Qubes firewall dom0->VM interface


David Shleifman

Apr 16, 2017, 8:29:33 PM
to qubes...@googlegroups.com
On 01/14/2016 05:38 PM, Marek Marczykowski-Górecki wrote:
> Current proposal
> ================
. . .
> - convert the rules to iptables/whatever in ProxyVM


https://www.qubes-os.org/doc/firewall/#how-to-edit-rules
points out the known limitation:
- whenever one specifies a rule by DNS name, it is
resolved to IP(s) at the moment of applying the rules.

Please, add to this proposal:

- keep the original name; give user an ability to trigger
resolution of all names associated with a given VM Firewall.
This ability is supposed to reduce the hardship of the aforesaid
limitation.


Thanks,
- David

Chris Laprise

Apr 17, 2017, 12:01:30 AM
to David Shleifman, qubes...@googlegroups.com
A more usable variation of that may be to detect the presence of domain
names, and enable automatic/recurring name resolution.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Tray Torrance

Apr 19, 2017, 12:02:05 AM
to Chris Laprise, qubes-devel, David Shleifman
Note that by using dnsmasq's ipset support, workarounds to this limitation could be devised. I rely on this feature for a specific proxy VM, but today I manually update the dnsmasq config if I need to add more domains. Perhaps salt could be used to glue the dom0 mechanism to the proxy's dnsmasq config?
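The dnsmasq ipset workaround described above, and the "detect the presence of domain names" step Chris suggests, as an added example (not Qubes code, not Tray's configuration): a small generator that reads a VM firewall rule list, keeps IP/CIDR rules as plain iptables rules, and turns every rule that names a host into a `dnsmasq` `ipset=` directive plus an iptables `-m set --match-set` rule. dnsmasq then refills the set with whatever the name resolves to on each lookup the VM makes, so the firewall follows DNS changes without anyone re-applying the rules. The key=value rule syntax, the `FORWARD` chain, the `qfw-` set-name prefix and the sample rules are assumptions for illustration; the exact qvm-firewall format is not quoted on this page.

```python
#!/usr/bin/env python3
"""Added example: firewall rule list -> dnsmasq ipset= directives plus
ipset/iptables rules. Not Qubes code; the rule syntax below is a simplified
key=value form assumed for illustration."""

import hashlib
import ipaddress
import re

# Constructed sample rules (assumed syntax, not the exact qvm-firewall format).
SAMPLE_RULES = [
    "action=accept dsthost=10.137.0.5 proto=tcp dstports=22",
    "action=accept dsthost=192.168.1.0/24 proto=udp dstports=53",
    "action=accept dsthost=updates.example.org proto=tcp dstports=443",
    "action=accept dsthost=mirror.example.net proto=tcp dstports=80-443",
    "action=drop",
]

# RFC 1123 label syntax; at least two labels, so a bare "localhost" is not a DNS rule here.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_TARGETS = {"accept": "ACCEPT", "drop": "DROP"}


def parse_rule(line):
    """'k=v k=v' -> dict. A bare 'action=drop' is the trailing default rule."""
    rule = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in rule {line!r}")
        rule[key] = value
    if rule.get("action") not in _TARGETS:
        raise ValueError(f"rule without a known action: {line!r}")
    return rule


def is_ip_literal(host):
    """True for a v4/v6 address or CIDR block (the case the current firewall handles)."""
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        return False


def is_dns_name(host):
    return not is_ip_literal(host) and bool(_HOSTNAME_RE.match(host))


def ipset_name(host):
    """Stable set name under the kernel's 31-character ipset name limit (qfw- prefix assumed)."""
    return "qfw-" + hashlib.sha256(host.lower().encode()).hexdigest()[:12]


def port_match(rule):
    """dstports=80-443 -> ' --dport 80:443'; empty when the rule has no port."""
    ports = rule.get("dstports")
    return f" --dport {ports.replace('-', ':')}" if ports else ""


def dns_names(rule_lines):
    """Chris's check: which rules carry a DNS name at all. Empty means plain rules suffice."""
    names = []
    for line in rule_lines:
        host = parse_rule(line).get("dsthost")
        if host and is_dns_name(host):
            names.append(host)
    return names


def build(rule_lines, chain="FORWARD"):
    """Return {'dnsmasq': [...], 'ipset': [...], 'iptables': [...]} for the rule list."""
    dnsmasq, ipsets, iptables, seen = [], [], [], set()
    for line in rule_lines:
        rule = parse_rule(line)
        target = _TARGETS[rule["action"]]
        host = rule.get("dsthost")
        proto = f" -p {rule['proto']}" if "proto" in rule else ""
        if host is None:
            iptables.append(f"iptables -A {chain} -j {target}")
        elif is_ip_literal(host):
            iptables.append(f"iptables -A {chain}{proto} -d {host}{port_match(rule)} -j {target}")
        elif is_dns_name(host):
            name = ipset_name(host)
            if name not in seen:  # one set per name, even if several rules reference it
                seen.add(name)
                # hash:ip defaults to IPv4; AAAA answers would need a second 'family inet6' set.
                ipsets.append(f"ipset -exist create {name} hash:ip")
                # dnsmasq adds every A record it hands out for this name (and subdomains) to the set.
                dnsmasq.append(f"ipset=/{host}/{name}")
            iptables.append(f"iptables -A {chain}{proto} -m set --match-set {name} dst{port_match(rule)} -j {target}")
        else:
            raise ValueError(f"dsthost {host!r} is neither an IP/CIDR nor a hostname")
    return {"dnsmasq": dnsmasq, "ipset": ipsets, "iptables": iptables}


if __name__ == "__main__":
    for section, lines in build(SAMPLE_RULES).items():
        print(f"# {section}")
        print("\n".join(lines))
```

Two properties of this arrangement are worth keeping in mind. The set is empty until the VM actually resolves the name through this dnsmasq, so a rule matches nothing before the first lookup and only tracks answers dnsmasq itself served; and the firewall now admits whatever addresses the resolver returns, which moves part of the policy decision into DNS.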


Achim Patzner

May 23, 2017, 3:34:28 PM
to qubes...@googlegroups.com
On 17.04.2017 at 06:01, Chris Laprise wrote:

> On 04/16/2017 08:29 PM, 'David Shleifman' via qubes-devel wrote:
>> - keep the original name; give user an ability to trigger
>> resolution of all names associated with a given VM Firewall.
> A more usable variation of that may be to detect the presence of
> domain names, and enable automatic/recurring name resolution.

Both (but the last one especially) offer you unique and ingenious ways
of shooting yourself in both feet. There was an extensive discussion on
that somewhere on the FreeBSD mailing lists about 16 years ago (having
to do with source-based routing and split-horizon zones where resolution
of names depended on firewall and packet forwarding rule state).

Even without that a vulnerability in your name server might lead to
interesting results. Using symbolic names which are not just local macro
expansions should be discouraged.


Achim