Pac Control Alternative OS & Deployments

Can I run PAC Control on any other operating system, or in a Docker container? I would really like to not have to have a Windows environment on the production side of the network.

Here is metaphorical food for thought.

I have seen PAC Control running in linux under WINE, but that was many moons ago. By running, I mean PAC Control did start but had limited usability in WINE. Also, please understand, Opto 22 does not support this non-standard use of PAC Project, and you’d be going rogue to use PAC Control in this way.

You can see compatibility information documented on WINE’s website. There’s a grading system where a program may not run at all, may start and that’s it, may run without crashes most of the time, or may have a gold or platinum compatibility according to polled users. I haven’t checked WINE’s compatibility database for PAC Control in some time, but I didn’t find a record back in the day.

Some years later I heard news of a company called Valve funding open source technology to add linux support for win64/direct3d video games. I think Valve invested human resources into both the WINE project and proton if I recall correctly. So you might ask, how can proton help run PAC Project under WINE on linux? Well, I don’t know that it does, but if the issue I saw was related to rendering, maybe there’s hope for running PAC Control in linux.

There are security concerns running WINE. I wish I could post the complete wikipedia article here, but consider this quote, “Because of Wine’s ability to run Windows binary code, concerns have been raised over native Windows viruses and malware affecting Unix-like operating systems,” and check out the article yourself, Wine (software) - Wikipedia.

You can run WINE in a container. A chroot jail may be another option. Hypothetically, you may run WINE on virtualized linux or instead run native PAC Control on virtualized Windows, and you can set up a read-only virtual disk that automatically reverts upon virtually powering down the VM. Hypothetically, you may run PAC Control in WINE on a live USB that only resides in memory.

All of those increase the security of the workstation, but you should look into network security tools to quarantine the workstation even further (even if you keep your Windows box!). The linux kernel has overhauled its kernel-level firewall. The legacy linux firewall was called iptables and ip6tables. Now there is nft. I’m not aware of any problems with nft, but I do know of a big plus provided by nft: layer 2 firewalling!! Layer 2 firewalls can block ARP attack vectors. The Windows firewall requires no authorization for modifying rules, so software can poke holes in the Windows firewall. I never liked that.

As for docker… that’s a step beyond getting PAC Control working with WINE, but I imagine so.

EDIT: I recall WINE can be configured and tweaked for particular software. That also may open up a door for you.

EDIT 2: You should probably expect WINE-layer bugs, so I wouldn’t prod this technology stack with a ten foot pole…

EDIT 3: The modern linux firewall is called nftables. I was calling nftables, “nft,” because that’s one of the userland commands, so here’s an edit for precision.


Plot twist: Windows security may dramatically improve in future versions, propelled by advancements in AI. Windows developers may be able to overhaul windows more easily and more quickly with vibe coding. There may be breakthroughs in security science with AI insights. In addition there are/will be AI users keeping the red team occupied at the speed of AI.

In the meantime you can do what I do in hyper vigilance.

  1. I run Windows in VirtualBox and set up a read-only virtual disk.

  2. I insulate and disconnect Windows from the IP internet. Be prepared when disconnecting the Windows workstation from the internet and check in with all other users beforehand. With physical access to the Windows PC, I open the “properties” dialogue of the internet-facing network adapters. I remove the gateway IP address (direct internet connection is now lost). Then I open the Windows console as an administrator and add static routes to the internal network using the route add command (these can be subnet routes).

  3. In series with the Windows firewall I install one or two external firewalls. I have used pfSense. OpenBSD with the default sets and no third-party software is an option. Minimal Linux with nftables is the only open source layer 2 firewall on my radar. Note: I can’t recall the topology of when I had two external firewalls, but a failover firewall is critical in unusual situations like a crashed process in firewall layer 1 (I’m not referring to the OSI model here).

  4. You should access the BIOS/UEFI to power down Bluetooth and other peripherals you won’t use.

EDIT 1:

  1. You should filter internal-network initiated, outward bound packets at the external firewall(s) except for the traffic required for intended use. This is not effective with on-device firewalls (the Windows firewall in your case).

  2. If you can filter nasty pings, that is important but super tricky. Again, let pass intended pings.

EDIT 2:

  1. You can disable ip6 if you don’t need ip6.
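As an added example (not posted by anyone in this thread), here is what the external Linux firewall sketched above might look like as an nftables ruleset: default-deny forwarding with only the intended workstation-to-controller traffic allowed, intended pings only, IPv6 dropped, and a layer 2 rule in the bridge family that drops ARP replies claiming the firewall’s inside address from any other MAC. All addresses, the MAC and the controller port are constructed placeholders; the inside interfaces are assumed to be bridged so the box can filter at layer 2.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the external firewall in the hyper-vigilance list.
# Every value below is a constructed placeholder; adjust to your own network.
flush ruleset

define ws_ip   = 192.0.2.10         # Windows workstation (constructed)
define pac_net = 192.0.2.64/26      # controller subnet (constructed)
define gw_ip   = 192.0.2.1          # firewall inside address (constructed)
define gw_mac  = 02:00:00:00:00:01  # firewall inside MAC (constructed)
define pac_tcp = 22001              # controller TCP port (assumed; verify for your setup)

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # EDIT 2, item 1: no IPv6 unless it is actually needed
        meta nfproto ipv6 drop

        # Let replies to already-permitted sessions through; drop junk state
        ct state established,related accept
        ct state invalid drop

        # EDIT 1, item 1: only the intended outbound traffic from the workstation
        ip saddr $ws_ip ip daddr $pac_net tcp dport $pac_tcp ct state new accept

        # EDIT 1, item 2: intended pings only (workstation -> controllers), rate-limited;
        # every other ICMP is dropped
        ip saddr $ws_ip ip daddr $pac_net icmp type echo-request limit rate 5/second accept
        meta l4proto icmp drop

        # Anything reaching this point is logged, then hits the drop policy
        log prefix "fw-forward-drop: " counter
    }
}

# Layer 2 (the "big plus" from the first reply): on the bridged inside segment,
# drop ARP replies that announce the gateway IP from a MAC other than the real one.
table bridge l2 {
    chain forward {
        type filter hook forward priority filter; policy accept;
        arp operation reply arp saddr ip $gw_ip arp saddr ether != $gw_mac \
            log prefix "arp-spoof-drop: " counter drop
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, and watch the two log prefixes to confirm the rules drop only what you expected before trusting the workstation behind it.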

All, why are we begging to get the best product Opto22 makes (Pac Control) to run in a stable environment?

Consider that Opto22 has already ported the runtime to Linux…so why would they not port the configuration to Linux??? If Pac Control Config was ported, I would take up using Linux…what could be better for the customers and the system?

Yes, I get the security aspects with respect to Epic, but the fact is, since the configurator is still running in Windows, what is so secure about that?

Maybe there are issues here, but why not build a distro for Opto users to run Pac Control config, Soft Pac, and Pac Display? Then Opto would have total security over the whole operation, and then sell the distros…

I’d be up for porting PAC Project to POSIX ^_-, but I have a better idea, a new suite of software called EPAC, Extended PAC, written from scratch, shiny, and backward compatible.

Another idea I’ve been kicking around is a Python or JavaScript to OptoScript transpiler. Then you could run open source on your SNAP PAC.