Usability: "Firewall rules" setting will likely be missunderstood often

57 views
Skip to first unread message

mitte...@digitrace.de

unread,
Sep 20, 2016, 1:17:01 PM9/20/16
to qubes-users
Hey,

Firewall rules are set for a specific VM/Qube. From common understanding
people would probably think that those rules are active no matter what
happens outside of that very VM/Qube, but in fact it seems like those
rules are active if and only if there is an ProxyVM connected to that
VM/Qube.

Examples:

1) I can configure firewall rules for a ProxyVM, but they are not
actived, if that ProxyVM is connected to a NetVM (if I connect another
ProxyVM in between, this might probably work?!)

2) I can configure firewall rules for a AppVM, which will not be active
if that VM is connected

And: What happens if a ProxyVM does not implement the firewall service,
or if the firewall service crashes in the ProxyVM ?
I cannot find more information about the firewall mechanism than
"centrally managed in Dom0 and exposed to each Proxy VM through Xen
store" from
http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

Ideas:
a) A warning if an AppVM is (about to be) connected to a NetVM (instead
of a ProxyVM).

b) Do not allow "firewall rules" being set for ProxyVMs (I think
Proxy-Chains are rather unlikely being used?!)

c) A warning about DNS-Names in firewall rules

[c) A warning if a connected ProxyVM does not activate the firewall rules]

thank you,

Robert Mittendorf

--
M. Sc. Informatik Robert Mittendorf

DigiTrace GmbH - Kompetenz in IT-Forensik
Geschäftsführer: Alexander Sigel, Martin Wundram
Registergericht Köln, HR B 72919
USt-IdNr: DE278529699

Zollstockgürtel 59, 50969 Köln
Telefon: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-Mail: in...@DigiTrace.de

Haben Sie schon den DigiTrace-Newsletter abonniert?
http://www.digitrace.de/de/service/newsletter

DigiTrace ist Partner der Allianz für Cyber-Sicherheit
sowie Mitglied im nrw.units Netzwerk für IT-Sicherheit:
https://www.allianz-fuer-cybersicherheit.de
http://www.nrw-units.de/netzwerk/

Chris Laprise

unread,
Sep 20, 2016, 4:29:48 PM9/20/16
to mitte...@digitrace.de, qubes-users
This is a good candidate for filing an issue, but mainly for this
situation -- "A warning if an upstream VM does not implement the
firewall rules", which should include connecting to netvms.

IIRC, Qubes Manager used to grey-out the firewall tab for any vm that
was connected to a netvm. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably
more common than you think.

Chris

Andrew David Wong

unread,
Sep 21, 2016, 6:07:25 AM9/21/16
to mitte...@digitrace.de, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-09-20 10:16, mitte...@digitrace.de wrote:
> Hey,
>
> Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is an ProxyVM connected to that VM/Qube.
>
> Examples:
>
> 1) I can configure firewall rules for a ProxyVM, but they are not actived, if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)
>

Correct. Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.

> 2) I can configure firewall rules for a AppVM, which will not be active if that VM is connected
>

Assuming you meant "unconnected," that's right. The reasoning
here is that the purpose of firewall rules is to govern network
traffic. But if a VM has no NetVM (i.e., has no network access
at all), then there's no network traffic to govern.

> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ?
> I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>

Take a look at these pages:

https://www.qubes-os.org/doc/qubes-firewall/

https://www.qubes-os.org/doc/networking/

> Ideas:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).
>
> b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)
>
> c) A warning about DNS-Names in firewall rules
>
> [c) A warning if a connected ProxyVM does not activate the firewall rules]

