I have a bank vm, how do you restrict


elsieb...@gmail.com

Feb 7, 2017, 3:11:54 AM2/7/17
to qubes-users
I have a bank vm, how do you restrict the browser from being able to go elsewhere? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there?

I've tried both, and created an email vm with iprules "deny everything except"

But then neither vm(s) will connect.

Is there a proper way to do this?

Or will I have to do the tinyproxy thing I've read elsewhere?

0xDEADBEEF00

Feb 7, 2017, 3:57:44 AM2/7/17
to elsieb...@gmail.com, qubes-users
Hi,
It's my first contribution on this list. 

I've tried both solutions some time ago and definitely the tinyproxy solution works much better and can handle nicely DNS round robin or servers behind load balancers. By the way, this solution offers another nice possibility: you can use regular expressions and for example allow .*\.mycompany\.com$. On the counterpart, you will have to trust the DNS resolution.

Best,

0xdeadbeef


Sent with ProtonMail Secure Email.
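Added example (not code from this thread or from the tinyproxy project): a small Python model of the default-deny, regex-based host filter that a tinyproxy setup like the one described above applies. The filter-file format (one extended regular expression per line, matched against the host name, with `FilterDefaultDeny Yes` so that anything unmatched is refused) follows tinyproxy's; the bank and company host names, the patterns and the request lines are constructed for the demo. The example also parses CONNECT requests, which is how a browser reaches an HTTPS site through such a proxy, so the host name is available to the filter even though the tunnel contents are encrypted, and it shows why the `$` anchor matters and why `.*\.mycompany\.com$` does not match the bare `mycompany.com`.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist in the style of a tinyproxy filter file: one
# extended regular expression per line, matched against the host name
# (not the full URL). Comments and blank lines are ignored.
FILTER_FILE = r"""
# the bank: any subdomain, plus the apex itself (needs its own anchored line)
.*\.mybank\.example$
^mybank\.example$
# as in the post above: any subdomain of mycompany.com
.*\.mycompany\.com$
"""


def load_filter(text):
    """Parse filter-file text into compiled regexes, skipping comments and blanks.

    tinyproxy matches case-insensitively unless FilterCaseSensitive is on,
    so the patterns are compiled with IGNORECASE here as well.
    """
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def request_host(request_line):
    """Extract the destination host from a proxy request line.

    Plain HTTP arrives as 'GET http://host/path HTTP/1.1'; HTTPS arrives as
    'CONNECT host:443 HTTP/1.1'. In both cases the proxy sees the host name,
    even though for HTTPS it cannot read what flows through the tunnel.
    Returns '' for a request that carries no host (e.g. a relative path).
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host, sep, _port = target.rpartition(":")
        return (host if sep else target).lower()
    hostname = urlsplit(target).hostname
    return hostname.lower() if hostname else ""


def is_allowed(host, patterns, default_deny=True):
    """Default-deny: the host passes only if some pattern matches it.

    Regexes are searched, not fully matched, so a pattern without ^ and $
    would match anywhere inside the name; the anchors in FILTER_FILE are
    what keep lookalike names such as www.mycompany.com.evil.example out.
    With default_deny=False the same list behaves as a blocklist instead.
    """
    matched = any(p.search(host) for p in patterns)
    return matched if default_deny else not matched


def decide(request_line, patterns):
    """Return (host, allowed) for one proxy request line."""
    host = request_host(request_line)
    return host, is_allowed(host, patterns)


# Constructed sample requests, as a browser behind the proxy would send them.
SAMPLE_REQUESTS = [
    "CONNECT online.mybank.example:443 HTTP/1.1",          # HTTPS to the bank: allowed
    "GET http://www.mycompany.com/ HTTP/1.1",              # allowed by the post's pattern
    "CONNECT mycompany.com:443 HTTP/1.1",                  # bare apex: NOT matched by .*\.mycompany\.com$
    "CONNECT www.mycompany.com.evil.example:443 HTTP/1.1", # lookalike: refused thanks to the $ anchor
    "GET http://tracker.example/pixel.gif HTTP/1.1",       # anything else: refused
]

if __name__ == "__main__":
    pats = load_filter(FILTER_FILE)
    for req in SAMPLE_REQUESTS:
        host, ok = decide(req, pats)
        print(f"{'ALLOW' if ok else 'DENY ':5} {host:40} <- {req}")
```

Running the block prints one ALLOW/DENY line per sample request. Two practical checks when writing such a filter: give the apex domain its own `^...$` line, since a pattern that starts with `.*\.` only matches subdomains, and confirm that a lookalike such as `www.mycompany.com.evil.example` is refused. As the post says, the filter only sees the name the browser asked for, so the DNS resolution of that name still has to be trusted.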


Oleg Artemiev

Feb 7, 2017, 4:47:14 AM2/7/17
to 0xDEADBEEF00, elsieb...@gmail.com, qubes-users
On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
<qubes...@googlegroups.com> wrote:
>> I have a bank vm, how do you restrict the browser from being able to go else
>> where? Do you add the iprules in the vm or do you create a proxyvm and add
>> the iprules there?
>>
>> I've tried both, and created an email vm with iprules "deny everything
>> except"
>>
>> But then neither vm(s) will connect.
>>
>> Is there a proper way to do this?
>>
>> Or will I have to do the tinyproxy thing I've read elsewhere ?
> I've tried both solution some time ago and definitly the tinyproxy solution
> works much better and can handle nicely dns round robin or servers behind
> load balancers. By the way this solution offer an other nice possibility,
> you can use regular expressions and for example allow .*\.mycompany\.com$ on
> the conter-part, you will have to trust the dns resolution.
Look also for modules like 'request policy' and 'no script' or
'policeman' that implement a nice GUI allowing both types in a single
place.

Request policy + 'ask for reload permission' should be enough to
control a few banks in a single VM in a single place.
Not as secure as proxying and denying in some other VM, but easy +
GUI controls + requires some configuration work at the start.

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

Andrew David Wong

Feb 7, 2017, 6:07:10 AM2/7/17
to elsieb...@gmail.com, qubes-users
Previously discussed here:

https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

elsieb...@gmail.com

Feb 7, 2017, 2:16:26 PM2/7/17
to qubes-users, elsieb...@gmail.com
Don't know what I did exactly, but both vm(s) (email and banking) are now working. It didn't make sense why neither would connect.

In the end, I made two proxyvm(s) where I "denied all but..." and added the domains as they didn't connect until they did.

My original problem was, after getting the banking vm working, I started working on the email vm, then neither would connect. That's what didn't make sense. If both vms were not connected to each other, then how could one stop the other from connecting?

Well, they both work now...

Chris Laprise

Feb 8, 2017, 9:38:52 AM2/8/17
to Oleg Artemiev, 0xDEADBEEF00, elsieb...@gmail.com, qubes-users
On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
> <qubes...@googlegroups.com> wrote:
>>> I have a bank vm, how do you restrict the browser from being able to go else
>>> where? Do you add the iprules in the vm or do you create a proxyvm and add
>>> the iprules there?
>>>
>>> I've tried both, and created an email vm with iprules "deny everything
>>> except"
>>>
>>> But then neither vm(s) will connect.
>>>
>>> Is there a proper way to do this?
>>>
>>> Or will I have to do the tinyproxy thing I've read elsewhere ?
>> I've tried both solution some time ago and definitly the tinyproxy solution
>> works much better and can handle nicely dns round robin or servers behind
>> load balancers. By the way this solution offer an other nice possibility,
>> you can use regular expressions and for example allow .*\.mycompany\.com$ on
>> the conter-part, you will have to trust the dns resolution.
> Look also for modules like 'request policy' and 'no script' or
> 'policeman' that implements nice GUI allowing both types in a single
> place.
>
> Request policy + 'ask for reload permission' should be enough to
> control in a single VM for a few banks in single place.
> Not that secure as proxying and denying in some other VM, but easy +
> GUI controls + require some configuration work at start.
>

Good recommendations. I'll add one to that list: HttpsEverywhere.

It will keep you from accidentally accessing pages in unencrypted form.
You can also set it to allow only https (although some banks may use a
mix of https and http).

Chris

Oleg Artemiev

Feb 10, 2017, 6:35:24 PM2/10/17
to Chris Laprise, 0xDEADBEEF00, Elsie Buck, qubes-users
Look also for uMatrix, Privacy Badger, force cache loading. For
banking, use of Policeman and HTTPS Everywhere should be enough, though
other Firefox modules are also good.

Oleg Artemiev

Feb 10, 2017, 6:40:30 PM2/10/17
to Chris Laprise, 0xDEADBEEF00, Elsie Buck, qubes-users
On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemiev <grey...@gmail.com> wrote:
> On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise <tas...@openmailbox.org> wrote:
>> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>>>> I have a bank vm, how do you restrict the browser from being able to go
>>>>> else
>>>>> where? Do you add the iprules in the vm or do you create a proxyvm and
>>>>> add
>>>>> the iprules there?
>>>> I've tried both solution some time ago and definitly the tinyproxy
>>>> solution
>>>> works much better and can handle nicely dns round robin or servers behind
>>>> load balancers. By the way this solution offer an other nice possibility,
>>>> you can use regular expressions and for example allow .*\.mycompany\.com$
>>>> on
>>>> the conter-part, you will have to trust the dns resolution.
>>>
>>> Look also for modules like 'request policy' and 'no script' or
>>> 'policeman' that implements nice GUI allowing both types in a single
>>> place.
>>> Request policy + 'ask for reload permission' should be enough to
>>> control in a single VM for a few banks in single place.
>>> Not that secure as proxying and denying in some other VM, but easy +
>>> GUI controls + require some configuration work at start.
>> Good recommendations. I'll add one to that list: HttpsEverywhere.
>> It will keep you from accidentally accessing pages in unencrypted form. You
>> can also set it to allow only https (although some banks may use a mix of
>> https and http).
> look also for uMatrix, Privacy Badger, force cache loading, For
> banking use of policeman and https everywhere should be enough. Though
> other firefox modules are also good.
Forgot to mention uBlock Origin.

elsieb...@gmail.com

Feb 11, 2017, 6:04:14 PM2/11/17
to qubes-users, elsieb...@gmail.com
Well I hate to beat a dead horse...

Neither vm will connect without refreshing multiple times. This isn't acceptable. I prefer dnsmasq rather than some Firefox addon. Actually, I'm pretty sure dnsmasq won't do in this case. Some other solution...

elsieb...@gmail.com

Feb 11, 2017, 8:21:50 PM2/11/17
to qubes-users, elsieb...@gmail.com
I tried tinyproxy; I'm fairly certain proxies in general will NOT work with https.
Am I right about this? Or have I not done something right?

Andrew David Wong

Feb 11, 2017, 9:08:56 PM2/11/17
to elsieb...@gmail.com, qubes-users

You should try the method I described here:

https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

elsieb...@gmail.com

Feb 12, 2017, 12:46:21 AM2/12/17
to qubes-users, elsieb...@gmail.com
On Saturday, February 11, 2017 at 9:08:56 PM UTC-5, Andrew David Wong wrote:
>
> You should try to the method I described here:
>
> https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion
>

The difference being instead of google.com use 74.125.192.113, 74.125.192.100, 74.125.192.102, 74.125.192.138 etc?

And instead of accounts.google.com use 172.217.5.237?

Andrew David Wong

Feb 12, 2017, 3:01:23 AM2/12/17
to elsieb...@gmail.com, qubes-users

No. I explain the procedure in the first post of that thread.
Please try reading it again.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

elsieb...@gmail.com

Feb 12, 2017, 12:55:25 PM2/12/17
to qubes-users, elsieb...@gmail.com
On Sunday, February 12, 2017 at 3:01:23 AM UTC-5, Andrew David Wong wrote:
...

> No. I explain the procedure in the first post of that thread.
> Please try reading it again.
...

Done, works exactly as advertised! And both vm(s) actually work!

Thank you!
