
Disclaimer: This is just my own opinion, on a good day maybe worth $0.02 (US).
I'd say that my circumstances are pretty similar to yours in that I run the Windoze VM occasionally for non-critical uses (most of the time). My network is protected by a separate CentOS 5 box with Shorewall as a front-end for iptables, and I feel as secure as anyone has a right to while still having an active Internet connection. ;>
So far, my practice has been to just run with the Windoze firewall enabled, and I do that mostly to keep the rest of that miserable excuse for an OS from whining about no detectable firewall in place, rather than in any expectation that it will actually prevent something bad from happening. I also have Windoze 2000 VMs with no firewall, and as far as I know nothing bad has slid onto my network.
The bottom line is that in a VM protected by a "real" firewall, I see no particular need for another waste of system resources on an OS that wastes too much already. ;>
> Thanks.
> mhr
On Fri, Dec 11, 2009 at 4:50 PM, MHR mhullrich@gmail.com wrote:
> I realize I'm not getting a lot of questions answered here lately, and I'm going to presume that this is for legitimate reasons (i.e., people don't know or are too busy to think about it), not because they seem stupid (if they do, please tell me, on the list or privately).
> I run Windows as a VMware guest on top of my CentOS host, and I generally have not used a firewall on the guest. This is partly because I only run it rarely, and it seems like a waste when it's running on a host that has its own, pretty effective firewall, but today I began to wonder - would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
> Opinions welcome.
> Thanks.
> mhr
This depends on how you have the guest network setup. If it's in bridged mode, then the firewall on the host does nothing to protect the guest. If you're running NAT mode, then that's sort of like a (consumer) firewall already, so should be pretty safe.
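An added example, not part of the original thread: a small Python check that reads a VMware .vmx file and reports which virtual adapters are bridged, the case the reply above says the host firewall does not cover. The sample configuration is constructed, and treating a missing `connectionType` as bridged is an assumption about VMware's default.

```python
import re

# Constructed sample .vmx fragment (not taken from the thread).
SAMPLE_VMX = '''\
displayName = "winxp-guest"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet3.present = "FALSE"
ethernet3.connectionType = "bridged"
'''

LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$', re.I)

# How each mode relates to the host's packet filter, following the reply above.
VERDICT = {
    "nat": "behind host NAT, comparable to a consumer router",
    "hostonly": "private network between host and guest only",
    "bridged": "directly on the LAN: host firewall is not in the path",
}

def audit_vmx(text):
    """Return {adapter_index: (mode, verdict)} for every present adapter."""
    nics = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            idx, key, val = int(m.group(1)), m.group(2).lower(), m.group(3)
            nics.setdefault(idx, {})[key] = val
    report = {}
    for idx, cfg in sorted(nics.items()):
        if cfg.get("present", "FALSE").upper() != "TRUE":
            continue  # adapter disabled, nothing to assess
        # Assumption: a missing connectionType means bridged (VMware default).
        mode = cfg.get("connectiontype", "bridged").lower()
        report[idx] = (mode, VERDICT.get(mode, "custom vmnet: check its mapping"))
    return report

def needs_guest_firewall(text):
    """Adapters where only a guest-side firewall filters inbound traffic."""
    return [i for i, (mode, _) in audit_vmx(text).items() if mode == "bridged"]

if __name__ == "__main__":
    for idx, (mode, verdict) in audit_vmx(SAMPLE_VMX).items():
        print(f"ethernet{idx}: {mode:8} {verdict}")
```
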
On Fri, Dec 11, 2009 at 2:07 PM, Brian Mathis brian.mathis@gmail.com wrote:
> This depends on how you have the guest network setup. If it's in bridged mode, then the firewall on the host does nothing to protect the guest. If you're running NAT mode, then that's sort of like a (consumer) firewall already, so should be pretty safe.
Excellent point - I should have said: I run in NAT mode, mainly because I can use SAMBA in NAT mode but I never could get the SAMBA mounts from Win-guest to work with the CentOS host in bridged mode. Probably just my own ineptitude with SAMBA, but in NAT it works fine (with the exact same smb.conf...).
Many thanks.
mhr
On Fri, Dec 11, 2009 at 1:50 PM, MHR mhullrich@gmail.com wrote:
> I realize I'm not getting a lot of questions answered here lately, and I'm going to presume that this is for legitimate reasons (i.e., people don't know or are too busy to think about it), not because they seem stupid (if they do, please tell me, on the list or privately).
> I run Windows as a VMware guest on top of my CentOS host, and I generally have not used a firewall on the guest. This is partly because I only run it rarely, and it seems like a waste when it's running on a host that has its own, pretty effective firewall, but today I began to wonder - would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
In addition to running Microsoft's free firewall, I also run Microsoft's antivirus/malware software which is also free.
This is on a dual boot netbook - and I typically only use Windows for either my MagicJack phone or debugging user issues.
Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
> would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
Yes, using ZA is a bad idea. XP has its own firewall which is enabled by default if you are patched up-to-date. Keep that on.
Kai
On Sat, Dec 12, 2009 at 4:31 AM, Kai Schaetzl maillists@conactive.com wrote:
> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by default if you are patched up-to-date. Keep that on.
Now you've sparked my curiosity - how is the XP firewall any better than ZA?
Also, in regard to other answers I've seen on the list, since I'm using NAT, isn't another firewall just a waste?
Thanks.
mhr
Mhr wrote on Sat, 12 Dec 2009 12:09:17 -0800:
> Now you've sparked my curiosity - how is the XP firewall any better than ZA?
ZA is not just a firewall. Googling will tell you about the problems with it.
> Also, in regard to other answers I've seen on the list, since I'm using NAT, isn't another firewall just a waste?
A host firewall can still help against threats from within the network. Also, the XP firewall takes little resources.
Kai
Kai Schaetzl wrote:
> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
>> would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by default if you are patched up-to-date. Keep that on.
Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from the fairly heavy duty folks I know who support WinDoze is that the std for non-commercial is ZoneAlarm.
mark
mark wrote:
> Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from the fairly heavy duty folks I know who support WinDoze is that the std for non-commercial is ZoneAlarm.
I'm not sure what WinDoze is, sounds like a new sleeping aid.
Pretty much everyone I know who commercially supports Microsoft Windows users can't stand ZoneAlarm, its constant yammering about meaningless things is just annoying, and end users either end up shutting it off, or click the wrong button and then can't figure out why their programs aren't working. As of XP SP2 and later, the integral Windows Firewall works just fine. It blocks all inbound unsolicited traffic and it doesn't interfere with the software already running on your computer. It's fully configurable by group policies for domain managed sites.
But, this is -far- off topic for a CentOS list.
> Huh? I've *NEVER* heard great things about WinDoze firewall...
That's only because the interface for it is far too complicated for most people to comprehend. Netsh and/or the registry.
Simply because what the GUI reveals is little of the feature scope, most think it doesn't do much. It's almost like iptables in capacity (almost I said) with some additional functionality in that it can control access on a program by program basis. Pretty "great" if you ask me :)
From: mark m.roth@5-cent.us
> Kai Schaetzl wrote:
>> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
>>> would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
>> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by default if you are patched up-to-date. Keep that on.
> Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from the fairly heavy duty folks I know who support WinDoze is that the std for non-commercial is ZoneAlarm.
Personally, I use ZoneAlarm 'mainly' for the outbound blocking. I like to know (and allow/disallow) when an application tries to phone home...
JD
John Doe wrote:
> From: mark m.roth@5-cent.us
>> Kai Schaetzl wrote:
>>> Mhr wrote on Fri, 11 Dec 2009 13:50:27 -0800:
>>>> would it be a bad idea (or a complete waste) to use a firewall, like ZoneAlarm, on my Windows guest OS?
>>> Yes, using ZA is a bad idea. XP has its own firewall which is enabled by default if you are patched up-to-date. Keep that on.
>> Huh? I've *NEVER* heard great things about WinDoze firewall, and the std. from the fairly heavy duty folks I know who support WinDoze is that the std for non-commercial is ZoneAlarm.
> Personally, I use ZoneAlarm 'mainly' for the outbound blocking. I like to know (and allow/disallow) when an application tries to phone home...
> JD
Personally, I have had Zone Alarm mess up its ACL a few times and block applications in its allow list. I normally firewall elsewhere & use Windows Firewall for internal stuff; the Windows Firewall in Windows 7 supports an ACL for inbound and outbound rules.
HTH