Simplify Qubes firewall forwarding in proxy vms?


Chris Laprise

May 30, 2016, 8:08:34 PM
to qubes...@googlegroups.com, Marek Marczykowski-Górecki
Hi Marek,

While focusing on the vpn stuff[1] I may have stumbled upon a way to
make the forwarding chain much simpler.

Replace all the specific rules for downstream vm addresses with this:

FORWARD -i vif+ -d subnet.1 -j ACCEPT
FORWARD -i vif+ -d subnet.254 -j ACCEPT

So qubes-firewall would become simpler without the need to iterate over
vm addresses associated with a proxy vm. It's probably more effective in
general to focus on interfaces where possible, instead of IPs (can't
source IP addresses be spoofed?).

What do you think?

Chris

1.
https://groups.google.com/forum/#!msg/qubes-devel/9zR_plUWRMA/Q_JbckGbAQAJ

HW42

May 30, 2016, 10:28:37 PM
to Chris Laprise, qubes...@googlegroups.com, Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Chris Laprise:
> Hi Marek,
>
> While focusing on the vpn stuff[1] I may have stumbled upon a way to
> make the forwarding chain much simpler.
>
> Replace all the specific rules for downstream vm addresses with this:
>
> FORWARD -i vif+ -d subnet.1 -j ACCEPT
> FORWARD -i vif+ -d subnet.254 -j ACCEPT
>
> So qubes-firewall would become simpler without the need to iterate
> over vm addresses associated with a proxy vm. It's probably more
> effective in general to focus on interfaces where possible, instead of
> IPs (can't source IP addresses be spoofed?).
>
> What do you think?

I think this doesn't work since you can have per VM firewall rules and
some may allow DNS and some not.

Source IP address spoofing should be prevented by the rules in the "raw"
table. (see 'iptables -vnL -t raw')

HW42

Chris Laprise

May 31, 2016, 12:33:52 AM
to HW42, qubes...@googlegroups.com, Marek Marczykowski-Górecki


On 05/30/2016 10:27 PM, HW42 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Chris Laprise:
>> Hi Marek,
>>
>> While focusing on the vpn stuff[1] I may have stumbled upon a way to
>> make the forwarding chain much simpler.
>>
>> Replace all the specific rules for downstream vm addresses with this:
>>
>> FORWARD -i vif+ -d subnet.1 -j ACCEPT
>> FORWARD -i vif+ -d subnet.254 -j ACCEPT
>>
>> So qubes-firewall would become simpler without the need to iterate
>> over vm addresses associated with a proxy vm. It's probably more
>> effective in general to focus on interfaces where possible, instead of
>> IPs (can't source IP addresses be spoofed?).
>>
>> What do you think?
> I think this doesn't work since you can have per VM firewall rules and
> some may allow DNS and some not.
>
> Source IP address spoofing should be prevented by the rules in the "raw"
> table. (see 'iptables -vnL -t raw')
>
> HW42

Ah, I thought there may be an obvious reason staring me in the face. :)

Chris

Chris Laprise

May 31, 2016, 7:41:45 AM
to HW42, qubes...@googlegroups.com, Marek Marczykowski-Górecki


On 05/30/2016 10:27 PM, HW42 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Chris Laprise:
>> Hi Marek,
>>
>> While focusing on the vpn stuff[1] I may have stumbled upon a way to
>> make the forwarding chain much simpler.
>>
>> Replace all the specific rules for downstream vm addresses with this:
>>
>> FORWARD -i vif+ -d subnet.1 -j ACCEPT
>> FORWARD -i vif+ -d subnet.254 -j ACCEPT
>>
>> So qubes-firewall would become simpler without the need to iterate
>> over vm addresses associated with a proxy vm. It's probably more
>> effective in general to focus on interfaces where possible, instead of
>> IPs (can't source IP addresses be spoofed?).
>>
>> What do you think?
> I think this doesn't work since you can have per VM firewall rules and
> some may allow DNS and some not.
>
> Source IP address spoofing should be prevented by the rules in the "raw"
> table. (see 'iptables -vnL -t raw')
>
> HW42

I still wonder if the source IPs can be spoofed by a malicious vm. In
that case would a separate entry for each vif be preferable?

Chris

HW42

May 31, 2016, 11:51:21 PM
to Chris Laprise, qubes...@googlegroups.com, Marek Marczykowski-Górecki
There are already rules which enforce that the source IP of packets from
an interface matches the expected value. See the "raw" table.

iptables -vnL -t raw

If you think this might miss some cases please double-check and report
back.
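The two points HW42 makes in this thread (per-VM policies cannot be expressed by a rule that matches every vif, and source spoofing is already caught by the raw table) are easy to see in a small model. The following Python is an added example, not Qubes' own code and not posted by anyone in the thread: the interface names (vif12.0, vif13.0), the 10.137.1.x addresses standing in for "subnet.1" / "subnet.254", the exact iptables rule syntax, and the tiny first-match evaluator are all assumptions chosen to mirror the discussion, not the real netfilter engine or qubes-firewall's generator.

```python
# Added example (not Qubes' own code): models the two rule families the
# thread contrasts, for one proxy VM with several downstream VMs.
#   * raw-table anti-spoofing: packets entering a vif must carry that VM's
#     assigned source address, otherwise they are dropped early;
#   * per-VM FORWARD rules: DNS to the proxy's gateway addresses is
#     accepted only for VMs whose own firewall policy allows DNS.
# Interface names, addresses and rule syntax are assumptions; the verdict
# functions are a deliberately tiny model of first-match semantics.
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed stand-ins for the "subnet.1" / "subnet.254" gateway addresses.
GATEWAYS = ("10.137.1.1", "10.137.1.254")
DNS_PORT = 53


@dataclass(frozen=True)
class DownstreamVM:
    vif: str         # backend interface in the proxy VM (assumed naming)
    ip: str          # source address the proxy VM expects on that vif
    allow_dns: bool  # this VM's own firewall policy permits DNS


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int


def raw_antispoof_rules(vms: Sequence[DownstreamVM]) -> List[str]:
    """iptables argument strings dropping traffic on a vif whose source
    address is not the one assigned to that VM (the check HW42 points at
    in 'iptables -vnL -t raw'). The rule form is an assumption."""
    return [f"-t raw -A PREROUTING -i {vm.vif} ! -s {vm.ip} -j DROP"
            for vm in vms]


def per_vm_forward_rules(vms: Sequence[DownstreamVM]) -> List[str]:
    """Per-VM DNS acceptance, iterating over VM addresses as a generator
    must when policies differ; ends with a catch-all drop for vif traffic."""
    rules = []
    for vm in vms:
        if vm.allow_dns:
            for gw in GATEWAYS:
                rules.append(f"-A FORWARD -i {vm.vif} -s {vm.ip} -d {gw} "
                             f"-p udp --dport {DNS_PORT} -j ACCEPT")
    rules.append("-A FORWARD -i vif+ -j DROP")
    return rules


def interface_only_forward_rules() -> List[str]:
    """The proposed replacement: matches any vif, so it cannot express a
    policy that allows DNS for one VM and denies it for another."""
    return ([f"-A FORWARD -i vif+ -d {gw} -j ACCEPT" for gw in GATEWAYS]
            + ["-A FORWARD -i vif+ -j DROP"])


def _vm_for(vms: Sequence[DownstreamVM], in_if: str) -> Optional[DownstreamVM]:
    return next((vm for vm in vms if vm.vif == in_if), None)


def raw_verdict(vms: Sequence[DownstreamVM], pkt: Packet) -> str:
    """Model of the raw PREROUTING anti-spoofing rules."""
    vm = _vm_for(vms, pkt.in_if)
    if vm is not None and pkt.src != vm.ip:
        return "DROP"
    return "PASS"


def per_vm_verdict(vms: Sequence[DownstreamVM], pkt: Packet) -> str:
    """Full path: raw anti-spoof first, then the per-VM FORWARD rules."""
    if raw_verdict(vms, pkt) == "DROP":
        return "DROP"
    vm = _vm_for(vms, pkt.in_if)
    if (vm is not None and vm.allow_dns and pkt.dst in GATEWAYS
            and pkt.dport == DNS_PORT):
        return "ACCEPT"
    return "DROP"


def interface_only_verdict(vms: Sequence[DownstreamVM], pkt: Packet) -> str:
    """Full path with the interface-only FORWARD rules instead."""
    if raw_verdict(vms, pkt) == "DROP":
        return "DROP"
    if pkt.in_if.startswith("vif") and pkt.dst in GATEWAYS:
        return "ACCEPT"
    return "DROP"


# Constructed topology: one VM with DNS allowed, one with DNS denied.
VMS = [
    DownstreamVM("vif12.0", "10.137.1.12", allow_dns=True),
    DownstreamVM("vif13.0", "10.137.1.13", allow_dns=False),
]

if __name__ == "__main__":
    for r in raw_antispoof_rules(VMS) + per_vm_forward_rules(VMS):
        print("iptables", r)
    dns_from_denied = Packet("vif13.0", "10.137.1.13", "10.137.1.1", DNS_PORT)
    print("per-VM rules:        ", per_vm_verdict(VMS, dns_from_denied))   # DROP
    print("interface-only rules:", interface_only_verdict(VMS, dns_from_denied))  # ACCEPT
```

Running it prints the generated rule set and then the verdicts for a DNS query from the VM whose policy denies DNS: the per-VM rules drop it, the interface-only rules accept it, which is the objection raised above. A packet arriving on vif13.0 with vif12.0's source address never reaches the FORWARD chain in either model, because the raw-table check rejects it first; that is why the per-interface anti-spoofing and the per-VM forwarding rules are complementary rather than redundant.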