Help on basic firewall settings with a proxyVPN


nishi...@gmail.com

Aug 26, 2016, 11:49:29 AM
to qubes-users
Hello,

I have trouble setting up a basic firewall under an AppVM running through a proxyVM running OpenVPN inside.

When I click on the "Deny network access except" then add a global exception (like * http tcp), I can connect to the web, but this method doesn't work with my AppVM connected to the proxyVM-VPN :(

If someone knows how to set up a basic firewall to browse the web behind a VPN proxyVM and can share how to do it, even if Qubes is already secured considering you can easily delete domains if they get compromised, that would be great!

Regards

Cube

Aug 26, 2016, 4:48:10 PM
to qubes-users, nishi...@gmail.com
AFAIK firewall VMs aren't what you think; they're not for leak prevention but to keep VMs from seeing each other. That's it. Oh, if you do have a single IP address you'd like to isolate, that will work (doesn't happen very often).

Read up on the firewall docs on the Qubes site and the old Joanna blog.

Andrew David Wong

Aug 26, 2016, 11:12:55 PM
to nishi...@gmail.com, qubes-users
If you want to be able to apply firewall rules with that setup, you'll have to
make another FirewallVM to sit in between the AppVM and the VPNVM, like this:

my-appvm --> sys-vpn-firewall --> sys-vpn --> sys-firewall --> sys-net

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

nishi...@gmail.com

Aug 27, 2016, 3:40:03 PM
to qubes-users
Yes Cube, indeed, btw I just realized you have evil people sniffing around between your local AppVMs if you want to link them, for some reason (I did a tcpdump on 1 VM that I linked to another one using the documentation and I think I probably had someone in between, a MITM, but obviously both VMs were empty, I'm a newbie but not completely retarded...).

So I'm going to install and configure a piece of software called "ArpON" to prevent this kind of ARP attack, which I didn't know about before, because obviously when you use 1 VM just to browse the web you are kinda safe on Qubes, but when you want to test things as a newbie, then you get the evil experienced hackers joining the party... :D

Thanks a lot Andrew for your advice, I will try this double firewall set-up after reinstalling Qubes! Even if it is unlikely dom0 would have been compromised, as I said I am pretty sure 1 of these 2 VMs got hacked and I don't want to risk another intrusion :p
