Networking & firewall


Jos Bredek

Dec 11, 2016, 4:05:01 PM12/11/16
to qubes-users
Hello there,

I'm relatively new to the Qubes environment. So far, I'm really excited. I just love the concept!

Anyhow, today I stumbled into a problem: using my Chromecast from one of my VMs within Qubes.

As a network technician, my first thought was: this can't be hard. Boy, was I wrong. After quite some reading, I'm still puzzled. I've noticed that the Networking & Firewall document has the status TODO. Maybe something I can lend a little help with?

I've read the following posts:
https://groups.google.com/forum/#!searchin/qubes-users/inter-vm|sort:relevance/qubes-users/lA2SgPcV9fU/U969uapYAAAJ
https://www.qubes-os.org/doc/firewall/
http://theinvisiblethings.blogspot.nl/2011/09/playing-with-qubes-networking-for-fun.html (is this still valid?).

I get the general concept.
- AppVMs are connected to sys-firewall
- sys-firewall is attached to sys-net
- no bridging involved, all routing.

But then:
- why are there subnets involved of 255.255.255.255?
- how much NATting is going on?
- what role does proxy arp play? Is it still used in 3.2?

Of course I can use Wireshark and tcpdump to sort things out... but just maybe there is a good pointer to some other documentation?

Can anyone point out some more reading material? If any?

Cheers!
Jos

Marc de Bruin

Dec 17, 2016, 5:02:02 AM12/17/16
to Jos Bredek, qubes-users
Hi Jos,

>
> Can anyone point out some more reading material? If any?
>
> Cheers!
> Jos
>

I would like to know this as well!

Anybody that would like to join and share?

Thnx,

Greetz,
Marc.

Unman

Dec 17, 2016, 9:38:55 AM12/17/16
to Marc de Bruin, Jos Bredek, qubes-users
There isn't any additional reading material other than the pages Jos has
referenced, and the list archives.
But it is (relatively) straightforward.

- how much NATting is going on?

It's all NAT.
Look at the basic iptables rules in a netvm and you will see that all
downstream traffic is subject to NAT by MASQUERADE in the postrouting
table.

iptables -L -nv -t nat:
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
7 424 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0


- what role does proxy arp play? Is it still used in 3.2?
Yes, proxy arp has been re-enabled in 3.2. It isn't essential in most
use cases.


To get to Jos's question re: the Chromecast:
There are two elements to this: getting the qube to see the Chromecast
and allowing return traffic inbound.

You need to allow UDP traffic on high ports from the qube.
You need to allow TCP outbound to (I think) 8008:8009.
You need to allow UDP outbound to port 1900 on multicast.
You need to allow UDP traffic on high ports from the Chromecast to the
qube, so you will need to follow the guide on routing inbound traffic to
a qube.

There's no problem in using tcpdump and iptables on the firewall to see
what's going on. I tend to dump the traffic and then parse it on a
separate qube.
Judicious use of logging in iptables will help you see what's going on,
but there's enough here to get started I hope.

unman
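Added example for this thread (not code from the Qubes project or from any poster). It covers two points in unman's reply: first, a small check that reads an `iptables -L -nv -t nat` listing, using the POSTROUTING listing he pasted as embedded sample input, and reports which target a packet leaving on a given interface hits, which makes the "all downstream traffic is masqueraded, qube-to-qube and loopback are exempt" point concrete; second, functions that print (and deliberately do not apply) the firewall-VM rules his Chromecast checklist implies, so they can be reviewed before being run with sudo. The qube address, Chromecast address, interface names and the meaning of "high ports" (taken here to be destination ports 32768:65535) are placeholders and assumptions, not values from the thread; 239.255.255.250 is the standard SSDP multicast group and is also not stated in the thread.

```shell
#!/bin/sh
# Added example for the qubes-users thread, not code from the Qubes project
# or from any poster. (1) Inspect a nat-table listing to see which POSTROUTING
# target a packet would hit. (2) Print, without executing, the firewall-VM rules
# implied by the Chromecast checklist. Addresses, interfaces and the high-port
# range are placeholders/assumptions, not values from the thread.

# The POSTROUTING listing from unman's reply, embedded so the check runs offline.
SAMPLE_NAT_LISTING='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
7 424 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0'

# Reads a nat-table listing on stdin and prints the first POSTROUTING target
# whose "out" interface column matches the given interface ("vif+" is a prefix
# match, "*" matches anything). Header lines without packet counters are skipped.
postrouting_target_for() {
  awk -v oif="$1" '
    /^Chain / { inchain = ($2 == "POSTROUTING"); next }
    inchain && $1 ~ /^[0-9]+$/ && NF >= 7 {
      # columns: pkts bytes target prot opt in out source destination
      pat = $7
      if (sub(/\+$/, "", pat)) hit = (index(oif, pat) == 1)
      else hit = (pat == "*" || pat == oif)
      if (hit) { print $3; exit }
    }'
}

# Placeholders (override via the environment); none of these come from the thread.
QUBE_IP="${QUBE_IP:-10.137.2.10}"        # the app qube's address, as shown by qvm-ls
CAST_IP="${CAST_IP:-192.168.1.50}"       # the Chromecast's LAN address
DOWN_IF="${DOWN_IF:-vif+}"               # qube-facing interfaces in the firewall VM
UP_IF="${UP_IF:-eth0}"                   # upstream interface toward the LAN
HIGH_PORTS="${HIGH_PORTS:-32768:65535}"  # assumed meaning of "high ports"
SSDP_GROUP="239.255.255.250"             # SSDP multicast group (standard value, not from the thread)

# Outbound rules, in the order of unman's checklist. Printed, not executed.
chromecast_outbound_rules() {
  cat <<EOF
iptables -I FORWARD -i $DOWN_IF -s $QUBE_IP -d $CAST_IP -p udp --dport $HIGH_PORTS -j ACCEPT
iptables -I FORWARD -i $DOWN_IF -s $QUBE_IP -d $CAST_IP -p tcp --dport 8008:8009 -j ACCEPT
iptables -I FORWARD -i $DOWN_IF -s $QUBE_IP -d $SSDP_GROUP -p udp --dport 1900 -j ACCEPT
EOF
}

# Inbound: the Chromecast's high-port UDP traffic must be DNATed to the qube and
# then allowed through FORWARD. This is the "route inbound traffic to a qube" step;
# in a sys-net -> sys-firewall -> qube chain, each hop DNATs to the next hop's address.
chromecast_inbound_rules() {
  cat <<EOF
iptables -t nat -I PREROUTING -i $UP_IF -s $CAST_IP -p udp --dport $HIGH_PORTS -j DNAT --to-destination $QUBE_IP
iptables -I FORWARD -i $UP_IF -s $CAST_IP -d $QUBE_IP -p udp --dport $HIGH_PORTS -j ACCEPT
EOF
}

# Stand-alone run: show what the sample listing does to two kinds of packet, then the rules.
if [ "${1:-}" = "--show" ]; then
  printf 'to a qube (vif3.0): %s\n' "$(printf '%s\n' "$SAMPLE_NAT_LISTING" | postrouting_target_for vif3.0)"
  printf 'to the LAN (eth0):  %s\n' "$(printf '%s\n' "$SAMPLE_NAT_LISTING" | postrouting_target_for eth0)"
  chromecast_outbound_rules
  chromecast_inbound_rules
fi
```

Run it with `--show` to see the listing check (a packet bound for a vif interface hits ACCEPT, one bound for eth0 hits MASQUERADE) followed by the rule commands. To inspect a live firewall VM instead of the sample, pipe `sudo iptables -L -nv -t nat` into `postrouting_target_for`. Note that Qubes regenerates its firewall rules from the qvm-firewall policy, so rules inserted by hand this way are for testing and can be overwritten; pairing them with `-j LOG` rules, as unman suggests, shows which hop drops the traffic.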