Possible to add second interface to sys-firewall?


Ed

Oct 6, 2017, 10:30:24 AM10/6/17
to qubes...@googlegroups.com
What I would like to do is add a second IP to both sys-firewall and
sys-net so that I can NAT traffic from one of my VMs in/out through
these IPs. So what I end up with is two IPs on sys-net, one handling
all the traffic for most of my VMs, the other handling traffic for one
specific VM. This way I can do additional firewall restrictions on this
VM in my networks.

If I manually add the IP addresses to sys-net and sys-firewall, manually
add the destination NAT and source NAT rules to both as well, then
manually add a route in sys-net, and also force another rule into the
iptables raw table on sys-net (to override a rule added by
/etc/xen/scripts/vif-route-qubes which restricts all incoming traffic
from sys-firewall to the IP assigned by Qubes to the default interface),
then I'm able to make this work.

However, this is very finicky and totally unscriptable in this
configuration, and I'd really like this to be something auto configured
on boot.

I've looked and looked and don't see where I can add a second interface
definition to any config files. If I manually edit the Xen
sys-firewall.conf file it just gets overwritten by Qubes. I can do all
the iptables rules I need in the /rw/config scripts, but what I really
need is for sys-firewall to add another virtual interface for me.

I tried running: sudo xl network-attach sys-firewall
script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net
This will add the interface and set up sys-net with the correct routes
and rules. HOWEVER, the interface that it adds to sys-firewall has the
same IP as the existing interface, which breaks all the traffic going out
of sys-firewall.

Has anyone ever had any success doing something like this?

Any suggestions out there?

Thanks,
Ed
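As an added example (not part of Ed's post and not one of Qubes' own scripts): the manual sequence Ed describes, written as a script that either prints or applies the commands on each side. The sys-firewall half adds the second address to its uplink and the DNAT/SNAT pair for one client VM; the sys-net half adds the LAN address, the route to the second address via the vif, the ACCEPT in the raw table that has to sit ahead of the anti-spoofing DROP installed by vif-route-qubes, and the NAT rules toward the LAN. The interface names (eth0, ens6, vif2.0), the client VM's address, the LAN address and the exact form of the vif-route-qubes DROP rule are assumptions; only 10.150.10.10 comes from the thread.

```shell
#!/bin/sh
# Added example for this thread (not Qubes' own code, not Ed's script).
# It writes out the commands Ed describes for giving sys-firewall a second
# uplink address and NATing one client VM through it, so they can be
# reviewed with "show" or run with "apply" from /rw/config/rc.local.
# Every interface name and address below is an ASSUMPTION; set them via
# the environment to match "ip addr" in your sys-net and sys-firewall.

FW_UPLINK="${FW_UPLINK:-eth0}"            # sys-firewall's interface toward sys-net
FW_SECOND="${FW_SECOND:-10.150.10.10}"    # extra IP for sys-firewall (Ed's value)
CLIENT_IP="${CLIENT_IP:-10.137.2.20}"     # the special VM's Qubes-assigned IP (assumed)
NET_NIC="${NET_NIC:-ens6}"                # sys-net's physical NIC (assumed)
NET_VIF="${NET_VIF:-vif2.0}"              # sys-net's vif toward sys-firewall (assumed)
NET_SECOND="${NET_SECOND:-192.168.1.51}"  # extra LAN IP for sys-net (assumed)
NET_PREFIX="${NET_PREFIX:-24}"            # LAN prefix length (assumed)

# Commands for sys-firewall. "-I" puts the SNAT ahead of the MASQUERADE rule
# Qubes installs, so only CLIENT_IP's traffic leaves from FW_SECOND.
sys_firewall_rules() {
  cat <<EOF
ip addr add ${FW_SECOND}/32 dev ${FW_UPLINK}
iptables -t nat -I PREROUTING -i ${FW_UPLINK} -d ${FW_SECOND} -j DNAT --to-destination ${CLIENT_IP}
iptables -t nat -I POSTROUTING -o ${FW_UPLINK} -s ${CLIENT_IP} -j SNAT --to-source ${FW_SECOND}
iptables -I FORWARD -i ${FW_UPLINK} -d ${CLIENT_IP} -j ACCEPT
EOF
}

# Commands for sys-net. The raw-table ACCEPT is the rule Ed mentions: it must
# sit above the "! -s <qubes ip> -j DROP" anti-spoofing rule that (as assumed
# here) vif-route-qubes adds for the vif, or packets from FW_SECOND are dropped.
sys_net_rules() {
  cat <<EOF
ip addr add ${NET_SECOND}/${NET_PREFIX} dev ${NET_NIC}
ip route add ${FW_SECOND}/32 dev ${NET_VIF}
iptables -t raw -I PREROUTING -i ${NET_VIF} -s ${FW_SECOND} -j ACCEPT
iptables -t nat -I PREROUTING -i ${NET_NIC} -d ${NET_SECOND} -j DNAT --to-destination ${FW_SECOND}
iptables -t nat -I POSTROUTING -o ${NET_NIC} -s ${FW_SECOND} -j SNAT --to-source ${NET_SECOND}
iptables -I FORWARD -i ${NET_VIF} -s ${FW_SECOND} -j ACCEPT
iptables -I FORWARD -i ${NET_NIC} -d ${FW_SECOND} -j ACCEPT
EOF
}

# Run each emitted line (needs root); stops at the first command that fails.
apply_rules() {
  "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd" || exit 1
  done
}

# Map a side name to its rule generator; non-zero for anything else.
rules_for() {
  case "$1" in
    fw)  echo sys_firewall_rules ;;
    net) echo sys_net_rules ;;
    *)   return 1 ;;
  esac
}

# "sh nat-second-ip.sh fw apply" in sys-firewall's rc.local,
# "sh nat-second-ip.sh net apply" in sys-net; "show" only prints.
main() {
  fn=$(rules_for "$1") || { echo "usage: $0 {fw|net} {show|apply}" >&2; return 2; }
  case "$2" in
    show)  "$fn" ;;
    apply) apply_rules "$fn" ;;
    *)     echo "usage: $0 {fw|net} {show|apply}" >&2; return 2 ;;
  esac
}

[ "$#" -eq 0 ] || main "$@"
```

The sys-firewall side is safe to run from that VM's rc.local, since the address goes on its own interface. The sys-net side is where the "finicky" part lives: vif-route-qubes runs when sys-firewall's vif is attached, which is after sys-net's rc.local has finished, and it inserts its DROP at the head of raw PREROUTING, so the ACCEPT above must be (re)applied after that vif exists or it ends up below the DROP. Check with `iptables -t raw -L PREROUTING -n --line-numbers` in sys-net that the ACCEPT for 10.150.10.10 is listed before the DROP.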

Mike Keehan

Oct 6, 2017, 12:10:32 PM10/6/17
to qubes...@googlegroups.com
Wouldn't it be possible to add a second Firewall VM to be used solely
by your special single vm?

filtration

Oct 6, 2017, 12:14:57 PM10/6/17
to qubes...@googlegroups.com
Can you create another sys-net chain with the second interface? You
could keep things isolated without scripting. Assuming you are using
Qubes 3.2, the interface could be assigned to sys-net-2 via VM
Settings->Devices.

Ed

Oct 6, 2017, 12:17:41 PM10/6/17
to qubes...@googlegroups.com
On 10/06/2017 12:10 PM, Mike Keehan wrote:

>
> Wouldn't it be possible to add a second Firewall VM to be used solely
> by your special single vm?
>

Yes, I believe this would definitely work, and also should be automatic/reliable
across reboots, but I was really hoping to not give up 2-4GB of RAM just
for this purpose.

filtration

Oct 6, 2017, 12:20:18 PM10/6/17
to qubes...@googlegroups.com
Assuming you mean a physical interface.

Ed

Oct 6, 2017, 12:25:16 PM10/6/17
to qubes...@googlegroups.com
On 10/06/2017 12:14 PM, filtration wrote:

> Can you create another sys-net chain with the second interface? You
> could keep things isolated without scripting. Assuming you are using
> Qubes 3.2, the interface could be assigned to sys-net-2 via VM
> Settings->Devices.
>

Looks like you and Mike Keehan both had the same/similar idea.

I could add a second firewall vm and use the same sys-net (I don't think
I could use a different sys-net as easily because I want to use the same
pci network device, just attach another IP)

In fact this machine already has two NICs and two separate
sys-net/sys-firewall setups on it so I can route some VMs out entirely
separate physical interfaces.

But really I was hoping to accomplish this without adding the additional
memory overhead of another sys-firewall instance.

Mike Keehan

Oct 6, 2017, 3:14:28 PM10/6/17
to qubes...@googlegroups.com
I think you will find that the firewall VM runs OK in just 500MB, maybe
less. Search the mailing list for "vm memory" - there have been a number
of discussions about how much is actually used by the system VMs. (I
can't remember the details off hand, or I would give more info!)

It is worth knowing that although a VM is initially set up with a 4GB
memory allocation, it only uses what it needs. The rest is still
available to the other qubes etc.


Mike.

Ed

Oct 6, 2017, 3:41:44 PM10/6/17
to qubes...@googlegroups.com
You know, that's not a bad point. I never really looked into reducing
the memory allotment. I just know anecdotally on my systems the
firewall VMs use 2-3GB (when left with the default max of 4GB). I also
know they will run on less if I'm pushing a system out of memory, but I
never thought to just restrict them to less to start.

I'm not really strapped for memory on the machine I'm working with here
so it does look like adding an additional firewall VM would be the
easiest way to get what I want, it just seemed a tad wasteful to me, but
perfect is the enemy of good....

Appreciate the input!

Unman

Oct 6, 2017, 6:45:58 PM10/6/17
to Ed, qubes...@googlegroups.com
I standardly reduce memory on all system qubes to 300M with no ill
effects, and restrict most of my other qubes to 400M.
Compiling and number crunching I set high.

Ron Hunter-Duvar

Oct 7, 2017, 3:10:35 PM10/7/17
to qubes...@googlegroups.com
IMO, it's best to leave memory management to the OS until such time as a
definite problem is found (which would most likely show up as swapping,
which would cause massive performance problems).

I suspect you'd find if you looked closely at the VM that most of the
memory used is for caching. That's a good thing. No point having memory
sit unused and forcing it to keep downloading the same files. The moment
the cache is needed for something else, it'll be reallocated.

Ron