-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2016-09-20 10:16,
mitte...@digitrace.de wrote:
> Hey,
>
> Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.
>
> Examples:
>
> 1) I can configure firewall rules for a ProxyVM, but they are not activated if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)
>
Correct. Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.
> 2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected
>
Assuming you meant "unconnected," that's right. The reasoning
here is that the purpose of firewall rules is to govern network
traffic. But if a VM has no NetVM (i.e., has no network access
at all), then there's no network traffic to govern.
Take a look at these pages:
https://www.qubes-os.org/doc/qubes-firewall/
https://www.qubes-os.org/doc/networking/
> Ideas:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).
>
> b) Do not allow "firewall rules" to be set for ProxyVMs (I think Proxy-Chains are rather unlikely to be used?!)
>
> c) A warning about DNS-Names in firewall rules
>
> [c) A warning if a connected ProxyVM does not activate the firewall rules]
Thanks! This general suggestion has previously been made
and is currently being tracked here:
https://github.com/QubesOS/qubes-issues/issues/2003
Also related:
https://github.com/QubesOS/qubes-issues/issues/2248
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
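The behaviour discussed in the thread (rules only enforced by an upstream ProxyVM, moot for an unconnected VM, and the suggested warnings a) and c)), as an added audit example that is not part of the original post or of Qubes OS itself. The `Qube` model, the rule dict format and the sample topology are assumptions constructed for this example; the enforcement rule it encodes is taken from the thread's description, not from the Qubes source.

```python
"""Added example (not from the thread or from Qubes OS): model a netvm chain
and report whose firewall rules would actually be enforced under the
behaviour described in the thread.

Assumptions (from the thread, not verified against the Qubes source):
- a qube's rules are enforced by its upstream netvm only if that upstream
  qube is a ProxyVM (FirewallVM); a plain NetVM does not enforce them;
- a qube with no netvm has no network traffic, so its rules are moot;
- rules are kept as simple dicts here; the real Qubes rule format differs.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Qube:
    name: str
    kind: str                     # "AppVM", "ProxyVM" or "NetVM" (assumed labels)
    netvm: Optional[str] = None   # upstream qube, None if unconnected
    rules: List[dict] = field(default_factory=list)


def enforcement_status(qubes: Dict[str, Qube], name: str) -> str:
    """Classify whether the named qube's configured rules are enforced."""
    q = qubes[name]
    if not q.rules:
        return "no-rules"
    if q.netvm is None:
        return "no-netvm"          # example 2): unconnected, nothing to govern
    upstream = qubes[q.netvm]
    if upstream.kind != "ProxyVM":
        return "netvm-not-proxy"   # example 1) / idea a): attached straight to a NetVM
    return "enforced"


def is_dns_name(dsthost: str) -> bool:
    """True when a rule target is a hostname rather than an IP address or CIDR."""
    if dsthost == "*":
        return False
    try:
        ipaddress.ip_network(dsthost, strict=False)
        return False
    except ValueError:
        return True


def audit(qubes: Dict[str, Qube]) -> List[Tuple[str, str]]:
    """Return (qube, warning) pairs; an empty list means nothing to flag."""
    warnings: List[Tuple[str, str]] = []
    for name in sorted(qubes):
        status = enforcement_status(qubes, name)
        if status == "no-netvm":
            warnings.append((name, "has firewall rules but no netvm; rules are moot"))
        elif status == "netvm-not-proxy":
            warnings.append((name, f"netvm '{qubes[name].netvm}' is not a ProxyVM; "
                                   "rules are not enforced"))
        for rule in qubes[name].rules:           # idea c): DNS names in rules
            target = rule.get("dsthost", "*")
            if is_dns_name(target):
                warnings.append((name, f"rule targets DNS name '{target}' "
                                       "rather than an IP address"))
    return warnings


# Constructed sample topology: AppVM -> ProxyVM -> ProxyVM -> NetVM, plus an
# unconnected AppVM. Names and rules are made up for this example.
SAMPLE: Dict[str, Qube] = {
    "sys-net": Qube("sys-net", "NetVM"),
    "sys-firewall": Qube("sys-firewall", "ProxyVM", netvm="sys-net",
                         rules=[{"proto": "tcp", "port": 443, "dsthost": "*"}]),
    "proxy-inner": Qube("proxy-inner", "ProxyVM", netvm="sys-firewall",
                        rules=[{"proto": "tcp", "port": 22, "dsthost": "10.0.0.0/8"}]),
    "work": Qube("work", "AppVM", netvm="proxy-inner",
                 rules=[{"proto": "tcp", "port": 443, "dsthost": "example.com"}]),
    "vault": Qube("vault", "AppVM", netvm=None,
                  rules=[{"proto": "tcp", "port": 443, "dsthost": "*"}]),
}

if __name__ == "__main__":
    for qube, warning in audit(SAMPLE):
        print(f"{qube}: {warning}")
```

In the sample, `proxy-inner` sits behind a second ProxyVM, so both its own rules and those of `work` count as enforced, while `sys-firewall` (attached directly to `sys-net`), `vault` (no netvm) and the hostname rule in `work` are each flagged.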