Log qubes firewall packets


Frozentime345

Apr 21, 2019, 3:13:27 PM
to qubes...@googlegroups.com
Wondering how to log packets blocked and accepted by the Qubes firewall for
a specific VM, or all VMs if that's the only option? Couldn't find anything
on the website or Google or in qvm-firewall.

Zrubi

Apr 21, 2019, 4:06:48 PM
to Frozentime345, qubes...@googlegroups.com
Unfortunately, Qubes firewall was not designed for such a use case.

If you are familiar with iptables (and nftables too), you may be
able to work around this limitation. But it is really not trivial to achieve.

--
Zrubi

Frozentime345

Apr 21, 2019, 4:46:40 PM
to Zrubi, qubes...@googlegroups.com
Okay thanks, should I post this in issues as a feature request?

tom...@gmail.com

Apr 21, 2019, 6:32:32 PM
to qubes-users
> >> Wondering how to log packets blocked and accepted by the Qubes firewall
> >> for a specific VM, or all VMs if that's the only option? Couldn't find
> >> anything on the website or Google or in qvm-firewall.

> > Unfortunately, Qubes firewall was not designed for such a use case.
> >
> > If you are familiar with iptables (and nftables too), you may be
> > able to work around this limitation. But it is really not trivial to achieve.

So, logging is done via the -j LOG target, like this (with the same rules that would match the actual action):
iptables -t nat -A SSH2 -j LOG --log-prefix "DNAT SSH2-tunnel: "
iptables -t nat -A SSH2 -j DNAT -p tcp --to 10.137.2.11:22

For blocked packets you should add a log entry before the DROP statements. You should review all chains and tables. Add your changes to sys-firewall:/rw/config/qubes-firewall-user-script. Be careful when inserting/adding rules, as Qubes dynamically changes the tables.

By default LOG uses the systemd log, but it is configurable.
Your question is not related to Qubes, but is a general iptables question.
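
The step described in the reply above (a LOG rule with the same match placed directly before each DROP), as an added example that is not part of the original thread: the function reads `iptables -S` output and prints the `iptables -I` commands for review before they go into the user script. The sample ruleset is constructed and the `LOGDEMO` chain is hypothetical; it also covers REJECT rules, which the post does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables -S` output on stdin and
# prints `iptables -I` commands that put a LOG rule, with the same match,
# directly in front of every DROP or REJECT rule. $1 = table (default filter).
gen_log_rules() {
    awk -v table="${1:-filter}" '
    $1 != "-A" { next }                  # skip -P policy and -N chain lines
    {
        chain = $2; pos[chain]++         # 1-based position inside this chain
        jidx = 0
        for (i = 3; i < NF; i++) if ($i == "-j") { jidx = i; break }
        if (!jidx) next
        target = $(jidx + 1)
        if (target != "DROP" && target != "REJECT") next
        spec = ""                        # match part: between chain and -j
        for (i = 3; i < jidx; i++) spec = spec " " $i
        # every LOG rule already inserted in this chain shifts later rules by 1
        at = pos[chain] + added[chain]++
        prefix = substr(target " " chain ": ", 1, 29)   # LOG prefix limit: 29
        printf "iptables -t %s -I %s %d%s -j LOG --log-prefix \"%s\"\n",
               table, chain, at, spec, prefix
    }'
}

# Constructed sample ruleset (the LOGDEMO chain is hypothetical).
sample_rules() {
    cat <<'EOF'
-P FORWARD DROP
-N LOGDEMO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.137.2.11/32 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -j LOGDEMO
-A FORWARD -j DROP
-A LOGDEMO -j REJECT --reject-with icmp-admin-prohibited
EOF
}

sample_rules | gen_log_rules filter
```

The positions are valid only for the listing they were computed from, so they go stale if the tables are rewritten between taking the listing and running the commands.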
