Logging Drop Packets

[cmsc...@gmail.com]

I'm trying to setup an appvm like this:

appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

I want to tighten the firewall rules and do a deny policy. How can I get a log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've tried a few different iptables commands but I haven't really had any success.

Thanks in advance.

[unman]

Depends whether you have a "DROP" policy set or a final rule that says
"-j DROP"
In iptables, have a rule immediately BEFORE that rule( so if policy,
have it as last rule, otherwise, penultimate).
iptables -j LOG --log-prefix "DROP "
You can put this in any firewall chain.

You could make it more complex by creating a log/drop chain and
breaking down the descriptors, but I doubt that is necessary in this
case.

If you are using nftables, (check in your sys-firewall), then you can
get the same effect by adding to your DROP statement. You don't need a
separate rule for this.

HTH

unman

[Zrubi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

unfortunately, the Qubes firewall do not support any kind of custom
rules, including logging.

Moreover it is using a mixed set of iptables and nftables which makes
it much more complicated.


I had a proposal about this exact issue before, by extending the
action with the log type of rules, but as I do not have time to check
and/or implement it, I guess it is just dropped.

Now if you want this feature, you have to replace the whole default
firewall set, which is not trivial.

- --
Zrubi
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlyCvXsACgkQVjGlenYH
FQ0wmA/+MIoylSBSYbkrztGdPdJTlCGN83cnE9+xnuv/oE3dPXai0r7jKSVCxqq+
bZqLXVFh32O/hBZQKlpV3dGmU9q1ZPYys/S6NZl2WW1pGQ/+zdrrC1wHSQtVIoB7
AuuFpIU088QFvY6J0Vw8QlQWMKgx26/PlP0i6qHIZR8Vc7SwpUqcMcrv36E5DGwA
YZ59Cq9i2IsUgiirPzCtmz5jL7OsQqcOS5cGKqtFhfu5YqYQMhnED98EvlaAqP9l
HD23klqSWWpDyJsQ9TY1NvdEENwf6hwKGV3J2T0tRdVCvOXjrcfgbp+KCCc7WAGL
mXkBSv6TjRPJiAwI4kpn5fCj2Z+j8FQjGaDNoTUBFoOp9a1MJs9XBc5m9qAxIv3S
ua2HxTCnwlH8twHE66bdBtCX+Izd+MJbFwrBuVll7f/G8gF2crVrj/ipu2vd4/0v
wc7qKjoIQ1YayKgB4J9iRr3XNNKgJ9XF7TYPFFodYaPXUNYtxRzrU/H+02yIdyoJ
ZZ3MPc6hC2cC8eXmx9ke3zXaXnSifh8l6r6vCk60eW5nCf1TxE1mwYH1cZaKPIhO
SvuTf3RCcFB5PIVbyPuRjjcaKUgFZco634GlZj1bbOIbLeXtqe2FfcjLUUajoXMh
7iLtJxvn9nv2mxBxv6xHT2lOMyVbTbxMt+7pkXti8jMguxUMB0I=
=WqkH
-----END PGP SIGNATURE-----

[unman]

On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 3/8/19 3:28 PM, cmsc...@gmail.com wrote:
> > I'm trying to setup an appvm like this:
> >
> > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
> >
> > I want to tighten the firewall rules and do a deny policy. How can
> > I get a log of dropped firewall packet logs from appvm_firewall or
> > vpn_firewall? I've tried a few different iptables commands but I
> > haven't really had any success.
>
> unfortunately, the Qubes firewall do not support any kind of custom
> rules, including logging.
>
> Moreover it is using a mixed set of iptables and nftables which makes
> it much more complicated.
>
>
> I had a proposal about this exact issue before, by extending the
> action with the log type of rules, but as I do not have time to check
> and/or implement it, I guess it is just dropped.
>
> Now if you want this feature, you have to replace the whole default
> firewall set, which is not trivial.
>
> - --
> Zrubi

Why do you say this? It's far from my experience.

If you use a minimal Debian template for firewall, then there are only
iptables rules. It's trivial in that case to add logging. You can also
implement this by use of appropriate scripts in rc.local and /rw/config
if you want logging from the start.

