better solution to configure firewall rules?


Sven Semmler

Jun 22, 2020, 5:38:20 PM
to qubes...@googlegroups.com

Hi,

I find myself manually entering the IP ranges from
https://api.github.com/meta into the firewall rules of my 'dev' qube.
Obviously this is tedious.

Is there a better way for me to import the ranges from
https://api.github.com/meta or any other such configuration and import
them into a qube's firewall rules?

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

verifia...@86.is

Jun 22, 2020, 10:19:15 PM
to qubes...@googlegroups.com
On 2020-06-22 16:37, Sven Semmler wrote:
>
> Is there a better way for me to import the ranges from
> https://api.github.com/meta or any other such configuration and import
> them into a qube's firewall rules?
>

You can add firewall rules from Dom0. I've got a one-liner that will
read IPs from a file and add them to the firewall of an AppVM.

WARNING, once you edit the firewall rules "manually" from within Dom0,
you can no longer edit them from within the GUI. So, I recommend making
a copy of your AppVM to test with before running it for real.

The script:

# Run in dom0.
cat ips.txt | while read -r line; do qvm-firewall appvm-name add --before 0 accept dsthost="$line"; done

Where:
ips.txt is a text file containing a list of IP addresses, one per line.
appvm-name is the name of the AppVM you want to add the rules to.

Note that this script will add each IP "before 0" (meaning, at the top
of the rule list). Also note that this is set to "accept" connections
from all of the IPs. If either of these things is not what you want,
you'll need to edit it accordingly.

Sven Semmler

Jun 22, 2020, 10:30:34 PM
to qubes...@googlegroups.com

On 6/22/20 9:19 PM, verifia...@86.is wrote:
> cat ips.txt | while read line; do qvm-firewall appvm-name add
> --before 0 accept dsthost=$line; done

Thank you! I'll look into qvm-firewall and then write a little script
to parse the downloaded file and fire off the respective calls.

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
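
One way to write the parsing script discussed in this thread, as an added example that is not code from any poster: it validates the CIDR entries in a saved copy of the https://api.github.com/meta response, collapses overlapping ranges, and prints the qvm-firewall calls in the form shown above for review before they are run in dom0. The function names, the `git`/`web` key selection, the `dev` qube name, the IPv4-only default and the sample data (constructed, documentation-only ranges) are assumptions.

```python
import ipaddress
import json
import shlex

# Constructed sample in the shape of https://api.github.com/meta
# (documentation-only ranges, not GitHub's real ones).
SAMPLE_META = json.dumps({
    "verifiable_password_authentication": False,
    "git": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.7/32"],
    "web": ["192.0.2.0/24", "2001:db8::/32"],
    "hooks": ["203.0.113.0/24", "not-an-address; reboot"],
})


def github_networks(meta_json, keys=("git", "web"), ipv6=False):
    """Return validated, de-duplicated, collapsed networks listed under keys."""
    meta = json.loads(meta_json)
    nets = []
    for key in keys:
        entries = meta.get(key)
        if not isinstance(entries, list):
            raise ValueError("{!r} is not a list of CIDR strings".format(key))
        for entry in entries:
            if not isinstance(entry, str):
                raise ValueError("non-string entry under {!r}".format(key))
            # ip_network() raises ValueError for anything that is not a
            # well-formed CIDR, so nothing else reaches the command line.
            net = ipaddress.ip_network(entry)
            if net.version == 4 or ipv6:
                nets.append(net)
    collapsed = []
    for version in (4, 6):  # collapse_addresses() rejects mixed versions
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed


def firewall_commands(vm_name, networks):
    """Build one qvm-firewall argv per network, in the form used in the thread."""
    return [
        ["qvm-firewall", vm_name, "add", "--before", "0", "accept", "dsthost={}".format(net)]
        for net in networks
    ]


if __name__ == "__main__":
    # Print the commands for review rather than executing them.
    for argv in firewall_commands("dev", github_networks(SAMPLE_META)):
        print(" ".join(shlex.quote(arg) for arg in argv))
```

Collapsing the ranges keeps the rule list short, and a missing key or malformed entry stops the run with a ValueError instead of producing a partial rule set.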