| chaining proxyvms | john....@fake-box.com | 24/04/16 12:13 | hi. i was playing around with proxyvms and tried the following: i have a proxyvm A and set its firewall to an empty white-list (and adding network-manager to service). (a) if i set A's netvm to a whonix-gw and connect an appvm through it (app->A->tor->fw->net), i can connect to the internet (but everything should be blocked by the firewall settings). (b) if i set A's netvm to the firewallvm and connect an appvm through it (app->A->fw->net), i can't connect to the internet (as expected). (c) if i chain two whonix-gw (app->tor->tor->fw->net) and start a download, it seems the traffic is routed through both, as expected (arm shows the same traffic for both if i start a download). 1) is (a) an error? (i think so because it allows blocked connections) 2) is there a working way to use a proxyvm behind a different proxyvm? (e.g. app->vpn->tor->fw->net) -john |
| Re: [qubes-users] chaining proxyvms | Marek Marczykowski-Górecki | 24/04/16 13:21 | Firewall is enforced by a ProxyVM to which a VM is connected. In case of a), firewall settings of A would be enforced by whonix-gw. But whonix-gw doesn't support Qubes firewall settings. You can achieve what you want by setting those firewall rules on appvm itself - it will be correctly enforced by ProxyVM A. Yes, see above. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? |
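
The enforcement rule from the reply above, as an added example that is not part of the original thread and is not Qubes code: a small model that audits a netvm chain and reports which VM would have to enforce each VM's firewall rules. The VM names, the `enforces_qubes_fw` flag and the helper functions are constructed for illustration; the only facts taken from the thread are that rules are enforced by the VM one hop upstream and that whonix-gw does not apply Qubes firewall settings.

```python
# Simplified model of the rule described in the reply; not the Qubes API.
# All names and flags below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class VM:
    name: str
    netvm: Optional[str] = None      # upstream VM; None for the uplink
    has_rules: bool = False          # restrictive firewall rules set on this VM
    enforces_qubes_fw: bool = False  # applies Qubes firewall rules of downstream VMs


def audit(vms):
    """Return {vm: (enforcer, enforced)} for every VM that has rules set."""
    by_name = {vm.name: vm for vm in vms}
    report = {}
    for vm in vms:
        if not vm.has_rules:
            continue
        # A VM's rules are applied by the VM it is connected to, never by itself.
        enforcer = by_name.get(vm.netvm) if vm.netvm else None
        enforced = bool(enforcer and enforcer.enforces_qubes_fw)
        report[vm.name] = (vm.netvm, enforced)
    return report


def topology(a_netvm, rules_on):
    """Build app -> A -> a_netvm -> ... with rules set on the VM named rules_on."""
    return [
        VM("net"),
        VM("firewallvm", netvm="net", enforces_qubes_fw=True),
        VM("whonix-gw", netvm="firewallvm", enforces_qubes_fw=False),
        VM("A", netvm=a_netvm, has_rules=(rules_on == "A"), enforces_qubes_fw=True),
        VM("app", netvm="A", has_rules=(rules_on == "app")),
    ]


if __name__ == "__main__":
    cases = {
        "(a) rules on A, A behind whonix-gw": topology("whonix-gw", "A"),
        "(b) rules on A, A behind firewallvm": topology("firewallvm", "A"),
        "fix: rules on app, app behind A": topology("whonix-gw", "app"),
    }
    for label, vms in cases.items():
        for vm, (enforcer, ok) in audit(vms).items():
            state = "enforced" if ok else "NOT enforced"
            print(f"{label}: rules of {vm} -> {enforcer}: {state}")
```
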