Create Firewall Rules like *.DOMAIN.COM


Piit

Apr 4, 2017, 4:57:59 PM
to qubes-users
Hello,

I have successfully set up an AppVM named "cloud" which I'm using to connect to cloud services:
- Turtl (as an Evernote alternative)
- Microsoft OneDrive (which I use to store some not files which I need cross-platform / it's ok to blame me for this :-)

I got onedrived working by installing some additional packages/applications and following the manual at https://github.com/xybu/onedrive-d-old.

Now I would like to set up the AppVM firewall to only allow connections to OneDrive.
A description of the hostnames and ports which are needed for OneDrive:
Required URLs and Ports for OneDrive
https://support.office.com/en-us/article/Required-URLs-and-ports-for-OneDrive-ce15d2cc-52ef-42cd-b738-d9c6f9b03f3a

As I am not using the WebGUI but only the command line sync, I think it's possible to restrict the rules even more.
I have used netstat to show which connections are open when onedrive is synchronizing:

Every 1.0s: sudo watch -n 1 netstat -tpeW

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 1 0 cloud:51666 ec2-54-72-117-61.eu-west-1.compute.amazonaws.com:https CLOSE_WAIT user 55046 3495/turtl
tcp 0 0 cloud:33692 104.18.45.160:https ESTABLISHED user 55020 3495/turtl
tcp 0 0 cloud:49114 93.184.220.29:http ESTABLISHED user 55038 3495/turtl
tcp 0 0 cloud:32794 i-ch1-cor002.api.p001.1drv.com:https ESTABLISHED user 14655 1179/python3
tcp 0 0 cloud:32792 i-ch1-cor002.api.p001.1drv.com:https ESTABLISHED user 15705 1179/python3
tcp 0 0 cloud:52272 104.25.102.25:https ESTABLISHED user 55028 3495/turtl
tcp 0 0 cloud:32796 i-ch1-cor002.api.p001.1drv.com:https ESTABLISHED user 15710 1179/python3
tcp 0 0 cloud:48456 li1108-39.members.linode.com:https ESTABLISHED user 55551 3495/turtl
tcp 0 0 cloud:43468 fra15s16-in-f14.1e100.net:https ESTABLISHED user 54232 3495/turtl
tcp 0 0 cloud:39574 a-0011.a-msedge.net:https ESTABLISHED user 14713 1179/python3
tcp 0 0 cloud:39596 a-0011.a-msedge.net:https ESTABLISHED user 50355 1179/python3
tcp 1 0 cloud:48458 li1108-39.members.linode.com:https CLOSE_WAIT user 54706 3495/turtl
tcp 0 239388 cloud:46430 bl3302-a.1drv.com:https ESTABLISHED user 15760 1179/python3
tcp 0 0 cloud:39584 a-0011.a-msedge.net:https ESTABLISHED user 15839 1179/python3


I want to edit the AppVM firewall but would like to enter wildcards. How can this be done, like *.<DOMAIN>.com?
Or do I need to set up a rule for every host/domain name?

kind regards

-[ P

Vít Šesták

Apr 5, 2017, 12:58:01 AM
to qubes-users
Well, this is not as easy as it might sound:

Remember, the firewall operates on the TCP/UDP level, so it sees no domain names, just IP addresses and ports. When you add a domain to your firewall rule, it gets resolved to an IP address when the rules are applied. It does not work well when the IP address changes afterwards (well, a VM restart or even some less intrusive actions can resolve it), and I am not sure if it works well when DNS returns multiple IPs.

Implementing wildcards cannot be done this way, since there is no way to force a DNS server to enumerate all subdomains (or at least their IPs). This would require some smarter firewall that would:

a. Sniff all DNS responses and add the routes dynamically. Not sure if this can work with DNSSEC.
b. Inspect the traffic (e.g., TLS SNI, HTTP Host headers etc.). This is protocol-specific.

Also note that domain-based filtering is imperfect and those suggestions add another imperfection. Maybe it should be treated mainly as user mistake prevention (e.g., you click a link that should not be opened in that VM) more than as preventing the VM from contacting servers you don't want it to contact. For example, if you try to allow only HTTPS to google.com, one might try http://google.com:443. If an attacker can influence your local network, she can force google.com to resolve to any server, effectively making the firewall useless. Also, one IP address can serve multiple services (remember CloudFlare, CloudFront etc.), so you also allow some other random domains. This is not to say that the firewall is completely useless, I am just pointing out what the limitations of the firewall are. There seem to be some threats that the firewall can prevent, including some less sophisticated attacks.

Regards,
Vít Šesták 'v6ak'

Unman

Apr 5, 2017, 6:22:02 PM
to Vít Šesták, qubes-users
That's pretty much all the claim that is made for the firewall in
Qubes. If you look back at Joanna's original posting (linked from the
doc page) this is explicitly stated.

Remember too that there is a limit to the number of rules you can set
via the qubes-firewall tools - actually a size limit but it translates
to a limit of somewhere in the low 30s rules.

You can work around this using larger network specifications, and also
iterating over IP resolutions setting the rules directly on the
firewall using the qubes-firewall-user-script in /rw/config.
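The two replies above describe the same mechanics from two sides: rules are resolved to IPs at apply time (so they go stale and may miss additional A records), and there is a ceiling of roughly thirty rules that larger network specifications can work around. The script below is an added illustration written for this thread, not code from the posters, from the qubes-users list, or from Qubes itself. It uses constructed DNS snapshots in documentation address ranges and an illustrative "accept <network> tcp/<port>" rule format (not Qubes' own rule syntax); the hostnames, the injected resolver and the RULE_LIMIT value are assumptions. It resolves every A record for each allowed host, emits one rule per IP, collapses exact adjacent blocks, optionally widens to a chosen prefix length, checks the rule count, and diffs a later snapshot to show which already-applied rules have gone stale.

```python
"""Resolve an allow-list of hostnames into network rules and spot stale ones.

Added example for the qubes-users thread; not Qubes code. The resolver is
injected so the script runs offline on constructed data.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed DNS snapshots in RFC 5737 documentation ranges (not real answers).
DNS_AT_APPLY_TIME: Dict[str, List[str]] = {
    "api.example-cloud.test": ["203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11"],
    "edge.example-cloud.test": ["198.51.100.7"],
}
DNS_LATER: Dict[str, List[str]] = {  # same names resolved again some time later
    "api.example-cloud.test": ["203.0.113.8", "203.0.113.9", "203.0.113.40"],
    "edge.example-cloud.test": ["198.51.100.7"],
}

RULE_LIMIT = 30  # assumed ceiling, mirroring the "low 30s" figure in the thread

Resolver = Callable[[str], List[str]]
Resolved = Dict[str, List[str]]


def resolve_all(hostnames: Iterable[str], resolver: Resolver) -> Resolved:
    """Keep *every* address a name resolves to, not just the first answer."""
    return {h: sorted(set(resolver(h)), key=ipaddress.ip_address) for h in hostnames}


def per_ip_rules(resolved: Resolved, port: int = 443) -> List[str]:
    """One /32 rule per resolved address; exact, but grows with every A record."""
    return [f"accept {ip}/32 tcp/{port}  # {host}"
            for host, ips in resolved.items() for ip in ips]


def collapsed_rules(resolved: Resolved, port: int = 443) -> List[str]:
    """Merge /32s into larger blocks only where every address in the block is present."""
    nets = [ipaddress.ip_network(ip) for ips in resolved.values() for ip in ips]
    return [f"accept {n} tcp/{port}" for n in ipaddress.collapse_addresses(nets)]


def widened_rules(resolved: Resolved, prefix: int = 24, port: int = 443) -> List[str]:
    """Deliberately widen each address to a /prefix. Fewer rules, but this also
    admits every neighbouring address in the block (the CDN caveat above)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ips in resolved.values() for ip in ips}
    return [f"accept {n} tcp/{port}" for n in sorted(nets)]


def within_limit(rules: List[str], limit: int = RULE_LIMIT) -> bool:
    return len(rules) <= limit


def stale_and_missing(applied: Resolved, current: Resolved) -> Tuple[Resolved, Resolved]:
    """Compare the snapshot the rules were built from with a fresh resolution.
    'stale' = addresses still allowed but no longer returned by DNS;
    'missing' = addresses DNS now returns that no rule covers."""
    stale = {h: sorted(set(applied[h]) - set(current.get(h, []))) for h in applied}
    missing = {h: sorted(set(current[h]) - set(applied.get(h, []))) for h in current}
    return ({h: v for h, v in stale.items() if v},
            {h: v for h, v in missing.items() if v})


if __name__ == "__main__":
    hosts = list(DNS_AT_APPLY_TIME)
    now = resolve_all(hosts, lambda h: DNS_AT_APPLY_TIME[h])
    for line in per_ip_rules(now) + collapsed_rules(now) + widened_rules(now):
        print(line)
    print("within limit:", within_limit(per_ip_rules(now)))
    later = resolve_all(hosts, lambda h: DNS_LATER[h])
    print("stale / missing:", stale_and_missing(now, later))
```

On a real system the resolver would be replaced by a lookup run inside the firewall VM and the resulting networks fed to whatever rule mechanism is in use; the stale/missing diff is the check to re-run on a schedule, since a rule set built from one resolution silently drifts as the provider rotates addresses.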

