VM Manager update / VMM setup for AppQube for web or mail only?


John S.Recdep

Aug 4, 2018, 5:25:08 PM8/4/18
to qubes...@googlegroups.com
Looks like the last dom0 update fixed the notifications of open/close
VMs, and I believe the 'refresh' VMM is gone now? Is that right? So I
assume it auto-refreshes in Q4.0?

My question is simple, and sorry, I'm iptables/fw illiterate, but I was
thinking for some time that, for another layer of security, I should use the
VMM fw, which currently is blank in all the AppVMs except for one

where in the Firewall rules Tab I've entered :

address *
Service https
Protocol TCP

and

address *
Service http
Protocol TCP


In 9/10 of my AppVMs I am just web browsing; occasionally I use
Hexchat or VLC, Signal or other messengers.

I use Thunderbird in its own AppVM.

Is there anything further I would want for a web-only fw in the VMM?

and

What should I use for Thunderbird ?

address *
Service SMTP
Protocol ANY

address *
Service IMAP
Protocol TCP

address *
Service IMAPS
Protocol TCP

Or do most folks just not bother with further fw AppVM settings?

Lastly, what exactly happens in sys-firewall with default settings?



thx

sm...@tutamail.com

Aug 4, 2018, 8:04:26 PM8/4/18
to qubes-users
I'll take a shot, also willing to learn more if I am missing something:

I would try to find the IP of the email provider if you are using a VM for email, e.g. Tutanota's IP address is 81.3.6.162 (no IMAP with them), therefore my firewall settings for that VM would be:

IP: 81.3.6.162
Service: https (or port 443)
Protocol: TCP

Things I have learned about the firewall include:
1) You can type a port number into the service field vs just using what's in the "Services" dropdown selection
2) MXToolbox is a good tool to find an IP address of a website
3) I created a print VM that only allows access to my networked printer IP and the network printer's port. With this VM I can access only the printer. Maybe your vault uses this VM as its DVM. I don't trust printers in general but at least it's restricted

For web only 443(https) and 80(http) are all that is needed for the most part. I believe ICMP(pings) and port 53(DNS) are allowed automatically. Open to being corrected? It would be nice to control the DNS more (Quad9 DNS resolver or OpenDNS). Not sure how to do this with ease.

For Thunderbird, you could research your email providers IP and change the "*"/ANY for the specific IPs or IP.

Google, Apple and others generally publish the ports needed for a service to work.

Qubes team I would agree this latest update is working like a charm and has improved Qubes Manager and the Fedora/Pulse Audio update problem I was having. Thank you again for the work!

John S.Recdep

Aug 8, 2018, 3:01:00 PM8/8/18
to qubes...@googlegroups.com
On 08/04/2018 02:04 PM, smcmj-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org wrote:
> I'll take a shot, also willing to learn more if I am missing something:
>
> I would try to find the IP of the email provider if you are using a VM for email, e.g. Tutanota's IP address is 81.3.6.162 (no IMAP with them), therefore my firewall settings for that VM would be:
>
> IP: 81.3.6.162
> Service: https (or port 443)
> Protocol: TCP
>
> Things I have learned about the firewall include:
> 1) You can type a port number into the service field vs just using what's in the "Services" dropdown selection
> 2) MXToolbox is a good tool to find an IP address of a website
> 3) I created a print VM that only allows access to my networked printer IP and the network printer's port. With this VM I can access only the printer. Maybe your vault uses this VM as its DVM. I don't trust printers in general but at least it's restricted
>
> For web only 443(https) and 80(http) are all that is needed for the most part. I believe ICMP(pings) and port 53(DNS) are allowed automatically. Open to being corrected? It would be nice to control the DNS more (Quad9 DNS resolver or OpenDNS). Not sure how to do this with ease.
>
> For Thunderbird, you could research your email providers IP and change the "*"/ANY for the specific IPs or IP.

And what do you use to make it so your network printer is all that is
allowed access?

That's true, as per the Qubes docs on network printers, I cloned the F
Template and installed the printer driver in it, then use it as the
Template for an AppVM that just does printing, but occasionally I'll
browse to some URL to print a webpage. BUT, I also use the AppVM as the
default for disp AppVMs to be based on so I can print from attachments
to emails etc, and hence, for the vault, it was also the default...

so did go and change that fwiw :)

PS
Am not using webmail as primary, so would need something more for IMAP
or IMAPS? Not sure if it is really necessary on top of whatever
sys-firewall does etc.

which is why I was asking what if anything typical qubes users do with
the firewall tab in the VMM

sm...@tutamail.com

Aug 8, 2018, 6:54:05 PM8/8/18
to qubes-users
I take a more whitelist/controlled approach with my multiple DVMs. With 4.0 you can have multiple DVMs and have different DVMs for each domain (this can be changed in the "Advanced" tab in the AppVMs in 4.0). Very cool feature...

For example:

I have a DVM setup for printing only, the firewall rules on that DVM are:

Address: Printer's wireless IP = 192.168.1.6 (fixed IP in my case)
Service (or port): 515 (Canon) or 9100 (HP); other ports might be needed including 631, 427. Research your printer for what's required...
Protocol: TCP only

For my email IMAP AppVM(In the email AppVM "Firewall" tab):

2 Rules-
Address: 66.11.4.135 (imap.fastmail.com)
Service(or port): 993
Protocol: TCP

Address: 66.11.4.140 (smtp.fastmail.com)
Service(or port): 465
Protocol: TCP

(To be honest I use a different email provider so the IP and ports are different but you get the idea. This info, as with my own, is usually published on the site or available by asking the network admin.)

My "Web Surfing" DVM has no firewall rules i.e. "Allow All" which I can also print from. This could be tightened up if needed...

I have played with my VPN AppVM as follows (kinda kill switch?):
Address: 168.1.75.17 (IP address to my VPN connection)
Service(or port): 1194
Protocol: TCP

You might have an AdminVM for your router, firewall or switch which could be:
Address: 192.168.4.6
Service(or port): 31006 (I think there are +65000 ports available)
Protocol: TCP

My sys-firewall does not have any restrictions


With this set up, I can:
a) Assign the Print DVM to my Vault and Email AppVM. I think most important for the email AppVM to prevent a malicious attachment from "calling home" when opened (although it could go through my printer?).
b) Assign the web surfing DVM to my "untrusted" domain
c) Have a restricted AppVM for Web GUI admin functions

I just take a more strict approach and block ALL then whitelist when needed...for me this gives me what I need. Again open to feedback if this is wrong...
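Added example (not from the thread and not Qubes project code): a small model of the Qubes 4.0 per-qube "Firewall rules" tab that evaluates sample connections against the rule lists posted above (the web-only and Thunderbird lists in the opening question, and the pinned-IP email, printer and admin lists in the last reply) and emits the dom0 `qvm-firewall` command lines believed to be equivalent. Everything about how the tab is evaluated is an assumption of this example, stated in the docstring: first match wins with a trailing drop when any rule exists, "Allow all" when the list is empty, the tab's DNS/ICMP checkboxes mapping to `specialtarget=dns` and `proto=icmp`, and Protocol ANY with a port expanding to one tcp and one udp rule. The sample destination 203.0.113.10 is a constructed documentation address; the other IPs are the ones the posters used. Check the CLI syntax against `qvm-firewall --help` on your own dom0 before pasting anything.

```python
"""Model of the Qubes 4.0 per-qube firewall tab (added example, not Qubes code).

Assumed semantics (verify on your own system, e.g. `qvm-firewall --help`):
  - rules are checked top to bottom, first match wins, and a non-empty list
    ends in an implicit drop; an empty list means "Allow all";
  - the tab's "Allow ICMP" / "Allow DNS queries" checkboxes map to the rules
    `accept proto=icmp` and `accept specialtarget=dns` (the latter admits only
    the DNS servers Qubes assigns to the qube; simplified here to "port 53");
  - `dstports=` only makes sense with proto=tcp or proto=udp, so a GUI rule
    with Protocol ANY and a service is expanded to one tcp and one udp rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names as they appear in the GUI dropdown, mapped to IANA ports.
SERVICES = {"http": 80, "https": 443, "smtp": 25, "smtps": 465,
            "submission": 587, "imap": 143, "imaps": 993, "dns": 53}


@dataclass(frozen=True)
class Rule:
    address: str   # "*" or an IP / CIDR, as typed in the Address field
    service: str   # GUI service name, a port ("993") or a range ("515-516")
    protocol: str  # "TCP", "UDP" or "ANY"

    def ports(self):
        s = self.service.lower()
        if s in SERVICES:
            return SERVICES[s], SERVICES[s]
        lo, _, hi = s.partition("-")
        return int(lo), int(hi or lo)

    def protocols(self):
        p = self.protocol.upper()
        return ("TCP", "UDP") if p == "ANY" else (p,)

    def matches(self, dst, port, proto):
        if self.address != "*" and \
                ip_address(dst) not in ip_network(self.address, strict=False):
            return False
        lo, hi = self.ports()
        return lo <= port <= hi and proto.upper() in self.protocols()

    def qvm_firewall(self, qube):
        """dom0 command line(s) believed equivalent to this GUI rule (assumption)."""
        lo, hi = self.ports()
        dstports = f"dstports={lo}" if lo == hi else f"dstports={lo}-{hi}"
        dsthost = [] if self.address == "*" else [f"dsthost={self.address}"]
        return [" ".join([f"qvm-firewall {qube} add accept", *dsthost,
                          f"proto={p.lower()}", dstports])
                for p in self.protocols()]


def allowed(rules, dst, port, proto, allow_dns=True, allow_icmp=True):
    """Would a connection from the qube to dst:port/proto pass the tab?"""
    if not rules:                  # empty list == "Allow all"
        return True
    if proto.upper() == "ICMP":
        return allow_icmp
    if allow_dns and port == 53:   # simplified stand-in for specialtarget=dns
        return True
    return any(r.matches(dst, port, proto) for r in rules)


def dom0_script(qube, rules, allow_dns=True, allow_icmp=True):
    """Command list to reproduce one tab's rule set from dom0 (assumed syntax)."""
    out = []
    if allow_dns:
        out.append(f"qvm-firewall {qube} add accept specialtarget=dns")
    if allow_icmp:
        out.append(f"qvm-firewall {qube} add accept proto=icmp")
    for r in rules:
        out.extend(r.qvm_firewall(qube))
    out.append(f"qvm-firewall {qube} add drop")   # explicit default-deny
    return out


# Rule lists as posted in the thread; the IPs are the posters' own examples.
WEB_ONLY = [Rule("*", "https", "TCP"), Rule("*", "http", "TCP")]
MAIL_ANYHOST = [Rule("*", "smtp", "ANY"), Rule("*", "imap", "TCP"),
                Rule("*", "imaps", "TCP")]
MAIL_PINNED = [Rule("66.11.4.135", "993", "TCP"),
               Rule("66.11.4.140", "465", "TCP")]
PRINT_ONLY = [Rule("192.168.1.6", "9100", "TCP")]
ADMIN_ONLY = [Rule("192.168.4.6", "31006", "TCP")]

if __name__ == "__main__":
    for name, rules in [("web", WEB_ONLY), ("mail", MAIL_PINNED),
                        ("print", PRINT_ONLY), ("admin", ADMIN_ONLY)]:
        print("\n".join(dom0_script(name, rules)))
    # 203.0.113.10 is a constructed documentation address, not a real host.
    print(allowed(WEB_ONLY, "203.0.113.10", 443, "tcp"))    # web: allowed
    print(allowed(WEB_ONLY, "203.0.113.10", 993, "tcp"))    # IMAPS from web qube: dropped
    print(allowed(MAIL_PINNED, "66.11.4.135", 465, "tcp"))  # SMTP host/port mismatch: dropped
    print(allowed(PRINT_ONLY, "192.168.1.7", 9100, "tcp"))  # some other LAN host: dropped
```

Two things the run makes visible that the rule lists alone do not: with pinned IPs each host/port pair is its own rule, so 993 to the SMTP address and 465 to the IMAP address are both dropped, and the generic Thunderbird list admits port 25 over both tcp and udp (Protocol ANY) but nothing on 587, so a client configured for the submission port would be blocked by that list.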
