VirtualBox

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#12911 closed enhancement (wontfix)

Enhancement request: new network mode - Sandbox -> doable without support in VirtualBox

Reported by: scottgus1bug
Owned by:
Component: network/NAT
Version:
Keywords: network sandbox nat
Cc:
Guest type: all
Host type: all

Description

(This request was posted on the user forum here: https://forums.virtualbox.org/viewtopic.php?f=9&t=51729. PerryG suggested I post it in the bugtracker, too.)

I propose a new network mode, along with Bridged, NAT, Internal, etc., which sandboxes a guest so it can get internet access through the virtual NIC but no other network access on the host LAN.

As of version 4.2.16, a guest on NAT network settings, in addition to getting internet access, can also access other host network resources in other IP address ranges besides the range NAT provides. My test guest had a 10.0.2.15 IP address, and I could ping and open shared folders on my 192.168.0.### physical LAN the host is connected to. I understand this is expected behavior for NAT.

However, I've read of some folks on the forum wishing to use guests as sandboxes, keeping internet access only on a guest, or for testing or isolating viruses. Since the guest can access the host's LAN at least by IP address, these users aren't as secure as they think they are. Some other users and I (https://forums.virtualbox.org/viewtopic.php?f=9&t=61005&p=284332) wish to have internet access to a guest with remote-in capabilities, where the guest won't have any access to host LAN services. There are no built-in VirtualBox network settings that allow internet-access-only network connections for a guest.

Such a setup is apparently possible by routing the guest through a pfsense guest with various filters in place (https://forums.virtualbox.org/viewtopic.php?f=6&t=52103). Adding another guest would add more complexity to a situation that would be very easy if all one had to do was choose a different network setup in Virtualbox. Since Virtualbox already offers such unique arrangements as linked clones, storage bandwidth control, and memory ballooning, far beyond just virtual hardware, sandboxing a guest would enhance Virtualbox even more.

One could still network such sandboxed guests together in their own mini-LAN with another network card set to internal network.

Change History (7)

comment:1 by Klaus Espenlaub, 10 years ago

This needs to be better defined before it's possible to tell how much effort it would be. Right now it's quite vague.

As you said, NAT allows the guest to reach anything the host can reach, and this is exactly as designed. It's sloppy to call this "internet access", but this term is more meaningful for Joe User than the exact definition.

The question is what your new networking mode (or maybe a new config option for NAT networking) would exactly remove. The host only? The LAN in which the host lives? The big corporate network which covers some 50 IP ranges of varying widths, from /8 over /16 to /24 or worse?

comment:2 by scottgus1bug, 10 years ago

Greetings, Klaus! You raise an interesting point about exactly what sandbox mode (or whatever it gets called) would allow and block. Unfortunately I don't know much about networking, but what I'm hoping to achieve with this ER would be the same as if:

  1. A user had two internet connections (say a regular DSL line and a hotspot from a smartphone).
  2. The host is connected to a LAN, router, modem, and the DSL line. The guest has no network card in its settings (so no network access through the host at all).
  3. Attach a USB network dongle to the host and allow the guest to capture it through the USB settings. (Now the guest has a separate channel to another network than the one the host is connected to.)
  4. Connect the USB dongle's connection to the second internet connection / hotspot.

In such a case the guest would have its own channel to the internet separate of the host LAN, and not be able to access anything on the host's LAN.

Another example would be if such a user had a regular LAN and PCs, then attached a laptop to the smartphone hotspot. Nothing on the LAN would be accessible by the laptop.

Sandbox mode would achieve the same thing without needing to buy another internet connection or a USB network dongle. The intent would be to allow the guest to initiate and receive any traffic to the internet (email, VPNs, LogMeIn, UltraVNC, Windows and Linux updates, etc.) through the host's LAN, but have no access to anything else on the host's LAN through that network connection: no pings, no shared folders & printers, no network discovery of other computers on the LAN, etc. The guest would see the host's internet connection and nothing else. All other traffic would be blocked on any other IP address except for what would be needed to get to the host's internet connection.

I don't know if such a thing is possible or not...

comment:3 by Senthil Nathan, 10 years ago

Klaus, thanks so much for considering this request. I can think of 3 different ways to implement it, and I am sure there may be many more.

(1) scottgus1bug's suggestion to create a New Network Mode

(2) Create an option in the existing NAT mode wherein you can specify something like --enable-local-lan off. The suggestion here is to simply turn off the local LAN IP range. This can be automatic (as above) or a defined range such as --disable-network 192.168.0.0/24.

(3) Create a firewall layer / definition for the network adapter. This is probably a more elegant solution, but my guess would be that this will require much effort. The workaround suggested on the forum was to use pfSense, and I am thinking we could implement pfSense's firewall feature natively without having to rewrite the firewall. Again, this may not be simple, and it may just be easier to do (1) or (2).

comment:5 by scottgus1bug, 10 years ago

Very interesting, Michael! I'll have to see if there's a Windows-host equivalent to Linux's "iptables" and IP forwarding, and what "eth0" would be on such a host. But it sounds like such things are certainly possible.

Are such things like sandbox mode and/or Smokey's Dad's lan-IP-range-blocking filters feasible to include in Virtualbox?

comment:6 by Michael Thayer, 10 years ago

Resolution: wontfix
Status: new → closed
Summary: Enhancement request: new network mode - Sandbox → Enhancement request: new network mode - Sandbox -> doable without support in VirtualBox

It would certainly be theoretically possible to build something like this into VirtualBox, but every additional feature we support takes away time from others, and we risk ending up having lots of features half-working. So at the moment I don't think we are going to implement this, as it is only useful for a few people and can be done (Windows also supports IP routing so it should be doable there too) without built-in support. Sorry about that!

comment:7 by scottgus1bug, 10 years ago

No problem, Michael, Klaus & other developers! Thanks for taking a look. I hear through Googling that "netsh advfirewall" is supposed to be the way in Windows to do iptables and forwarding, so I'll look into that. Thanks very much for keeping this excellent program going!
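The ticket closes with the developers' position that the sandbox can be built outside VirtualBox with IP forwarding and iptables. The script below is an added example, not code from the ticket or from the VirtualBox project, showing one way to do that on a Linux host: the guest is moved from NAT onto a VirtualBox host-only adapter, and the host itself routes and masquerades the guest's traffic while dropping anything addressed to the host's LAN or any other private range. The interface names (vboxnet0, eth0), the guest subnet 192.168.56.0/24 and the blocked range list are assumptions; adjust them to the real host. By default the script only prints the rules so they can be reviewed; set SANDBOX_APPLY=1 and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the VirtualBox ticket): Linux host acting as the
# guest's router. Guest traffic is forwarded to the internet via the uplink,
# while destinations on the host's LAN and other private ranges are dropped.
#
# Assumptions (hypothetical, change to match the host):
#   GUEST_IF   VirtualBox host-only adapter the guest is attached to
#   GUEST_NET  subnet VirtualBox assigns on that adapter
#   UPLINK_IF  host interface that leads to the internet
GUEST_IF="${GUEST_IF:-vboxnet0}"
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"
UPLINK_IF="${UPLINK_IF:-eth0}"

# Destinations the guest must never reach: RFC 1918, CGNAT, link-local and
# loopback. The host's physical LAN (e.g. 192.168.0.0/24) falls inside
# 192.168.0.0/16; append further corporate ranges here if the host has any.
BLOCKED_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 169.254.0.0/16 127.0.0.0/8"

# Print the rule set, one shell command per line, so it can be reviewed,
# diffed, or piped to sh. Re-running is safe: the chain is flushed and
# single rules are guarded with "iptables -C".
sandbox_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Dedicated chain for everything forwarded to or from the guest.
    echo "iptables -N VBOX_SANDBOX 2>/dev/null || iptables -F VBOX_SANDBOX"
    # Replies to connections the guest opened are allowed back in.
    echo "iptables -A VBOX_SANDBOX -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections from the guest towards any private range are dropped...
    for net in $BLOCKED_NETS; do
        echo "iptables -A VBOX_SANDBOX -i $GUEST_IF -d $net -j DROP"
    done
    # ...everything else from the guest may leave via the uplink only.
    echo "iptables -A VBOX_SANDBOX -i $GUEST_IF -o $UPLINK_IF -s $GUEST_NET -j ACCEPT"
    # Nothing else (including LAN hosts trying to reach the guest) is forwarded.
    echo "iptables -A VBOX_SANDBOX -j DROP"
    echo "iptables -C FORWARD -j VBOX_SANDBOX 2>/dev/null || iptables -I FORWARD 1 -j VBOX_SANDBOX"

    # Hide the guest behind the host's uplink address.
    nat_rule="-s $GUEST_NET -o $UPLINK_IF -j MASQUERADE"
    echo "iptables -t nat -C POSTROUTING $nat_rule 2>/dev/null || iptables -t nat -A POSTROUTING $nat_rule"

    # The host itself is off limits too, except DHCP from the host-only
    # DHCP server that VirtualBox runs on this interface (assumption).
    dhcp_rule="INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT"
    drop_rule="INPUT -i $GUEST_IF -j DROP"
    echo "iptables -C $dhcp_rule 2>/dev/null || iptables -A $dhcp_rule"
    echo "iptables -C $drop_rule 2>/dev/null || iptables -A $drop_rule"
}

# Number of private ranges the rule set drops; handy as a sanity check.
blocked_count() {
    sandbox_rules | grep -c -- ' -d '
}

if [ "${SANDBOX_APPLY:-0}" = "1" ]; then
    sandbox_rules | sh -e
else
    sandbox_rules
fi
```

Two caveats a practitioner should keep in mind. The rules are IPv4 only; if the host has IPv6, either disable it on the host-only adapter or add matching ip6tables rules, otherwise the guest can reach LAN hosts by their IPv6 addresses. The filter is by destination address, so names that resolve to LAN addresses are still blocked, but the guest needs an external DNS resolver since the host drops everything but DHCP. The "remote-in" case from the ticket needs an extra DNAT rule on the uplink forwarding the chosen port to the guest, which is deliberately not included here.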

© 2023 Oracle