Where the firewall is implemented using a nftables qubes-firewall, then
its even easier to add logging by prepending the instruction as needed in
reject rules. You can do this easily for test logging, (which is what
cmschube wants), by adding the rule manually, but it's also possible to
script it to add logging as new chains are added.

I find the Qubes firewall very customisable, and relatively easy to
manipulate as needed. Let's see if we can get a working solution that OP
can use.

[cooloutac]

I use to log everything in linux with iptables. outoing and incoming. Alot of linux users to say that practice uses too much hdd or space, which was simply not true when limiting rates. Then I would use programs to parse it and eyeball it myself.

But in Qubes its just not possible. Those scripts will only log some things not everything, and even then its too complicated. Was one of the biggest gripes I had when first using Qubes. I want to know what every connection is doing at all times.

ITL believes that you would never really find an attacker by doing these things, but I've begged to differ. But I do agree you definitely won't be stopping one.

[cooloutac]

Als with so many vms in Qubes its just not practical.
Maybe something in this thread will help you. I gave up myself.
https://groups.google.com/forum/#!msg/qubes-users/RsptaCZLDnc/NqZegFafKQAJ;context-place=topic/qubes-users/MUIxSRy-jbc

[David Hobach]

On 3/9/19 2:58 AM, unman wrote:
> On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On 3/8/19 3:28 PM, cmsc...@gmail.com wrote:
>>> I'm trying to setup an appvm like this:
>>>
>>> appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
>>>
>>> I want to tighten the firewall rules and do a deny policy. How can
>>> I get a log of dropped firewall packet logs from appvm_firewall or
>>> vpn_firewall? I've tried a few different iptables commands but I
>>> haven't really had any success.

From my point of view the "Qubes way" of doing this would be something like
appvm -> logging VM -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

You can accomplish this in a rather straightforward way by using a proxy
VM with your preferred logging mechanism (sflow, iptables, tcpdump, some
IDS, ...). Alo see [1], "Network service qubes".

For iptables you'd require at least one rule in that proxy VM which
enables logging. It should be stored inside /rw/config/rc.local [1].

If you're looking for drops only, this is somewhat more complicated
because with the above, you'd just log everything.
You can however do filtering or log only ICMP replies (Qubes will send
an ICMP reply on rejected packages) and/or TCP handshakes that weren't
completed.

Of course you can also go with the other proposal by unman and modify
the Qubes firewall inside appvm_firewall. This however has the various
drawbacks mentioned inside [1], "Network service qubes". Mistakes there
can be costly even if the modification is rather easy for advanced users.

[1] https://www.qubes-os.org/doc/firewall/

[unman]

I don't think this would be "a rather straightforward way".
The reason is, of course, that using a proxyVM, would mean that packets
would be masqueraded when they reach appvm_firewall, so that appropriate
rules would not be set. Also, of course, the native Qubes firewall
structure would not apply.
I'm not saying that such a set-up could not be effected, but it would
not be straightforward and would require manual setting of forwarding
*and* firewall rules.
On balance, I continue to think that it would be easier to place logging
rules in the appvm_firewall and vpn_firewall.
If op comes back and provides details of what rules they have, and what
they want to test, we could make some progress.

[cmsc...@gmail.com]

Hi All -

I think I got what I needed on my own. It just took a bit more reading about the Qubes Firewall to figure out where to put the logging line. I was really just looking to monitor outgoing traffic to see what rules I needed to add to allow.

I do have one other question though.. Where are the rules that get added in the Qubes-GUI added and/or how does qvm-firewall <vm_name> fit into the equation? I can add rules into the qubes-gui, but I can't see to find the rules anywhere?

Thanks in advance.

Btw, thanks for the xenial install, unman..

[unman]

When you set rules in the GUI, or using qvm-firewall, the rules are set
in the proxyVM next hop up, i.e. the netvm for the qube for which you
are setting firewall rules.
The rules will be set as iptables OR as nftables, depending on what is
available in the proxyVM.

You can see them using 'iptables -L -nv', or, if you have nftables,
'nft list table qubes-firewall'.

