Qubes VM Manager Firewall tab settings design


Patrick Schleizer

Sep 25, 2015, 11:00:51 AM
to qubes...@googlegroups.com
Hi,

do we have documentation on the things that usually technically happen
when switching Qubes VM Manager Firewall tab settings?

Background: I am trying to find out how bad it would be if these
settings are enabled for Whonix VMs or if these matter at all.

Cheers,
Patrick

Marek Marczykowski-Górecki

Sep 25, 2015, 11:20:36 AM
to Patrick Schleizer, qubes...@googlegroups.com
On Fri, Sep 25, 2015 at 03:00:45PM +0000, Patrick Schleizer wrote:
> Hi,
>
> do we have documentation on the things that usually technically happen
> when switching Qubes VM Manager Firewall tab settings?

All those settings are in a separate file - firewall.xml in the VM
directory. If the VM is running, those settings are converted to
iptables syntax and loaded into the QubesDB of the directly connected ProxyVM.
The `qubes-firewall` service in the ProxyVM watches for such changes and
applies the rules.

There is one side effect - enabling access to "updates proxy"
automatically turns on `yum-proxy-setup` service (hmm, this should be
renamed to `updates-proxy-setup`) to have the VM configured to actually
use the proxy.

> Background: I am trying to find out how bad it would be if these
> settings are enabled for Whonix VMs or if these matter at all.

Since `qubes-firewall` service is disabled in Whonix Gw (it is, right?),
nothing will happen.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Patrick Schleizer

Sep 25, 2015, 12:47:14 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> On Fri, Sep 25, 2015 at 03:00:45PM +0000, Patrick Schleizer wrote:
>> Background: I am trying to find out how bad it would be if these
>> settings are enabled for Whonix VMs or if these matter at all.
>
> Since `qubes-firewall` service is disabled in Whonix Gw (it is, right?),
> nothing will happen.

Right.

While we're at it.

https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-firewall.service
uses:

[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service

That allows using
a) "sudo service qubes-whonix-firewall ..." as well as
b) "sudo service qubes-firewall ...".

I am wondering if 'Alias=' is the right mechanism or whether a
systemd drop-in would be more appropriate and secure [wrt further
systemd updates]. One couldn't use b) anymore, but is it a problem?

Cheers,
Patrick

Marek Marczykowski-Górecki

Sep 25, 2015, 1:03:49 PM
to Patrick Schleizer, qubes...@googlegroups.com
On Fri, Sep 25, 2015 at 04:47:07PM +0000, Patrick Schleizer wrote:
> While we're at it.
>
> https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-firewall.service
> uses:
>
> [Install]
> WantedBy=multi-user.target
> Alias=qubes-firewall.service
>
> That allows using
> a) "sudo service qubes-whonix-firewall ..." as well as
> b) "sudo service qubes-firewall ...".
>
> I am wondering if 'Alias=' is the right mechanism or whether a
> systemd drop-in would be more appropriate and secure [wrt further
> systemd updates]. One couldn't use b) anymore, but is it a problem?

I don't think that the alias here is a good one. The `qubes-firewall`
service has a totally different purpose than `qubes-whonix-firewall`
(setting the firewall according to the VM's settings vs loading static firewall
rules and blocking all access if something goes wrong). A drop-in for
disabling qubes-firewall would be better. And some preset for
`qubes-whonix-firewall.service`.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Patrick Schleizer

Sep 25, 2015, 1:36:58 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> On Fri, Sep 25, 2015 at 04:47:07PM +0000, Patrick Schleizer wrote:
>> While we're at it.
>
>> https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-firewall.service
>> uses:
>
>> [Install]
>> WantedBy=multi-user.target
>> Alias=qubes-firewall.service
>
>> That allows using
>> a) "sudo service qubes-whonix-firewall ..." as well as
>> b) "sudo service qubes-firewall ...".
>
>> I am wondering if 'Alias=' is the right mechanism or whether a
>> systemd drop-in would be more appropriate and secure [wrt further
>> systemd updates]. One couldn't use b) anymore, but is it a problem?
>
> I don't think that the alias here is a good one. The `qubes-firewall`
> service has a totally different purpose than `qubes-whonix-firewall`
> (setting the firewall according to the VM's settings vs loading static firewall
> rules and blocking all access if something goes wrong). A drop-in for
> disabling qubes-firewall would be better. And some preset for
> `qubes-whonix-firewall.service`.

Agreed. Using drop-in now.

https://github.com/Whonix/qubes-whonix/commit/ce953a964bf7c3a9038aef5371cf0d672d28af9a

(drop-in, not preseed, because Debian officially does not make use of
them yet, so I trust more in the drop-ins.)

There is another similar case. The last one in the qubes-whonix package
using 'Alias='.

https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-network.service

Maybe it should also be replaced? For one, for consistency. Also
because 'Alias=' seems like a hack and not the right mechanism for
that. What do you think?

Cheers,
Patrick

Marek Marczykowski-Górecki

Sep 25, 2015, 1:58:24 PM
to Patrick Schleizer, qubes...@googlegroups.com
So, you need to ensure that the service is enabled at some point. Does
debhelper automatic script handle that?

> There is another similar case. The last one in the qubes-whonix package
> using 'Alias='.
>
> https://github.com/Whonix/qubes-whonix/blob/master/lib/systemd/system/qubes-whonix-network.service
>
> Maybe it should also be replaced? For one, for consistency. Also
> because 'Alias=' seems like a hack and not the right mechanism for
> that. What do you think?

In this case the service really is an override of the original
qubes-network.service, with the same functionality. So I'm not sure in
this case. Having Alias= means that all the dependencies would still
work (After=qubes-network.service in other services for example).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
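
An added example, not part of the thread and not Qubes or Whonix code: a shell audit that lists `Alias=` claims in a unit directory and marks those whose alias is also the file name of another unit, the situation discussed above for `qubes-firewall.service` and `qubes-network.service`. Apart from the `[Install]` section quoted in the thread, the unit contents and the names `demo.service` and `stray.service` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list Alias= claims in a unit directory
# and mark those whose alias is also the file name of another unit there.

# make_sample_units: write constructed unit files to a temp dir, print its path.
make_sample_units() {
    d=$(mktemp -d)
    # Constructed stand-in for the stock unit whose name gets claimed.
    printf '[Service]\nExecStart=/bin/true\n' > "$d/qubes-firewall.service"
    # [Install] section as quoted in the thread; [Service] is constructed.
    printf '[Service]\nExecStart=/bin/true\n[Install]\nWantedBy=multi-user.target\nAlias=qubes-firewall.service\n' \
        > "$d/qubes-whonix-firewall.service"
    # Constructed: two aliases on one line, neither matching a unit file.
    printf '[Install]\nAlias=demo-old.service demo-compat.service\n' > "$d/demo.service"
    # Constructed: Alias= outside [Install] must not be reported.
    printf '[Unit]\nAlias=qubes-firewall.service\n' > "$d/stray.service"
    printf '%s\n' "$d"
}

# alias_claims DIR: print "UNIT ALIAS STATUS" for every alias found.
alias_claims() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        awk '
            /^\[/ { in_install = ($0 == "[Install]"); next }
            in_install && /^Alias=/ {
                sub(/^Alias=/, "")
                n = split($0, names, " ")      # Alias= may list several names
                for (i = 1; i <= n; i++) print names[i]
            }' "$unit" |
        while read -r name; do
            if [ -f "$dir/$name" ]; then
                status=claims-existing-unit     # review: same purpose or not?
            else
                status=free-name
            fi
            printf '%s %s %s\n' "$(basename "$unit")" "$name" "$status"
        done
    done
}

sample=$(make_sample_units)
alias_claims "$sample"
rm -rf "$sample"
```

The script only lists candidates; whether a `claims-existing-unit` alias is acceptable depends on whether the claiming unit does the same job as the unit whose name it takes, which is the distinction drawn in the messages above.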

Patrick Schleizer

Sep 25, 2015, 2:09:56 PM
to qubes...@googlegroups.com
So from https://www.whonix.org/wiki/Qubes/Create_Workstation_AppVMs and
https://www.whonix.org/wiki/Qubes/Create_Gateway_ProxyVMs the part

"2. Edit ... Firewall Rules"

can be removed.

Undoubtedly some people will ask what settings they should set in Qubes
VM Manager Firewall tab or why it's no longer recommended changing these
settings.

Therefore, the technical background is now documented on the
Qubes-Whonix Dev page.

https://www.whonix.org/wiki/Dev/Qubes#Qubes_VM_Manger_Firewall_Tab_Settings

Cheers,
Patrick

Patrick Schleizer

Sep 25, 2015, 2:14:31 PM
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
From POV of systemd / debhelper, qubes-whonix-firewall.service is just a
usual service. It will be enabled during debhelper part of
qubes-whonix.postinst maintainer script.

For users who update, the qubes-firewall.service will still be disabled
before / after they update. And after the update/reboot, the systemd
drop-in will be active to prevent starting qubes-firewall.service.

Cheers,
Patrick

Marek Marczykowski-Górecki

Sep 25, 2015, 2:35:20 PM
to Patrick Schleizer, qubes...@googlegroups.com
On Fri, Sep 25, 2015 at 06:09:51PM +0000, Patrick Schleizer wrote:
> So from https://www.whonix.org/wiki/Qubes/Create_Workstation_AppVMs and
> https://www.whonix.org/wiki/Qubes/Create_Gateway_ProxyVMs the part
>
> "2. Edit ... Firewall Rules"
>
> can be removed.

Indeed. This was needed in R2, because new DispVMs inherited only
firewall rules, but not the netvm setting. So without such blocking,
DispVMs started from there would have access to clearnet (more
precisely: network used by DispVMs).

> Undoubtedly some people will ask what settings they should set in Qubes
> VM Manager Firewall tab or why it's no longer recommended changing these
> settings.

Maybe we should introduce some mechanism which will disable the firewall tab
when it has no effect (= the used ProxyVM has no `qubes-firewall` service
enabled). If we disable the `qubes-firewall` service using the Services tab in
Whonix Gw (probably in addition to that drop-in), this could be detected
by Qubes Manager. Perhaps worth doing it as part of the idea in the "Timezone and
other deanonymizing data in QubesDB"[1] thread (service called from
template to set configure template properties). Need some more thought on
how to do this right.

[1]
https://groups.google.com/d/msgid/qubes-devel/20150923202203.GY2791%40mail-itl

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?