How find out addresses to limit outgoing connections


Stumpy

Jan 1, 2018, 11:55:26 PM
to Qubes users
I read some posts about firewalls etc but haven't been able to
find/limit outgoing connections.
I have tried to add domains which seems to have worked (minus a bug or
two) but I can't seem to figure out all the domains I need to list.

example, I use a gmail account, I tried adding say gmail.com and
google.com to the list of accepted connections but it still doesn't
work. I assume there are other domains I need to add but I can't figure
out how to see what they are. I tried tcpdump and installed iptraf in
the vm but they strangely don't even show email, just amazon aws,
akamaitechnolog, and ???.1e100.net but then I tried installing umatrix
in chrome and it shows various other domains (quite a few actually).

Also, when I try to add domains the firewall window gives me an error
port number or service is invalid, but I selected "any" for service and
ports? And after adding whatever domains the first time and
saving/clicking ok, when I try to go back in to further add/modify the
firewall I get the error "firewall has been modified manually - please
use qvm-firewall for any further configuration." I haven't had much luck
using qvm-firewall beyond just the list option.

In the end, I want to have say a VM for email, where the firewall blocks
everything but access to the email service, and do the same for my
"banking VM" or "bitcoin wallet vm"

I'm at a bit of a loss so would be grateful for help.


Andrew David Wong

Jan 2, 2018, 12:07:29 AM
to stu...@posteo.co, Qubes users
Take a look at this thread:

https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Tom Zander

Jan 2, 2018, 4:51:39 AM
to qubes...@googlegroups.com, stu...@posteo.co
On Saturday, 30 December 2017 04:55:59 CET Stumpy wrote:
> In the end, I want to have say a VM for email, where the firewall blocks
> everything but access to the email service, and do the same for my
> "banking VM" or "bitcoin wallet vm"
>
> I'm at a bit of a loss so would be grateful for help.

Using gmail in your browser is indeed quite difficult to allow specifically.
Even using another protocol to a provider like google is practically
speaking not possible.
So I think you started on the hardest problem.

Instead, if you were to use for instance kolabnow.com, you'd be able to
limit your outgoing to just two hosts (imap.kolabnow.com and
smtp.kolabnow.com) which is a short list of IP addresses. (I personally use
'dig' to find out all IP addresses of a DNS).

Same with the Bitcoin wallet VM, you need to find out a series of trusted IP
addresses and only allow outgoing connections from them, and likely no
incoming connections at all.
Those IPs would be something from friends, or some you find on:
https://bitnodes.earn.com/
But notice you need to then tell your bitcoin software to actually connect
to those IPs and likely skip any DNS lookup.

Hope that helps!
--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
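As an added example (not code from this thread, and not Qubes OS's own tooling), the script below walks through the two halves of the problem raised above: first, Stumpy's question of seeing what a VM actually connects to, answered by summarising new outbound TCP connections (bare SYNs) from `tcpdump -nn` output instead of reading the raw lines; second, Tom's approach of pinning the allow-list to the addresses `dig` returns for `imap.kolabnow.com` and `smtp.kolabnow.com`, turned into `qvm-firewall` commands. Everything network-related is constructed so it runs offline: the tcpdump lines, the "dig" answers (including a CNAME target line, which `dig +short` really does print before the A records and which must be filtered out) and the addresses themselves, which come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges and are not kolabnow's real IPs. The `qvm-firewall VM add accept dsthost=... proto=tcp dstports=...` and `del --rule-no 0` syntax is the Qubes 4.0 form and is an assumption here (Qubes 3.2 uses a different syntax); the ports 993 (IMAPS) and 587 (submission) are also assumed. Check `qvm-firewall VM list` before running the generated commands, because they delete rule 0 on the assumption that it is the default catch-all accept.

```shell
#!/bin/sh
# Added example, not from the thread or from Qubes OS: build a Qubes firewall
# allow-list for a mail VM from observed traffic and from dig answers.
# ASSUMPTIONS: Qubes 4.0 qvm-firewall syntax; ports 993/587; all network data
# below is constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges, not kolabnow's addresses).

# Constructed `tcpdump -nn` lines as captured inside the VM (10.137.0.12).
SAMPLE_TCPDUMP='12:00:01.000000 IP 10.137.0.12.45678 > 10.139.1.1.53: 1234+ A? imap.kolabnow.com. (35)
12:00:01.010000 IP 10.137.0.12.45679 > 192.0.2.10.993: Flags [S], seq 1, win 64240, length 0
12:00:01.020000 IP 192.0.2.10.993 > 10.137.0.12.45679: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000000 IP 10.137.0.12.45680 > 192.0.2.10.993: Flags [S], seq 3, win 64240, length 0
12:00:07.000000 IP 10.137.0.12.45681 > 198.51.100.25.587: Flags [S], seq 4, win 64240, length 0'

# outbound_syns VMIP: read tcpdump -nn lines on stdin, keep only new outbound
# TCP connections (source is the VM, flags are a bare SYN) and print
# "dstip port count". DNS queries and the server's SYN-ACKs are dropped.
outbound_syns() {
    awk -v vmip="$1" '
        $2 == "IP" && index($3, vmip ".") == 1 && $6 == "Flags" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)        # "192.0.2.10.993:" -> "192.0.2.10.993"
            n = split(dst, p, ".")
            port = p[n]
            ip = p[1] "." p[2] "." p[3] "." p[4]
            count[ip " " port]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# dig_a HOST: stand-in for `dig +short A "$1"`. Constructed answers; the first
# line for the IMAP host imitates the CNAME target dig +short prints.
dig_a() {
    case "$1" in
        imap.kolabnow.com) printf '%s\n' 'mail.kolabnow.com.' 192.0.2.10 192.0.2.11 ;;
        smtp.kolabnow.com) printf '%s\n' 198.51.100.25 ;;
        *) return 1 ;;
    esac
}

# a_only: keep only dotted-quad lines, so CNAME targets never become rules.
a_only() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# firewall_rules VM PORT: one accept rule per IP address read from stdin.
firewall_rules() {
    vm=$1; port=$2
    while read -r ip; do
        printf 'qvm-firewall %s add accept dsthost=%s proto=tcp dstports=%s\n' "$vm" "$ip" "$port"
    done
}

# firewall_script VM: the full command list. Literal IPs from dig (as Tom
# suggests) rather than hostnames make the rule set explicit; re-run it when
# the records change.
firewall_script() {
    vm=$1
    # ASSUMPTION: rule 0 is the default catch-all accept; verify with
    # `qvm-firewall VM list` first. If it stays, it matches before our rules.
    printf 'qvm-firewall %s del --rule-no 0\n' "$vm"
    dig_a imap.kolabnow.com | a_only | firewall_rules "$vm" 993
    dig_a smtp.kolabnow.com | a_only | firewall_rules "$vm" 587
    # Explicit final drop, so the policy does not depend on the implicit default.
    printf 'qvm-firewall %s add drop\n' "$vm"
}

printf '%s\n' "$SAMPLE_TCPDUMP" | outbound_syns 10.137.0.12
firewall_script emailvm
```

Run inside the VM as `sudo tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | outbound_syns 10.137.0.12` style input to get the real destination summary; the summary is what you then reverse-map with `dig -x` to decide which addresses belong in the allow-list. The point of the bare-SYN filter is that established flows and CDN chatter do not drown out the handful of connections the mail client actually opens.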