Thanks! This general suggestion has previously been made
and is currently being tracked here:

https://github.com/QubesOS/qubes-issues/issues/2003

Also related:

https://github.com/QubesOS/qubes-issues/issues/2248

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX4lvEAAoJENtN07w5UDAwgzwQAMou4iQfl/BV90/VJp7FO5X0
nOiqR2Mqc1094tsCuX1Lysqbsal0jUhmbAVXuxqR3iFkZiXO3u8p3o8VD1TNrZQM
Ffd2XGOrIEjGosB2CZS1mj6D/vUv8kg33eqQbmREbVU3mCzoqYoIe4NXHi5NLcHC
IJYJOFO+WqFHXhk6AEHF0F+pL2p+Vaa1macJ5XiuXzhOuwlghNGYgObllLMo2jJe
uPea/S+vqVtf5VIYJ5rKm39i+qjZIsCIWRI7SxkrNQ0EgpY5tMRPPPyAb7RVNAQu
+OSgS3YDH40y0b+fVcWQofwGGYbZU5KXZE72F0VXpycdV0XgknEJ/AqNVLWJnPwH
G97gK90CkwHboW9F9GxS0FH+cOP6V4VkLh9SujO5adhaROio5c3hCjDJuFTeQTIg
8O088SAMGUIxmjnEpuxFCeQew4BSc23NDl2ru16Z81lMuIuqgj6TXim924E14syx
YhHjQL3iyQK34n2rLmqLcHr4GDa5sQzGRfclJx9rfkiAbtFACPywlka/zaq0Y85q
kgk5IDto7yL9Zsq7OD9clSlvtg6TNbI9fL19bC8l7iV+MJ5kiFGSNraWd+RMn9dd
tA7sVaqCKqNnteWVFjsITzwDIUwAeTCldPLtwzUk0Hkofi1ebWksMVrgg/SSLvtK
HpKs3MEub72u25IfgCVp
=CxIx
-----END PGP SIGNATURE-----

Andrew David Wong

unread,
Sep 21, 2016, 6:11:27 AM9/21/16
to mitte...@digitrace.de, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-09-21 03:07, Andrew David Wong wrote:
> On 2016-09-20 10:16, mitte...@digitrace.de wrote:
>> [...]
> Thanks! This general suggestion has previously been made
> and is currently being tracked here:
>
> https://github.com/QubesOS/qubes-issues/issues/2003
>

I've added your message as a comment on this issue:

https://github.com/QubesOS/qubes-issues/issues/2003#issuecomment-248568150

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX4lzCAAoJENtN07w5UDAwhEsQAJmC34SCoubo1HUS8EzTpMGU
H0ksRALLGxGa1A3MYG2RprLZt/WYI+CbF+XvnDuGsHENuH1Kuq5CICP1NvZoyRgC
jL8ocmDF9Y6tRwQ+TvZojF/eJG02nnjKPiIKUDDLDEm8fk9Un23NScgWDuQSKXBv
qWmomiwFe7T1bWd9oF/ljbqNXALyHxkQvu38CgcNzK0JWmoR1RXaBxGv6i86oK9Z
2M08CZGMqz5I3fZ8HQpEjrL+2xGDL8jWCvV7pTTsgTh+WhMR0Weyoe1ND+1ACoRd
q4yKT06pnxbf1mvbQCLWwH5Xok6IF1CVaNUNbRXAFHX5GDAUNJ3qG61VbR3OYw+q
BGIEonmhEZRuosQuSlGn+5Zdkn7qdLgd0kr3H5s1+3Y+XBSqIMehj5X4dMHpf/Wl
GTGrifCbdERo0J/DFiPuwL4IYroYah7VceockisrgATJuLgQaOb8cJhHsvG5sGkj
8FDIHk4HmU5UI6DEMni/gOmMpkN8WfDA/SfWO2jJZKk37loAGxZdvOy3C6bYfYSz
SAne+wrpNSW0RBnnZsTOs+DhS1951IDwXm76CB/mXGeaDQUDsh+Rdptq+ZtVlnyA
uAer2BnF62S1bxP5DTVQksyyDT5e5eeJ5cAnM7alCFWXL9M3/jpfIvA5LG8EjAEi
3Qb8PGviHiekRKGXmOG0
=w9Su
-----END PGP SIGNATURE-----

Robert Mittendorf

unread,
Sep 21, 2016, 6:25:01 AM9/21/16
to qubes-users
Am 09/20/2016 um 10:29 PM schrieb Chris Laprise:

This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms.

