Updates Proxy questions and possible concern


mossy

Dec 19, 2018, 6:06:41 PM
to qubes-users
Hello all,

I was looking to see if I could update an offline standalone VM, by
appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
have some questions.

First, I noticed the lines:

~~~
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
~~~

Q1) Is this correct? Shouldn't updates be directed to sys-firewall
instead of sys-net? Are all of our templates exposed to (untrusted)
sys-net?

Hopefully I am wrong about this, but either way I'd appreciate if
someone could explain...

Q2) If I want to update an offline standalone VM called `OfflineSA`,
what would be the proper syntax in
`etc/qubes-rpc/policy/qubes.UpdatesProxy`? I have tried each of the
following without success:

~~~
OfflineSA $default allow,target=sys-net
OfflineSA $default allow,target=sys-firewall
OfflineSA allow,target=sys-net
OfflineSA allow,target=sys-firewall
$type:StandaloneVM $default allow,target=sys-net
$type:StandaloneVM $default allow,target=sys-firewall
~~~

Q3) do I need to restart my whole qubes system for any new
`etc/qubes-rpc/policy/qubes.UpdatesProxy` rules to come into effect?

Q4) can update proxies perhaps only be set via some $tag or $type?

Thank you!

-m0ssy

unman

Dec 19, 2018, 7:37:27 PM
to qubes-users
Q1. Yes, the default is to use sys-net. You can change this if you wish.
(I do)
The update proxy has always been set to sys-net by default.
The proxy used to filter traffic, but no longer does so. Again, I change
this behaviour.

Q2. OfflineSA $default allow,target=sys-net
should work: the syntax is right. (You do have proxy configured in
OfflineSA?)

Q3. No - changes in those rules come into play straight away.

Q4. No, they can be set on an individual basis.
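
A check worth making before touching `/etc/qubes-rpc/policy/qubes.UpdatesProxy` in dom0: the Qubes 4.0 qrexec policy is evaluated top to bottom and stops at the first matching rule, and the stock file ends with a catch-all `$anyvm $anyvm deny` (its own header comment says so). A per-qube rule that is simply appended to the end of the file therefore never fires, even though its syntax is correct. The script below is an added example, not Qubes code and not part of this thread: it is a small emulator of that matching logic (name, `$anyvm`, `$type:`, `$tag:` and `$default` patterns, first match wins) so you can see which rule a given source qube would hit. The two policy texts are constructed for the demo, modelled on the shape of the default file; the assumption that the update client requests target `$default` and that an unmatched request is denied is mine, not something stated in the thread.

```shell
#!/bin/sh
# Added example: emulate first-match evaluation of a Qubes 4.0 qrexec policy
# file such as /etc/qubes-rpc/policy/qubes.UpdatesProxy.  Not Qubes code.
# Assumptions (not from the thread): the update client asks for the target
# "$default", and a request matching no rule is denied.

# match_pattern PATTERN NAME TYPE "TAGS"
# Patterns: a qube name, $anyvm, $type:<TypeName>, $tag:<tag>, or $default
# (only meaningful for the target column).  Exit status 0 on match.
match_pattern() {
    pat=$1; name=$2; type=$3; tags=$4
    case "$pat" in
        '$anyvm')   return 0 ;;
        '$default') [ "$name" = '$default' ] ;;
        '$type:'*)  [ "${pat#*:}" = "$type" ] ;;
        '$tag:'*)   for t in $tags; do
                        [ "$t" = "${pat#*:}" ] && return 0
                    done
                    return 1 ;;
        *)          [ "$pat" = "$name" ] ;;
    esac
}

# resolve_policy POLICY_TEXT SRC_NAME SRC_TYPE "SRC_TAGS" [TARGET]
# Prints the outcome of the first matching rule, e.g. "allow target=sys-net",
# "deny", or "deny (no matching rule)" when nothing matched.
resolve_policy() {
    policy=$1; src=$2; type=$3; tags=$4; target=${5:-'$default'}
    while read -r rsrc rdst action; do
        case "$rsrc" in ''|'#'*) continue ;; esac     # blank line or comment
        match_pattern "$rsrc" "$src" "$type" "$tags" || continue
        match_pattern "$rdst" "$target" "" ""        || continue
        if [ "${action#*,}" = "$action" ]; then
            params=""                                  # no ",target=..." part
        else
            params=${action#*,}
        fi
        case "${action%%,*}" in
            allow) printf 'allow%s\n' "${params:+ $params}" ;;
            ask)   printf 'ask%s\n'   "${params:+ $params}" ;;
            *)     printf 'deny\n' ;;
        esac
        return 0                                       # first match wins
    done <<EOF
$policy
EOF
    printf 'deny (no matching rule)\n'
}

# Constructed policy: a StandaloneVM rule appended after the catch-all deny,
# which is where an "append one line to the file" edit puts it.
POLICY_APPENDED='# Upgrade Whonix TemplateVMs through sys-whonix.
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
OfflineSA $default allow,target=sys-firewall'

# Same rules with the StandaloneVM line placed above the catch-all.
POLICY_FIXED='$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
OfflineSA $default allow,target=sys-firewall
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny'

# Stand-alone demo: which rule fires for each source qube?
demo() {
    echo "appended rule, OfflineSA: $(resolve_policy "$POLICY_APPENDED" OfflineSA StandaloneVM '')"
    echo "fixed order,   OfflineSA: $(resolve_policy "$POLICY_FIXED" OfflineSA StandaloneVM '')"
    echo "fixed order,   fedora-29: $(resolve_policy "$POLICY_FIXED" fedora-29 TemplateVM '')"
    echo "fixed order,   whonix-ws: $(resolve_policy "$POLICY_FIXED" whonix-ws TemplateVM whonix-updatevm)"
}
demo
```

With the appended ordering the StandaloneVM resolves to `deny` because `$anyvm $anyvm deny` matched first; moving the line above the catch-all yields `allow target=sys-firewall`. The policy rule is only half of the setup: the qube doing the updating must also be using the proxy at all, which in Qubes 4.0 is the `updates-proxy-setup` qvm-service on the client qube (run by the agent's `/usr/lib/qubes/update-proxy-configs`) and the `qubes-updates-proxy` qvm-service on the qube named in `target=` (those service names are from the Qubes 4.0 documentation, not from this thread).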

mossy

Dec 20, 2018, 5:29:49 AM
to unman, qubes-users
unman:
thanks for your reply! I do not have proxy configured in OfflineSA -- I
don't see an option in qvm-prefs anymore (thought this was all now done
in rpc-policy as of Qubes 4). Can you please point me to how to configure?

-m0ssy

unman

Dec 20, 2018, 7:15:17 AM
to qubes-users
Hi m0ssy

Have you installed qubes-core-agent in the standalone? That will provide
/usr/lib/qubes/update-proxy-configs and the qubes-rpc service.

unman

Andrew David Wong

Jan 19, 2019, 8:55:30 PM
to unman, qubes-users
On 19/12/2018 6.37 PM, unman wrote:
> On Wed, Dec 19, 2018 at 11:06:25PM +0000, mossy wrote:
>> Hello all,
>>
>> I was looking to see if I could update an offline standalone VM, by
>> appending a line to `etc/qubes-rpc/policy/qubes.UpdatesProxy` and I now
>> have some questions.
>>
>> First, I noticed the lines:
>>
>> ~~~
>> # Default rule for all TemplateVMs - direct the connection to sys-net
>> $type:TemplateVM $default allow,target=sys-net
>> ~~~
>>
>> Q1) Is this correct? Shouldn't updates be directed to sys-firewall
>> instead of sys-net? Are all of our templates exposed to (untrusted)
>> sys-net?
>>
>> Hopefully I am wrong about this, but either way I'd appreciate if
>> someone could explain...
>> [...]
>
> Q1. Yes, the default is to use sys-net. You can change this if you wish.
> (I do)
> The update proxy has always been set to sys-net by default.
> The proxy used to filter traffic, but no longer does so. Again, I change
> this behaviour.
> [...]

What do you change it to? sys-firewall?

Why do you change it? Do you see some security risk with using sys-net?
If so, should we file a bug report to have this changed by default?

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


unman

Jan 20, 2019, 7:44:22 PM
to qubes-users
I use a caching proxy (apt-cacher-ng) for all updates.
(I also don't allow outbound traffic from sys-net or sys-firewall, but
that's another story.)