chaining proxyvms

john....@fake-box.com

Apr 24, 2016, 3:13:08 PM
to qubes...@googlegroups.com
hi.
i was playing around with proxyvms and tried following:
i have a proxyvm A and set its firewall to an empty white-list. (and adding network-manager to service)
(a) if i set A's netvm to a whonix-gw and connect a appvm through it (app->A->tor->fw->net), i can connect to the internet (but everything should be blocked by the firewall-settings)
(b) if i set A's netvm to the firewallvm and connect a appvm through it (app->A->fw->net), i can't connect to the internet (as expected)
(c) if i chain two whonix-gw (app->tor->tor->fw->net) and start a download it seems the traffic is routed through both, as expected. (arm shows the same traffic for both if i start a download)

1) is (a) an error? (i think so because it allows blocked connections)
2) is there a working way to use a proxyvm behind a different proxyvm? (e.g. app->vpn->tor->fw->net)

-john

Marek Marczykowski-Górecki

Apr 24, 2016, 4:21:24 PM
to john....@fake-box.com, qubes...@googlegroups.com

On Sun, Apr 24, 2016 at 09:13:06PM +0200, john....@fake-box.com wrote:
> hi.
> i was playing around with proxyvms and tried following:
> i have a proxyvm A and set its firewall to an empty white-list. (and adding
> network-manager to service)
> (a) if i set A's netvm to a whonix-gw and connect a appvm through it (app->A->
> tor->fw->net), i can connect to the internet (but everything should be blocked
> by the firewall-settings)
> (b) if i set A's netvm to the firewallvm and connect a appvm through it (app->
> A->fw->net), i can't connect to the internet (as expected)
> (c) if i chain two whonix-gw (app->tor->tor->fw->net) and start a download it
> seems the traffic is routed through both, as expected. (arm shows the same
> traffic for both if i start a download)
>
> 1) is (a) an error? (i think so because it allows blocked connections)

Firewall is enforced by a ProxyVM to which a VM is connected. In case of
a), firewall settings of A would be enforced by whonix-gw. But whonix-gw
doesn't support Qubes firewall settings.
You can achieve what you want by setting those firewall rules on appvm
itself - it will be correctly enforced by ProxyVM A.

> 2) is there a working way to use a proxyvm behind a different proxyvm? (e.g.
> app->vpn->tor->fw->net)

Yes, see above.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
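The enforcement rule described in the reply above, as an added example that is not part of the original thread and not Qubes code: a VM's firewall rules are applied by the VM it is connected to, so they only take effect if that upstream VM supports Qubes firewall settings. The `VM` class, the `deny_all` and `enforces` fields and the three constructed topologies are assumptions built from the names used in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VM:
    name: str
    netvm: Optional[str] = None  # upstream VM; None for the last hop
    deny_all: bool = False       # this VM's firewall is an empty white-list
    enforces: bool = False       # applies Qubes firewall rules of VMs attached to it

def index(vms):
    return {vm.name: vm for vm in vms}

def unenforced(vms):
    """Names of VMs whose deny-all setting is not applied by their netvm."""
    by = index(vms)
    return [vm.name for vm in vms
            if vm.deny_all and not (vm.netvm and by[vm.netvm].enforces)]

def blocked(vms, src):
    """True if some hop on src's path has deny-all rules that its netvm applies."""
    by = index(vms)
    vm = by[src]
    while vm.netvm:
        if vm.deny_all and by[vm.netvm].enforces:
            return True
        vm = by[vm.netvm]
    return False

# Constructed topologies. Assumption taken from the reply: ProxyVM A and the
# firewallvm enforce Qubes firewall rules, whonix-gw ("tor") does not.
CASE_A = [VM("app", "A"), VM("A", "tor", deny_all=True, enforces=True),
          VM("tor", "fw"), VM("fw", "net", enforces=True), VM("net")]
CASE_B = [VM("app", "A"), VM("A", "fw", deny_all=True, enforces=True),
          VM("fw", "net", enforces=True), VM("net")]
# Suggested fix: put the rules on the appvm so that ProxyVM A enforces them.
FIXED = [VM("app", "A", deny_all=True), VM("A", "tor", enforces=True),
         VM("tor", "fw"), VM("fw", "net", enforces=True), VM("net")]

if __name__ == "__main__":
    for label, topo in (("a", CASE_A), ("b", CASE_B), ("fixed", FIXED)):
        print(label, "blocked:", blocked(topo, "app"),
              "unenforced rules on:", unenforced(topo))
```
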