traffic with firewall VM private address leaving Qubes?


Robert William Fuller

Jun 2, 2013, 7:17:52 PM6/2/13
to qubes...@googlegroups.com
I was looking at the logs for my external firewall appliance (pfSense)
and I found some traffic blocked on its LAN interface. The blocked
traffic has a source address of the Qubes firewall VM, 10.137.1.5.
Naturally, my firewall rules block (and log) traffic from the LAN subnet
that does not have a LAN subnet address. Traffic ought not to make it
onto the wire with an untranslated firewall VM address. Anybody else
see this?

Lest you think I am insane--I questioned my own sanity when I saw
this--I have attached a screenshot of the firewall log.

Rob
snapshot.png

Marek Marczykowski

Jun 3, 2013, 7:32:47 AM6/3/13
to Robert William Fuller, qubes...@googlegroups.com
Looks like a missing MASQUERADE rule in the netvm iptables. This rule is statically
added at netvm startup and shouldn't be removed at any time...
Does the time of such connections correspond with some network event (like a
reconnect in NetworkManager or system startup)?

--
Best Regards,
Marek Marczykowski
Invisible Things Lab


Zrubecz Laszlo

Jun 3, 2013, 8:06:59 AM6/3/13
to qubes...@googlegroups.com
On 3 June 2013 13:32, Marek Marczykowski
<marm...@invisiblethingslab.com> wrote:

> Looks like missing MASQUERADE rule in netvm iptables.

Yes, this should be the reason. I have had this problem before, but
wasn't able to reproduce it...
Then this problem did not occur for a long time and I just forgot about it...


You can check it inside your net/firewall vm:

WiFi:~/ $ sudo iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target          prot opt source               destination
PR-QBS          all  --  0.0.0.0/0            0.0.0.0/0
PR-QBS-SERVICES all  --  0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT)
target          prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target          prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target          prot opt source               destination
ACCEPT          all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT          all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE      all  --  0.0.0.0/0            0.0.0.0/0
^^^^^^^^^^^^^^^^^^^^^


--
Zrubi
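The check Zrubi describes can be scripted so it is unambiguous which chain the MASQUERADE target sits in. The following is an added example, not code from the thread or from the Qubes project: it parses `iptables -t nat -L -n` style output and reports whether the POSTROUTING chain still carries a MASQUERADE rule, which is the rule Marek identified as missing when untranslated 10.137.x.x addresses reach the wire. The two listings embedded below are constructed samples (one healthy, one with the rule gone); the live invocation is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the nat POSTROUTING chain
# contains a MASQUERADE target. Without it, packets leave the netvm with the
# internal firewall VM source address instead of the NetVM's uplink address.

# has_masquerade reads "iptables -t nat -L -n" output on stdin.
# Returns 0 if a MASQUERADE target exists in POSTROUTING, 1 otherwise.
# It tracks the current chain so a MASQUERADE line in another chain
# (which would be wrong anyway) does not count.
has_masquerade() {
    awk '
        /^Chain / { chain = $2 }
        chain == "POSTROUTING" && $1 == "MASQUERADE" { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample mirroring a healthy listing.
SAMPLE_OK='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PR-QBS     all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the broken state: POSTROUTING has lost its
# MASQUERADE rule (a stray MASQUERADE in PREROUTING must not mask that).
SAMPLE_BROKEN='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# check_nat_state takes a listing as its argument and prints "ok" or "missing".
check_nat_state() {
    if printf '%s\n' "$1" | has_masquerade; then
        echo ok
    else
        echo missing
    fi
}

# Live use inside a Qubes net/firewall VM would be (assumption: root via sudo):
#   sudo iptables -t nat -L -n | has_masquerade \
#       || echo "MASQUERADE rule missing from nat POSTROUTING"
```

Running the live form after a resume from sleep or a NetworkManager reconnect, the events Marek asks about, is the quickest way to confirm whether the rule disappears at those moments rather than guessing from the external firewall's log.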

Robert William Fuller

Jun 3, 2013, 11:32:06 AM6/3/13
to qubes...@googlegroups.com
I suspect it might correspond with resume from sleep, but I cannot test
it at this moment.

Rob