If you have any comments on the xenial template, please pass them on.

unman

[Laszlo Zrubecz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 3/9/19 2:58 AM, unman wrote:

> Why do you say this? It's far from my experience.
>
> If you use a minimal Debian template for firewall, then there are
> only iptables rules. It's trivial in that case to add logging. You
> can also implement this by use of appropriate scripts in rc.local
> and /rw/config if you want logging from the start.

Well, these are the hardcoded rules used by Qubes:

> Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target
> prot opt in out source destination 2160K
> 1969M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> ctstate RELATED,ESTABLISHED 28727 2456K QBS-FORWARD all -- *
> * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all --
> vif+ vif+ 0.0.0.0/0 0.0.0.0/0 28727 2456K ACCEPT all --
> vif+ * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- *
> * 0.0.0.0/0 0.0.0.0/0

As the logging in iptables is implemented as a separate jump target,
and you can only have one jump target in a rule, so if you want to
log something, you have to create 2 similar rules with the same
filters, but with different actions, as you need to place the logging
rule first, then your desired action just after the logging rule. right?

However iptables rules can be easily added only in front of the
current rules, or after all the existing rules. If you want to add
something in between, you have to calculate the rule numbers - which
is far from trivial.

So one option is to replace the whole ruleset by your own, however you
have to be compatible with the qubes solution otherwise you loose the
default features.

Or you have to parse the qubes generated rules, and insert the logging
ones as you need.


"log everything" is just simply not implemented in iptables, because
to get meaningful logs, you need to use the log-prefix to see if the
logged packet going to be dropped/accepted/rejected in the next rule.

logging just the default drops at the end of the FORWARD chain, might
be easier, as you just have to modify the hardcoded default ruleset.

> I find the Qubes firewall very customisable, and relatively easy to
> manipulate as needed.

Well, I wouldn't call it customisable, as you have to choose between
the very basic features of the qubes provided firewall implementation,
OR you need to create your custom solution.


Not to mention the "always there" style of the DNS NAT, and the ICMP
traffic...


By using nftables it would be a lot easier. The main confusion if
booth are in place, which is a not recommended way. And you most
likely have to place rules using booth framework... So I really not
sure why would we need both?

- --
Laszlo Zrubecz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmAe1Y2qfQjTIsHwdVjGlenYHFQ0FAlyF/+EACgkQVjGlenYH
FQ1ULw//Wn495vvTHegT9QK5B79MepEHA1TAPQIIZEKsU51uMckKv599eXCoShWu
G7rX1Ih25xwukE7tYYxvAdwUOnyOfTWSCBHxZLUGMAbOP8gC3q+2B6r/zO9UfQcC
Kr3T6dTPS5JyVw75iPWlCXVgZU8fC6nYqGzdq17EBXlSEzWij11wDawvKiO9XFbt
YwsGgSYPxidMVlvnxztTf3SsQRCspOMXtm6mpTHWIyHzXlt1JE+x1EgpJoBS7zz0
lawxv8FcJMtBImaM4RMsVYF5tKEqeLGPqCwhdiB8YIkJNnufHypVw3oU8QSz/dge
/q1B/R1ehvEcqEuIgFuO4Kk24nOr+BbSeg+cVa+3v95r+lPzUc+YdamNEZswXoSp
CohnGaT4zY9zntBoOFPmJdSDniGCJ7rormZoNlVSj+0lRoywAHAkkJg4vBAm52O7
Tt77R+WpicVoEREqAKkOEN0LXBv4rGTRRGQA+zLBz+y9VgmqjKOp1SYTKMZmJNg9
zoXpzEMVBTR4s9oGyidFCuJUWFIbkg0HnqppOeljoyc7FHzWGa+ERmWwABefJZpr
hzHFf/2fVM9bs2vH8e4YMZMWpS2/CUrC/XQe+ClfcchXwcdEmTGMC1bwkjOrboj0
N7EF+JHJQDUdbcKQj30a2Wx8uEH2rVeCLhJtpLZVB6ORatbum5M=
=JMQb
-----END PGP SIGNATURE-----