Looking for details about firewall rule setting via Qubes VM manager


David Shleifman

Mar 29, 2017, 9:00:56 PM
to qubes...@googlegroups.com
Hi,


I am looking for clarifications pertaining to setting firewall rules via Qubes VM manager GUI.

A validating caching name resolver is running in one of the appVMs (called "sys-dns"):

_ sys-net VM <==> sys-firewall VM
_ |
_ |<==> sys-dns (appVM)
_ |<==> AppVM-1
_ |<==> AppVM-2
_ . . .
_ |<==> AppVM-N


Each AppVM has "Allow DNS queries" checkbox accessible via "Qubes VM manager : VM : Edit VM Firewall rules" menu. When I put a check mark into this checkbox, the system updates the iptables in the sys-firewall VM, so that packets with destination port 53 are forwarded to sys-firewall eth0 interface (IP=10.137.1.8). So far, so good.


It appears, that the more optimal way is to allow sys-dns name resolver to respond to such DNS queries.


Questions
---------

1) How to tune Qubes OS so that putting a check mark into the said checkbox causes the packets with destination port 53 to be forwarded to the sys-dns VM (instead of the
sys-firewall eth0 interface)?



2) Do the following checkboxes
_ a) "Allow network access except ..."
_ b) "Allow ICMP traffic"
_ c) "Allow DNS queries"
overlap? Meaning that if a) is the only enabled one out of 3, then both "ICMP traffic" and "DNS queries" are allowed.


3) What are the typical use cases for disabling "ICMP traffic"? When it is safe to disable "ICMP traffic" for a specific AppVM?

Thank you,
- David

Unman

Mar 30, 2017, 8:16:38 PM
to David Shleifman, qubes...@googlegroups.com
On Wed, Mar 29, 2017 at 07:12:43PM +0000, 'David Shleifman' via qubes-devel wrote:
> Hi,
>
>
> I am looking for clarifications pertaining to setting firewall rules via Qubes VM manager GUI.
>
> A validating caching name resolver is running in one of the appVMs (called "sys-dns"):
>
> _ sys-net VM <==> sys-firewall VM
> _ |
> _ |<==> sys-dns (appVM)
> _ |<==> AppVM-1
> _ |<==> AppVM-2
> _ . . .
> _ |<==> AppVM-N
>
>
> Each AppVM has "Allow DNS queries" checkbox accessible via "Qubes VM manager : VM : Edit VM Firewall rules" menu. When I put a check mark into this checkbox, the system updates the iptables in the sys-firewall VM, so that packets with destination port 53 are forwarded to sys-firewall eth0 interface (IP=10.137.1.8). So far, so good.

No, this isn't quite right - packets are allowed to the vif interface of
sys-net.
Also, if you look in the NAT table, you'll see that DNS traffic is
subject to DNAT to that interface.

>
> It appears, that the more optimal way is to allow sys-dns name resolver to respond to such DNS queries.
>
>
> Questions
> ---------
>
> 1) How to tune Qubes OS so that putting a check mark into the said checkbox causes the packets with destination port 53 to be forwarded to the sys-dns VM (instead of the
> sys-firewall eth0 interface)?
>

I'm not quite clear on your diagram, since it doesn't seem to show where
sys-dns is connected.
If it's connected to sys-net, then the answer is simple:
You will have to enable interVM traffic - this is explained in the docs:
allow DNS traffic between sys-firewall and sys-dns.
As to this question, the easiest thing to do would be to change the
DNAT rules on sys-firewall to push DNS traffic to sys-dns. That way the
checkbox continues to function as expected, but the DNAT ensures that
the traffic goes to sys-dns.
If you want to do this you will have to make changes in rc.local and
qubes-user-firewall-script in /rw/config - again, well covered in the
docs. (www.qubes-os.org/doc/firewall)


> 2) Do the following checkboxes
> _ a) "Allow network access except ..."
> _ b) "Allow ICMP traffic"
> _ c) "Allow DNS queries"
> overlap? Meaning that if a) is the only enabled one out of 3, then both "ICMP traffic" and "DNS queries" are allowed.
>

Yes, exactly so. But there is an explicit rule blocking traffic to
8082(proxy port), which is removed if you select THAT checkbox.
The other checkboxes add ALLOW rules which are redundant if you already
have (a) selected.

>
> 3) What are the typical use cases for disabling "ICMP traffic"? When it is safe to disable "ICMP traffic" for a specific AppVM?

It's always "safe", but ICMP provides many control messages about the
network. Without it, network traffic will be less efficient. That's a
tradeoff you may choose to make.

>
> Thank you,
> - David

unman

David Shleifman

Mar 31, 2017, 2:02:10 PM
to qubes...@googlegroups.com, Unman
On March 30, 2017 8:16 PM Unman wrote:


> On Wed, Mar 29, 2017 at 07:12:43PM +0000, 'David Shleifman' via qubes-devel wrote:
>> Hi,
>>
>> I am looking for clarifications pertaining to setting firewall rules via Qubes VM manager GUI.
>>
>> A validating caching name resolver is running in one of the appVMs (called "sys-dns")

>> Each AppVM has "Allow DNS queries" checkbox accessible via "Qubes VM manager : VM : Edit VM
>> Firewall rules" menu. When I put a check mark into this checkbox, the system updates the iptables
>> in the sys-firewall VM, so that packets with destination port 53 are forwarded to sys-firewall

>> eth0 interface (IP=10.137.1.8). So far, so good.

> No, this isn't quite right - packets are allowed to the vif interface of sys-net.

My original description is consistent with yours. In particular, the interface has two sides:
- one side appears in sys-net VM as vif
- the other side appears in sys-firewall VM as eth0 (IP=10.137.1.8)


> Also, if you look in the NAT table, you'll see that DNS traffic is
> subject to DNAT to that interface.

That is right. DNAT in sys-firewall changes the destination address so that the packets are routed to sys-net through eth0 (IP=10.137.1.8).


>>
>> It appears, that the more optimal way is to allow sys-dns name resolver to respond
>> to such DNS queries.
>>


> I'm not quite clear on your diagram, since it doesn't seem to show where
> sys-dns is connected.
> If it's connected to sys-net, then the answer is simple:
> You will have to enable interVM traffic - this is explained in the docs:
> allow DNS traffic between sys-firewall and sys-dns.


Proposal A
==========


The documentation appears to be good enough to follow. As for the interVM traffic, do you mean networking between two qubes, i.e.
https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes?

Here is a diagram for your proposal:

_ sys-net VM <====> sys-firewall VM
_ | |
_ |<==> sys-dns (appVM) |<==> AppVM-1
_ |<==> AppVM-2
_ . . .
_ |<==> AppVM-N


One of the documented steps is to set the rule in sys-net:
_ sudo iptables -I FORWARD 2 -s <IP address of sys-firewall> -d <IP address of sys-dns> -j ACCEPT

I guess,
_ <IP address of sys-firewall>
should be replaced by
_ <IP addresses of AppVMs connected to sys_firewall>
which yields "10.137.2.0/24". It looks to me that such proposal should work seamlessly.
Do these details match more or less with your proposal?



Proposal B
==========

I am afraid that if sys-net gets compromised, then its iptables may be
altered allowing the DNS queries (originated in AppVMs) to bypass the
validating caching name resolver running in sys-dns. In this case,
the responses will come back to AppVMs without being validated. That
represents certain risk.


To reduce this risk, I connected sys-dns to sys-firewall. Here is the
diagram (copied from my original post):


_ sys-net VM <==> sys-firewall VM
_ |
_ |<==> sys-dns (appVM)
_ |<==> AppVM-1
_ |<==> AppVM-2
_ . . .
_ |<==> AppVM-N

Does this move reduce the mentioned risk?



>> Questions
>> ---------
>> 1) How to tune Qubes OS so that putting a check mark into the said

>> checkbox causes the packets with destination port 53 to be forwarded
>> to the sys-dns VM (instead of the sys-firewall eth0 interface)?

> As to this question, the easiest thing to do would be to change the
> DNAT rules on sys-firewall to push DNS traffic to sys-dns. That way the
> checkbox continues to function as expected, but the DNAT ensures that
> the traffic goes to sys-dns.

Do you have in mind "proposal A" or "proposal B" or both?


> If you want to do this you will have to make changes in rc.local and
> qubes-user-firewall-script in /rw/config - again, well covered in the
> docs. (www.qubes-os.org/doc/firewall)
That is correct. The documentation is good enough to follow.

Currently, there are two DNAT rules in PR-QBS chain which instruct to
replace destination address 10.137.2.1 by 10.137.1.1 for packets
destined to the port 53.

I will add a script to qubes-user-firewall-script which will set the
replacement address in these two rules to the IP of sys-dns (instead of
10.137.1.1).

Thank you for pointing me to the right direction.
- David
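As an added example (not code from this thread or from the Qubes project), here is a user firewall hook for sys-firewall that carries out the DNAT change Unman suggests and David plans in his last message, for the "Proposal B" layout where sys-dns is connected to sys-firewall. It is meant to be saved as /rw/config/qubes-firewall-user-script, the file the linked firewall doc uses; the 10.137.2.1 listener and the 10.137.2.0/24 AppVM range come from the thread, while the sys-dns address 10.137.2.20 is a constructed placeholder and the function names are mine.

```shell
#!/bin/sh
# Added example, not the thread's or the Qubes project's code: a
# /rw/config/qubes-firewall-user-script for sys-firewall that repoints the
# two PR-QBS DNAT rules at sys-dns and opens the needed vif-to-vif path.
set -eu

SYS_DNS_IP="${SYS_DNS_IP:-10.137.2.20}"   # placeholder; check the real one with qvm-ls -n in dom0
APPVM_NET="10.137.2.0/24"                 # AppVMs behind sys-firewall (from the thread)
DNS_LISTENER="10.137.2.1"                 # address AppVMs send DNS to (from the thread)
IPT="${IPT:-iptables}"                    # overridable so the rule set can be dry-run

# The rule set as plain argument lines, so it can be reviewed before it is applied.
# "! -s $SYS_DNS_IP" keeps the resolver's own upstream queries from being DNAT'd
# back to itself; FORWARD position 2 lands ahead of the vif->vif DROP rule.
dns_rules() {
    cat <<EOF
-t nat -F PR-QBS
-t nat -A PR-QBS ! -s $SYS_DNS_IP -d $DNS_LISTENER -p udp --dport 53 -j DNAT --to-destination $SYS_DNS_IP
-t nat -A PR-QBS ! -s $SYS_DNS_IP -d $DNS_LISTENER -p tcp --dport 53 -j DNAT --to-destination $SYS_DNS_IP
-I FORWARD 2 -s $APPVM_NET -d $SYS_DNS_IP -p udp --dport 53 -j ACCEPT
-I FORWARD 2 -s $APPVM_NET -d $SYS_DNS_IP -p tcp --dport 53 -j ACCEPT
EOF
}

apply_rules() {
    dns_rules | while IFS= read -r rule; do
        case $rule in
        "-I FORWARD 2 "*)
            # The hook re-runs on every firewall refresh; -C keeps the
            # FORWARD inserts from piling up as duplicates.
            spec=${rule#-I FORWARD 2 }
            "$IPT" -C FORWARD $spec 2>/dev/null || "$IPT" $rule ;;
        *)
            "$IPT" $rule ;;
        esac
    done
}

# Verify: feed `iptables -t nat -S PR-QBS` on stdin. Returns 1 if no DNAT rule
# exists (redirect missing) or any DNAT target is not sys-dns (still sys-net).
check_pr_qbs() {
    rules=$(grep -- '-j DNAT' || true)
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" | grep -qv -- "--to-destination $SYS_DNS_IP" && return 1
    return 0
}

# Apply only when running as the hook itself, not when sourced for review.
if [ "${0##*/}" = "qubes-firewall-user-script" ]; then apply_rules; fi
```

After the firewall has been refreshed, `iptables -t nat -S PR-QBS | sh -c '. ./qubes-firewall-user-script; check_pr_qbs'` run inside sys-firewall returns 0 only when every port-53 DNAT target is sys-dns.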