Not using firewall rules correctly?


Gaiko Kyofusho

Apr 28, 2017, 6:09:05 PM
to qubes...@googlegroups.com
I thought I would make use of the Qubes firewall feature and try blocking some sites. I first tried in the firewallVM -> settings -> firewall rules and added some sites, doubleclick.net for example.

I closed it etc then went back to it and saw this error:

The sys-firewall AppVM is not network connected to a FirewallVM
You may edit the sys-firewall VM firewall rules but these will not take effect until you connect it to a working firewallVM

?? I was editing the rules in the sys-firewall VM so I am not sure about that, unless perhaps because I have a VPN running? (The VPN is behind, not in front of, the firewall.)

I tried the same setup/rules but instead of in the sys-firewall VM I tried it in my personalVM, and while I didn't get an error there, it also didn't seem to block sites like doubleclick.net?

I assume I am doing something wrong but am not sure what, as I thought I was doing as the Qubes firewall doc instructed?

Unman

Apr 28, 2017, 6:26:24 PM
to Gaiko Kyofusho, qubes...@googlegroups.com
The Qubes firewall is set for each qube.
So if you want to block a particular qube from accessing a site you make
a change in the firewall for that qube, and it is implemented in iptables
on the proxyVM upstream of the qube.

You have tried to set a rule on the firewallVM, and the error message is
telling you that sys-net does not act as a firewallVM.

If you want to block traffic FROM sys-firewall then you can set iptables
rules ON sys-firewall and set them from rc.local or
qubes-firewall-user-script in /rw/config.
Alternatively you can write custom rules in sys-net and implement them
there to block traffic from downstream qubes.

A major problem in doing this is that iptables acts on IP addresses. If
you want to block something like doubleclick.net then you would
have to block all the IP addresses associated with that domain. An
alternative approach would be to make entries in /etc/hosts resolving
to a local address. This stops any DNS resolution and effectively blocks
access to the site. If you look online there are many examples of hosts
files that use this technique to block access to questionable sites.

hth

unman


Gaiko Kyofusho

May 1, 2017, 10:47:45 PM
to qubes...@googlegroups.com


On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
> Thanks, I looked up about host files, and found the
> github.com/StevenBlack/hosts file which is handy but what I am still a bit
> confused about is where to put it. The reason I assumed dom0 before was I
> thought anything put in /etc/ would be erased on reboot which seems to be
> happening, is there someway around this or perhaps I should be putting it
> in the template?
>

You can put the file in /rw/config, and then in /rw/config/rc.local
include:
cat /rw/config/hosts >> /etc/hosts
Or you can use bind-dirs to make /etc/hosts survive a reboot.


Thanks. I am not sure how to bind dirs, but I understand putting the file in the config dir and cat'ing it into /etc/hosts... but since those are write-protected dirs, would the rc.local execute those commands as root (or su or sudo, not sure about the terminology here)? I ask because when I try:

source rc.local

it gives me permission denied errors. I tried adding "sudo" in front but that didn't seem to help?

Gaiko Kyofusho

May 1, 2017, 10:53:04 PM
to qubes...@googlegroups.com
Oops, sent prematurely. When I try to restart the VM, then go into the terminal and:
less /etc/hosts

it still seems to be the original and not the updated hosts?

Drew White

May 2, 2017, 1:03:18 AM
to qubes-users
The hosts file is one of the files in the base, so it's always replaced.

I recommend creating a hosts file in the /rw directory, then in rc.local deleting the hosts file and creating a link to the one in /rw.

That's what I do, and it works like a charm.

Other than that, you can set up an internal DNS server that hangs off the proxyVM to handle all DNS requests from all other guests that hang off that ProxyVM.

It's just another simple solution.
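Both rc.local approaches from this thread (Unman's append, Drew White's symlink) in one script, as an added example that is not code from any poster; it also adds a check that a name really ends up blackholed. Qubes runs /rw/config/rc.local as root at qube start, so no sudo is needed there; the paths are the thread's, and HOSTS_SRC / HOSTS_DST are assumed override variables for rehearsing on scratch copies.

```shell
#!/bin/sh
# Added example (not from the thread): rc.local fragment that re-applies a
# hosts blocklist kept under /rw on every boot, in either style discussed,
# plus a check that a name is blackholed afterwards.
# Qubes runs /rw/config/rc.local as root at qube start, so no sudo is needed.
# Paths are the thread's; HOSTS_SRC / HOSTS_DST are assumed override knobs.

HOSTS_SRC="${HOSTS_SRC:-/rw/config/hosts}"
HOSTS_DST="${HOSTS_DST:-/etc/hosts}"

# Unman's style: append each blocklist entry to the live hosts file. Comments,
# blank lines and lines already present are skipped, so reruns do not duplicate.
merge_hosts() {
    src="$1"; dst="$2"
    [ -r "$src" ] || return 1
    grep -v '^[[:space:]]*#' "$src" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        grep -qxF -- "$line" "$dst" || printf '%s\n' "$line" >> "$dst"
    done
}

# Drew White's style: replace the live hosts file with a symlink into /rw.
# The /rw copy must then carry the localhost and hostname lines itself.
link_hosts() {
    src="$1"; dst="$2"
    [ -r "$src" ] || return 1
    rm -f -- "$dst" && ln -s -- "$src" "$dst"
}

# Return 0 when NAME maps to a blackhole/loopback address (0.0.0.0 or
# 127.0.0.1) in FILE, 1 otherwise; use it to verify the list took effect.
hosts_blocks() {
    file="$1"; name="$2"
    awk -v n="$name" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i == n && ($1 == "0.0.0.0" || $1 == "127.0.0.1")) found = 1 }
        END { if (found) exit 0; exit 1 }' "$file"
}

# In /rw/config/rc.local the whole job is one call; merging is the safer default.
merge_hosts "$HOSTS_SRC" "$HOSTS_DST" || echo "no blocklist at $HOSTS_SRC" >&2
```

Note that a blocked name still reaches the browser as a connection to 0.0.0.0, so a page may show broken elements rather than a "blocked" message; that is the hosts-file behaviour, not a script fault.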

cooloutac

May 9, 2017, 9:53:30 PM
to qubes-users
To filter HTTP is a pain. I use lists from iblocklist.com in PeerGuardian on a Debian VM, so you can use the mouse to temporarily allow stuff sometimes. It blocks something like between 2 and 3 million IP addresses, only IPv4 though, and probably with some overlap. I disable IPv6 in grub. But you have to not use the PC or have crazy discipline.

Gaiko

May 20, 2017, 9:40:55 AM
to qubes-users
Thanks, I will give that a try.

Gaiko

May 20, 2017, 9:43:52 AM
to qubes-users
So when you say in a Debian VM, do you happen to mean as a Debian VM via proxy? Like in the middle of your VMs?

Slightly off topic, but would sites "see" hosts files or PeerGuardian (i.e. blocking but not at the browser level) as blocking? Some sites give you guff about blocking, and there is also the privacy aspect of making oneself even more unique.

thx!

cooloutac

May 30, 2017, 8:50:04 PM
to qubes-users
You can put it in a proxy too. I wouldn't trust it in anything trusted or sensitive.

Some sites do give a warning, but it's rare. Usually, something on a site just doesn't work or load till you allow something. To filter all these scripts and IPs from websites really isn't that practical. I'm a little nuts too, 'cause I only temporarily allow stuff 90% of the time. The use is similar to NoScript, but for IPs.