Default firewall configuration for dns/icmp of VMs with restricted access


lik...@gmx.de

Dec 19, 2021, 6:36:38 AM12/19/21
to qubes...@googlegroups.com
Hi!

In the default firewall setup, if a VM is restricted via the UI using "Limit outgoing Internet connections to ...", 2 rules are added before "drop all packets":

[prompt]$ qvm-firewall vm

NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -

Namely:
accept dns
and
accept icmp

1. Is my assumption correct that by that it's possible to exfiltrate data to any destination server using dns/icmp?
2. What are practical solutions to mitigate that?
a) delete "accept dns/icmp" rules in the firewall and add the corresponding IPs to the restricted domains/ips in /etc/hosts of the vm?
b) using pihole as dns resolver and restrict the access there?
c) more useful solutions?

Thanks, P

awokd

Dec 19, 2021, 4:10:20 PM12/19/21
to qubes...@googlegroups.com
lik...@gmx.de:

> accept dns
> and
> accept icmp
>
> 1. Is my assumption correct that by that it's possible to exfiltrate data to any destination server using dns/icmp?

Yes.

> 2. What are practical solutions to mitigate that?
> a) delete "accept dns/icmp" rules in the firewall and add the corresponding IPs to the restricted domains/ips in /etc/hosts of the vm?

This is the simplest approach and what I do on a couple AppVMs. You'll
have to use the qvm-firewall command to delete them.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
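As an added illustration (not code from the thread or from the Qubes project): a small POSIX shell helper that reads the output of `qvm-firewall <vm>` on stdin, finds the implicit `accept dns` and `accept icmp` rules, and prints the `qvm-firewall <vm> del --rule-no N` commands needed to remove them. It emits the highest rule number first, so deleting one rule does not renumber the one still to be deleted. The embedded table is a constructed copy of the output shown in the first post, and the VM name `work` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Input: the rule table printed by `qvm-firewall <vm>` (header + rows).
# Output: rule numbers of the implicit "accept dns" / "accept icmp" rules,
#         highest first.
special_rule_numbers() {
    awk '
        # data rows start with a numeric rule number; the header does not
        $1 ~ /^[0-9]+$/ && $2 == "accept" && ($4 == "icmp" || $6 == "dns") {
            print $1
        }
    ' | sort -rn
}

# Turn the rule numbers into dom0 commands. Deleting from the highest
# number down keeps the remaining indexes valid.
delete_commands() {
    vm=$1
    special_rule_numbers | while read -r n; do
        printf 'qvm-firewall %s del --rule-no %s\n' "$vm" "$n"
    done
}

# Constructed sample: the table from the first post in this thread.
SAMPLE='NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept www.qubes.org tcp 443 - - - -
1 accept - - - dns - - -
2 accept - icmp - - - - -'

# Dry run on the sample (assumed VM name "work"):
#   printf '%s\n' "$SAMPLE" | delete_commands work
# In dom0, against a real VM, review the output and then pipe it to sh:
#   qvm-firewall work | delete_commands work | sh
```

After the two rules are gone, `qvm-firewall work` should list only the explicit `accept` rule(s) above the default drop policy. Because the firewall resolves hostname rules such as `www.qubes.org` to addresses when it applies them, the address you then put into the VM's `/etc/hosts` (option a) in the first post) has to be the same one the firewall resolved, otherwise the VM connects to an address the rule does not cover.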

David Hobach

Dec 20, 2021, 8:02:11 AM12/20/21
to qubes...@googlegroups.com
Btw I still consider this hideous firewall GUI an anti-feature and would wholeheartedly support anyone complaining about it at qubes-issues.

lik...@gmx.de

Dec 21, 2021, 3:33:11 PM12/21/21
to qubes...@googlegroups.com

On 12/20/21 13:02, David Hobach wrote:
> Btw I still consider this hideous firewall GUI an anti-feature and would wholeheartedly support anyone complaining about it at qubes-issues.
>
I don't agree with this statement, as the GUI firewall does mitigate some risks if used. Only providing a command line interface would mean that some people wouldn't (have the ability to) use it. Those who are brave enough to use the command line will probably also manage to understand the implications of using the UI.


What else is wrong with the firewall GUI besides the two hidden dns/icmp specialities?