How to investigate which ports need to be open when firewall rules seem to be too restrictive


PR

May 18, 2017, 4:55:31 PM
to qubes-users
Hello,

when using AppVMs for special purposes, I like to use deny-all firewall rules and only open the necessary ports.
Unfortunately this means a step-by-step approach to find out which domains and ports need to be open.

Question:
Where can I find a log file which shows what the firewall is blocking from inside (AppVM) to outside (WAN)?
I know that I've missed some ports to get things up and running, but I don't know where to look for them.

- P

Unman

May 18, 2017, 6:01:44 PM
to PR, qubes-users
Hello,

You create a log file by inserting a new rule in the iptables chain,
using the LOG target.

Let's say you want to check what's happening on sys-firewall to
traffic from 10.137.1.101.
iptables -L -nv will show the current rules.
Count where the current DROP rule appears in the FORWARD chain - say,
it's at position 4.
Then insert a LOG rule before that DROP rule:
iptables -I FORWARD 4 -s 10.137.1.101 -j LOG

Now all the DROPPED traffic will be logged, and you can use dmesg to
inspect those logs.

unman
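
The procedure above, as an added shell example (not from the thread): find the DROP rule's position, build the LOG rule, and summarise the logged lines into the destinations and ports that were blocked. The chain listing, the log lines, the 10.137.1.101 address and the "fw-drop: " prefix are constructed sample data and assumptions, not output from a real sys-firewall.

```shell
# Added example, not from the thread. Chain listing, log lines and the
# 10.137.1.101 address are constructed sample data; the "fw-drop: " prefix
# is an assumption (any --log-prefix works, it just makes dmesg grep-able).
# Steps 1 and 2 are what you would run as root on sys-firewall.

# 1. Position of the first DROP rule. Feed `iptables -L FORWARD -nv --line-numbers`
#    on stdin; the first field is the rule number, the fourth the target.
drop_rule_position() {
  awk '$1 ~ /^[0-9]+$/ && $4 == "DROP" { print $1; exit }'
}

# 2. The LOG rule for one AppVM, inserted at the DROP rule's position so it is
#    evaluated first (iptables -I shifts the DROP rule down by one). It lives in
#    the running kernel only, so it is gone after sys-firewall restarts.
log_rule_command() {
  printf 'iptables -I FORWARD %s -s %s -j LOG --log-prefix "fw-drop: "\n' "$1" "$2"
}

# 3. Summarise `dmesg` output fed on stdin: one line per PROTO/DST/DPT with a hit
#    count, most frequent first. Only KEY=VALUE tokens are used, so it works
#    with or without timestamps; ICMP has no DPT and shows "-".
blocked_destinations() {
  awk '/SRC=/ {
    proto = ""; dst = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (dst != "") count[proto " " dst " " dpt]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

SAMPLE_RULES='Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      0     0 ACCEPT     tcp  --  vif+   *       10.137.1.101         0.0.0.0/0            tcp dpt:443
3      0     0 DROP       all  --  vif+   *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_LOG='[ 8421.101] fw-drop: IN=vif2.0 OUT=eth0 SRC=10.137.1.101 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=51344 DPT=443 SYN
[ 8421.209] fw-drop: IN=vif2.0 OUT=eth0 SRC=10.137.1.101 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=51346 DPT=443 SYN
[ 8422.330] fw-drop: IN=vif2.0 OUT=eth0 SRC=10.137.1.101 DST=10.139.1.1 LEN=71 TTL=63 PROTO=UDP SPT=40201 DPT=53 LEN=51'

pos=$(printf '%s\n' "$SAMPLE_RULES" | drop_rule_position)
log_rule_command "$pos" 10.137.1.101                  # the rule to run on sys-firewall
printf '%s\n' "$SAMPLE_LOG" | blocked_destinations    # on a real system: dmesg | blocked_destinations
```

Each summary line is one candidate for a new allow rule; once the AppVM works, delete the LOG rule again (or just restart sys-firewall).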

PR

May 18, 2017, 6:21:13 PM
to Unman, qubes-users
Hello Unman,


On 05/19/2017 12:01 AM, Unman wrote:
> On Thu, May 18, 2017 at 01:55:31PM -0700, 'PR' via qubes-users wrote:
>> Hello,
>>
>> when using AppVMs for special purposes, I like to use deny-all firewall rules and only open the necessary ports.
>> Unfortunately this means a step-by-step approach to find out which domains and ports need to be open.
>>
>> Question:
>> Where can I find a log file which shows what the firewall is blocking from inside (AppVM) to outside (WAN)?
>> I know that I've missed some ports to get things up and running, but I don't know where to look for them.
> Hello,
>
> You create a log file by inserting a new rule in the iptables chain,
> using the LOG target.
>
> Let's say you want to check what's happening on sys-firewall to
> traffic from 10.137.1.101
> iptables -L -nv will show the current rules.
> Count where the current DROP rule appears in the FORWARD chain - say,
> it's at position 4.
> Then insert a LOG rule before that DROP rule:
> iptables -I FORWARD 4 -s 10.137.1.101 -j LOG
>
>
> Now all the DROPPED traffic will be logged, and you can use dmesg to
> inspect those logs.
>
> unman
perfect, thanks!!
I assume that this rule is non-persistent and will not survive a reboot
of sys-net, correct?
This would be great as I only need this rule to fine tune my firewall
settings.

- P

Unman

May 18, 2017, 7:08:20 PM
to PR, qubes-users
reboot of "sys-firewall" I think you mean, otherwise you're right.