IIRC, Qubes Manager used to grey-out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.

Chris

Hey Chris,

sorry for my first answer directly to you - I expected a mailing list to set/replace the "answer to" field

I still use 3.1! firewall rules are disabled for NetVMs, but not dynamically for VMs that are not connected to a proxy VM.

I'm curious - do you have an example for a usefull local proxy(VM) chain?


Am 09/21/2016 um 12:07 PM schrieb Andrew David Wong
Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.
I agree - that is why my idea was to disable firewall rules for proxy VMs.
2) I can configure firewall rules for a AppVM, which will not be active if that VM is connected
Assuming you meant "unconnected," that's right.
Actually I meant connected to a NetVM and thereby the internet. Sorry.

And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ?
I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
Take a look at these pages:

https://www.qubes-os.org/doc/qubes-firewall/

https://www.qubes-os.org/doc/networking/
I looked at the firewall page. The networking pages seems to miss exactly the information I'm looking for in the "Firewall and Proxy VMs" section - like how the information from xen store is loaded within the proxyVM and what happens, if something failes (e.g. Is there a risk that proxying works, but firewall rules are ignored ?)

Chris Laprise

unread,
Sep 22, 2016, 6:24:05 AM9/22/16
to Robert Mittendorf, qubes-users
On 09/21/2016 06:24 AM, Robert Mittendorf wrote:
> Am 09/20/2016 um 10:29 PM schrieb Chris Laprise:
>>
>> This is a good candidate for filing an issue, but mainly for this
>> situation -- "A warning if an upstream VM does not implement the
>> firewall rules", which should include connecting to netvms.
>>
>> IIRC, Qubes Manager used to grey-out the firewall tab for any vm that
>> was connected to a netvm. That doesn't appear to be the case now in
>> R3.2.
>>
>> As for idea 'b', I'd disagree with that. Chained proxyvms are
>> probably more common than you think.
>>
>> Chris
>>
> Hey Chris,
>
> sorry for my first answer directly to you - I expected a mailing list
> to set/replace the "answer to" field
>
> I still use 3.1! firewall rules are disabled for NetVMs, but not
> dynamically for VMs that are not connected to a proxy VM.
>
> I'm curious - do you have an example for a usefull local proxy(VM) chain?

Yes. For example you can connect a Whonix Tor gateway to a VPN tunnel
(or vice-versa). Some people will even add a dedicated firewall to that
chain.

Also, if you want to apply some firewall rules easily to many vms which
are using your regular firewall vm, you can put another proxy vm
upstream from the firewall then add the rules to the firewall.


>
>
> Am 09/21/2016 um 12:07 PM schrieb Andrew David Wong
>> Normally, it wouldn't make sense to try to enforce
>> firewall rules for a FirewallVM. That's why the default
>> sys-firewall and sys-net work the way they do. However,
>> if you have a need for this, you're free to create your own
>> FirewallVMs and chain them together.
> I agree - that is why my idea was to disable firewall rules for proxy
> VMs.
>>> 2) I can configure firewall rules for a AppVM, which will not be active if that VM is connected
>> Assuming you meant "unconnected," that's right.
> Actually I meant connected to a NetVM and thereby the internet. Sorry.
>>> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ?
>>> I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" fromhttp://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>> Take a look at these pages:
>>
>> https://www.qubes-os.org/doc/qubes-firewall/
>>
>> https://www.qubes-os.org/doc/networking/
> I looked at the firewall page. The networking pages seems to miss
> exactly the information I'm looking for in the "Firewall and Proxy
> VMs" section - like how the information from xen store is loaded
> within the proxyVM and what happens, if something failes (e.g. Is
> there a risk that proxying works, but firewall rules are ignored ?)

There's no reliable & safe way to verify the internal proxyvm state like
this. Usually, proxyvms are assigned roles of trust, and trust pertains
not only to it being free of malware... but also its ability to function
correctly in general. Also, proxyvms such as sys-firewall are relatively
simple so there is little that can break.

Chris
Reply all
Reply to author
Forward
0 new messages