| Qubes VM Manager Firewall tab settings design | Patrick Schleizer | 25/09/15 08:00 | Hi,
do we have documentation on the things that usually technically happen when switching Qubes VM Manager Firewall tab settings? Background: I am trying to find out how bad it would be if these settings are enabled for Whonix VMs, or if they matter at all. Cheers, Patrick |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Marek Marczykowski-Górecki | 25/09/15 08:20 | All those settings are in a separate file, firewall.xml, in the VM directory. If the VM is running, those settings are converted to iptables syntax and loaded into the QubesDB of the directly connected ProxyVM. The `qubes-firewall` service in the ProxyVM watches for such changes and applies the rules.
There is one side effect: enabling access to the "updates proxy" automatically turns on the `yum-proxy-setup` service (hmm, this should be renamed to `updates-proxy-setup`) to have the VM configured to actually use the proxy.
Since the `qubes-firewall` service is disabled in Whonix Gw (it is, right?), nothing will happen.
-- Best Regards, Marek Marczykowski-Górecki, Invisible Things Lab
A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Patrick Schleizer | 25/09/15 09:47 | Marek Marczykowski-Górecki:
> On Fri, Sep 25, 2015 at 03:00:45PM +0000, Patrick Schleizer wrote:
>> Background: I am trying to find out on how bad it would be if these
Right. While we're at it: https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-firewall.service uses:
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service
That allows using a) "sudo service qubes-whonix-firewall ..." as well as b) "sudo service qubes-firewall ...". I am wondering whether 'Alias=' is the right mechanism, or whether a systemd drop-in would be more appropriate and secure [wrt further systemd updates]. One couldn't use b) anymore, but is that a problem? Cheers, Patrick |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Marek Marczykowski-Górecki | 25/09/15 10:03 | On Fri, Sep 25, 2015 at 04:47:07PM +0000, Patrick Schleizer wrote:
I don't think that the alias here is a good one. The `qubes-firewall` service has a totally different purpose than `qubes-whonix-firewall` (setting the firewall according to VM settings vs. loading static firewall rules and blocking all access if something has gone wrong). A drop-in for disabling qubes-firewall would be better. And some preset for `qubes-whonix-firewall.service`. |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Patrick Schleizer | 25/09/15 10:36 | Marek Marczykowski-Górecki:
> On Fri, Sep 25, 2015 at 04:47:07PM +0000, Patrick Schleizer wrote:
Agreed. Using a drop-in now. https://github.com/Whonix/qubes-whonix/commit/ce953a964bf7c3a9038aef5371cf0d672d28af9a (drop-in, not preseed, because Debian officially does not make use of them yet, so I trust the drop-ins more.)
There is another similar case, the last one in the qubes-whonix package using 'Alias=': https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-network.service Maybe it should also be replaced? For one, for consistency. Also because 'Alias=' seems like a hack and not the right mechanism for that. What do you think? Cheers, Patrick |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Marek Marczykowski-Górecki | 25/09/15 10:58 | So, you need to ensure that the service is enabled at some point. Does the debhelper automatic script handle that? In this case the service really is an override of the original qubes-network.service, with the same functionality. So I'm not sure in this case. Having Alias= means that all the dependencies would still work (After=qubes-network.service in other services, for example). |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Patrick Schleizer | 25/09/15 11:09 | So from https://www.whonix.org/wiki/Qubes/Create_Workstation_AppVMs and
https://www.whonix.org/wiki/Qubes/Create_Gateway_ProxyVMs the part "2. Edit ... Firewall Rules" can be removed. Undoubtedly some people will ask what settings they should set in the Qubes VM Manager Firewall tab, or why changing these settings is no longer recommended. Therefore, the technical background is now documented on the Qubes-Whonix Dev page: https://www.whonix.org/wiki/Dev/Qubes#Qubes_VM_Manger_Firewall_Tab_Settings Cheers, Patrick |
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Patrick Schleizer | 25/09/15 11:14 | From the POV of systemd / debhelper, qubes-whonix-firewall.service is just a
usual service. It will be enabled during the debhelper part of the qubes-whonix.postinst maintainer script. For users who update, qubes-firewall.service will still be disabled before / after they update. And after the update/reboot, the systemd drop-in will be active to prevent starting qubes-firewall.service. Cheers, Patrick |
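As an added illustration of the two mechanisms the thread contrasts (not files taken from the qubes-whonix repository), the fragments below show the `Alias=` form next to a drop-in that keeps the stock `qubes-firewall.service` from starting; the drop-in file name and the Whonix Gateway marker path are assumptions.

```ini
# Added example, not from the qubes-whonix repository.
#
# Mechanism A: Alias= in the Whonix unit (what the thread starts from).
# "systemctl enable" creates the extra symlink
#   /etc/systemd/system/qubes-firewall.service -> qubes-whonix-firewall.service
# so "service qubes-firewall ..." reaches this unit and other units that say
# After=qubes-firewall.service still order correctly. It does not touch the
# stock unit file, which can still be started under its own name if the
# alias symlink is ever removed (e.g. by a package update re-enabling it).
#
# /lib/systemd/system/qubes-whonix-firewall.service (excerpt)
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service

# Mechanism B: drop-in that disables the stock unit without editing it.
# A drop-in adds or overrides directives of qubes-firewall.service; the unit
# file shipped by Qubes stays untouched, so a package update cannot silently
# undo the customisation. The directory name is fixed by systemd; the file
# name and the marker path below are assumptions for this example.
#
# /lib/systemd/system/qubes-firewall.service.d/30_qubes-whonix.conf
[Unit]
# On a Whonix Gateway the marker file exists, so the condition is false and
# systemd skips the unit (inactive, not failed). Ordering via After=/Before=
# in other units is unaffected because the unit still exists.
ConditionPathExists=!/usr/share/anon-gw-base-files/gateway
```

After `systemctl daemon-reload`, `systemctl status qubes-firewall.service` reports the unmet condition rather than a failed start, which is the state the thread wants for Whonix Gw.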
| Re: [qubes-devel] Qubes VM Manager Firewall tab settings design | Marek Marczykowski-Górecki | 25/09/15 11:35 | On Fri, Sep 25, 2015 at 06:09:51PM +0000, Patrick Schleizer wrote:
Indeed. This was needed in R2, because new DispVMs inherited only firewall rules, but not the netvm setting. So without such blocking, DispVMs started from there would have access to clearnet (more precisely: the network used by DispVMs).
Maybe we should introduce some mechanism which will disable the firewall tab when it has no effect (= the used ProxyVM has no `qubes-firewall` service enabled). If we disable the `qubes-firewall` service using the Services tab in Whonix Gw (probably in addition to that drop-in), this could be detected by Qubes Manager. Perhaps worth doing it as part of the idea in the "Timezone and other deanonymizing data in QubesDB"[1] thread (service called from the template to configure template properties). Need some more thought on how to do this right.
[1] https://groups.google.com/d/msgid/qubes-devel/20150923202203.GY2791%40mail-itl |