Question on the new format of rules for Qubes mirage firewall


pr...@tutanota.de

Jul 6, 2019, 1:09:52 AM7/6/19
to qubes...@googlegroups.com

Hi,

With the old format of rules for the mirage firewall I had the following setup:

...
let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"

let allowed_to_git = List.map Ipaddr.V4.of_string_exn
  [ "10.137.0.20" ;
    "10.137.0.21"
  ]

let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"

let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"

let from_client = function
  | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
    && c#other_ip = mgmt_local -> `NAT
  | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
    && List.mem c#other_ip allowed_to_git -> `NAT
...

Is it possible to get the same functionality with the new rules using the prefix
and the lists of addresses? It would also be useful to be able to block prefixes
as well if that's possible.

Thanks for your help

Thomas Leonard

Jul 8, 2019, 8:51:36 AM7/8/19
to qubes-users
On Saturday, July 6, 2019 at 6:09:52 AM UTC+1, pr...@tutanota.de wrote:
> Hi,
>
> With the old format of rules for the mirage firewall I had the following setup:
>
> ...
> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
>
> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>   [ "10.137.0.20" ;
>     "10.137.0.21"
>   ]
>
> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
>
> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
>
> let from_client = function
>   | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
>     && c#other_ip = mgmt_local -> `NAT
>   | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
>     && List.mem c#other_ip allowed_to_git -> `NAT
> ...
>
> Is it possible to get the same functionality with the new rules using the prefix
> and the lists of addresses? It would also be useful to be able to block prefixes
> as well if that's possible.

There are two ways to get that working. The quick way is to get the src/dst IP addresses from the `packet` field instead, e.g.

let externals = [
  "192.168.1.101", `Git;
]

...

  | { src = `Client _;
      dst = `External `Git;
      packet = `IPv4 ({Ipv4_packet.src}, _) }
    when List.mem src allowed_to_git -> `NAT

Another solution would be to edit firewall.ml to allow specifying subnets, not just hosts. That's a bit more work, though.

pr...@tutanota.de

Jul 8, 2019, 7:31:57 PM7/8/19
to Thomas Leonard, qubes-users
Many thanks for your help with this and for the project!
I went with the quick way for now.
I now have the following rules if anyone else finds them useful:

...
let clients = [
  "10.137.0.22", `MgmtLocal;
]

let externals = [
  "192.168.1.101", `Git;
]

let allowed_to_git = List.map Ipaddr.V4.of_string_exn
  [ "10.137.0.20";
    "10.137.0.21"
  ]

let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"

let from_client (...
  match info with
    | { src = `Client `MgmtLocal; dst = `External _; packet = `IPv4 ({Ipv4_packet.dst}, _) }
      when Ipaddr.V4.Prefix.mem dst local_subnet -> `NAT
    | { src = `Client _; dst = `External `Git; packet = `IPv4 ({Ipv4_packet.src}, _) }
      when List.mem src allowed_to_git -> `NAT
...

This all compiled and seems to be working well.
Thanks again
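The rules above, plus the prefix block the original question asked about, as a stand-alone model (added example, not code from mirage-firewall; the `info` record, the `Unknown`/`Other variants and the 192.168.99.0/24 blocked subnet are constructed here, and only the ipaddr library is assumed). Because the first matching arm wins, the `Drop for the sub-prefix has to come before the broad `NAT for local_subnet that contains it.

```ocaml
(* Build with: ocamlfind ocamlopt -package ipaddr -linkpkg rules_demo.ml *)

(* Minimal stand-in for the fields the thread's rules match on (constructed). *)
type info = {
  src : [ `Client of [ `MgmtLocal | `Other ] ];
  dst : [ `External of [ `Git | `Unknown ] ];
  packet : [ `IPv4 of Ipaddr.V4.t * Ipaddr.V4.t ];  (* (source, destination) *)
}

type action = [ `NAT | `Drop of string ]

let allowed_to_git = List.map Ipaddr.V4.of_string_exn [ "10.137.0.20"; "10.137.0.21" ]
let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"
let blocked_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.99.0/24"  (* constructed *)

(* First match wins: the narrow deny must precede the wide allow it overlaps. *)
let from_client : info -> action = function
  | { dst = `External _; packet = `IPv4 (_, dst); _ }
    when Ipaddr.V4.Prefix.mem dst blocked_subnet -> `Drop "destination prefix is blocked"
  | { src = `Client `MgmtLocal; dst = `External _; packet = `IPv4 (_, dst) }
    when Ipaddr.V4.Prefix.mem dst local_subnet -> `NAT
  | { src = `Client _; dst = `External `Git; packet = `IPv4 (src, _) }
    when List.mem src allowed_to_git -> `NAT
  | _ -> `Drop "no matching rule"

let () =
  let ip = Ipaddr.V4.of_string_exn in
  let show = function `NAT -> "NAT" | `Drop r -> "Drop: " ^ r in
  let mk c d s_ip d_ip = { src = `Client c; dst = `External d; packet = `IPv4 (ip s_ip, ip d_ip) } in
  (* Constructed sample flows exercising each arm, including the overlap case. *)
  List.iter
    (fun (label, i) -> Printf.printf "%-28s -> %s\n" label (show (from_client i)))
    [ "mgmt to 192.168.1.5",    mk `MgmtLocal `Unknown "10.137.0.22" "192.168.1.5";
      "mgmt to blocked /24",    mk `MgmtLocal `Unknown "10.137.0.22" "192.168.99.7";
      "allowed client to git",  mk `Other `Git "10.137.0.20" "192.168.1.101";
      "other client to git",    mk `Other `Git "10.137.0.30" "192.168.1.101" ]
```

Reordering the first two arms would let the management client reach 192.168.99.7, since it also lies inside 192.168.0.0/16.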
