Sys-net with a 2 port NIC, how to allow/block interfaces?


Essax

Jul 5, 2017, 8:08:13 PM7/5/17
to Google groups Qubes-users
I have a laptop with a 2 port NIC. I would like to have 1 subset of appVMs that are connected to sys-net use the eth0 interface and the other subset use the eth1 interface. It is not possible to assign 1 port into separate sys-nets. I have tried that and only eth0 will function. It's also my understanding that eth0 is the interface used between qubes. (is this wrong?) If so would this prevent me from using iptables in firewall-vm1 to block traffic to the eth0 interface? That would block traffic to sys-net as well (I think). The only solution I have come up with would be to go to dom0 GUI --> appvm1 ---> edit VM firewall rules ---> allow networks except 172.16.1.1/24. This would not block traffic to the eth0 interface but it would prevent it from going any further than the 172.16.1.1 pfsense interface. Then I could do the same for firewall-vm0 and block it from the 192.168.1.1 pfsense interface. Is there a better way to do this with iptables?


pfsense-----192.168.1.1/24------------eth1--------firewall-vm1--------appvm1
                                                         sys-net
pfsense-----172.16.1.1/24--------------eth0--------firewall-vm0--------VPN/proxyvm--------appvm0

Thanks in advance

Essax

Sent with ProtonMail Secure Email.

Unman

Jul 5, 2017, 9:25:04 PM7/5/17
to Essax, Google groups Qubes-users
I'm not sure what you mean by "eth0 is the interface used between
qubes". Each qube is attached to its upstream proxy, its eth0
connecting to a vifX interface on the proxy.

You can examine the IP addresses allocated to the qubes using
'qvm-ls -n'.

On your proposal the downstream qubes would only be able to connect to
the networks attached to eth0 and eth1. This may be what you want. If
you want to connect to the net (or another network) via those connected
networks, there is an alternative.

Each firewall provides masquerade NAT to downstream qubes. This means
that you can simply do the following:
firewall-vm0 : eth0 - 10.137.10.10
firewall-vm1 : eth0 - 10.137.10.100

On sys-net-
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o eth1 -j DROP
iptables -I FORWARD -s 10.137.10.100 -o eth1 -j ACCEPT
iptables -I FORWARD -s 10.137.10.10 -o eth0 -j ACCEPT

Those rules explicitly block and allow traffic. You could combine into
one rule but this makes it clearer what is happening and will allow you
to track counters as traffic flows.
I think it's neater than your proposal.
You'll also want to keep the rules allowing established traffic back
through sys-net.

You can put these rules into rc.local, and qubes-firewall-user-script,
as set out here:
www.qubes-os.org/doc/firewall

unman
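To see why unman's four `-I` lines work in the order typed (each `-I` inserts at the top of the chain, so the ACCEPT rules typed last are evaluated first, ahead of the DROPs), here is an added simulation of sys-net's FORWARD chain. It is my own illustration, not Qubes code or anything from this thread; it assumes sys-net's FORWARD policy is DROP and that a pre-existing ESTABLISHED,RELATED accept rule is kept, and the packets are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses from unman's example: eth0 of each firewall qube as shown by 'qvm-ls -n'.
FW0 = "10.137.10.10"    # firewall-vm0, meant to egress via eth0 (172.16.1.1/24 side)
FW1 = "10.137.10.100"   # firewall-vm1, meant to egress via eth1 (192.168.1.1/24 side)

@dataclass
class Rule:
    """One FORWARD rule: -s <src> -o <out_if> [-m conntrack --ctstate <state>] -j <target>."""
    target: str
    src: Optional[str] = None
    out_if: Optional[str] = None
    state: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or pkt["src"] == self.src)
                and (self.out_if is None or pkt["out"] == self.out_if)
                and (self.state is None or pkt["state"] in self.state.split(",")))

class ForwardChain:
    """First-match chain with a default policy (assumed DROP, as on a Qubes sys-net)."""
    def __init__(self, policy: str = "DROP"):
        self.rules, self.policy = [], policy

    def insert(self, rule: Rule) -> None:   # iptables -I: prepend, so the last -I typed is checked first
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: append to the end
        self.rules.append(rule)

    def verdict(self, src: str, out: str, state: str = "NEW") -> str:
        pkt = {"src": src, "out": out, "state": state}   # constructed packet summary
        return next((r.target for r in self.rules if r.matches(pkt)), self.policy)

def build_sys_net_chain(use_insert: bool = True) -> ForwardChain:
    """Unman's four rules on top of the pre-existing established/related rule."""
    chain = ForwardChain()
    chain.append(Rule("ACCEPT", state="ESTABLISHED,RELATED"))  # keep this one, as unman notes
    add = chain.insert if use_insert else chain.append        # use_insert=False shows the -A mistake
    add(Rule("DROP", out_if="eth0"))
    add(Rule("DROP", out_if="eth1"))
    add(Rule("ACCEPT", src=FW1, out_if="eth1"))
    add(Rule("ACCEPT", src=FW0, out_if="eth0"))
    return chain

if __name__ == "__main__":
    chain = build_sys_net_chain()
    for src, out in [(FW0, "eth0"), (FW0, "eth1"), (FW1, "eth1"), (FW1, "eth0")]:
        print(f"{src} -> {out}: {chain.verdict(src, out)}")
```

Replies to downstream qubes leave on a vif interface, not eth0/eth1, so the DROP rules never touch them and the established-traffic rule still lets them through; had the same four lines been added with `-A` instead of `-I`, the DROPs would sit ahead of the ACCEPTs and block everything.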

Essax

Jul 6, 2017, 7:23:04 PM7/6/17
to Unman, Google groups Qubes-users
Hi Unman

Thanks! That is exactly what I wanted to accomplish. Although I could use a little clarification on a couple of things.

> You can examine the IP addresses allocated to the qubes using
> "qvm-ls -n".

I ran this command and there are three IP addresses listed for most of the qubes. Going from left to right---> I know the first one is the qube IP address. The second IP address is only given to proxy-vms (what is this IP for?). And the third IP address is the upstream gateway IP??


> Each firewall provides masquerade NAT to downstream qubes. This means
> that you can simply do the following:
> firewall-vm0 : eth0 - 10.137.10.10
> firewall-vm1 : eth0 - 10.137.10.100

I'm sure you can guess my next question. Those two IP addresses would be the actual IPs of the qubes? (sorry, I have to be sure : )
Essax

Sent with ProtonMail Secure Email.

Unman

Jul 7, 2017, 7:50:39 AM7/7/17
to Essax, Google groups Qubes-users
On Thu, Jul 06, 2017 at 07:22:51PM -0400, Essax wrote:
> Hi Unman
> Thanks! That is exactly what I wanted to accomplish. Although I could use a little clarification on a couple of things.
>
> > You can examine the IP addresses allocated to the qubes using
> > "qvm-ls -n".
>
> I ran this command and there are three IP addresses listed for most of the qubes. Going from left to right---> I know the first one is the qube IP address. The second IP address is only given to proxy-vms (what is this IP for?). And the third IP address is the upstream gateway IP??
>
> > Each firewall provides masquerade NAT to downstream qubes. This means
> > that you can simply do the following:
> > firewall-vm0 : eth0 - 10.137.10.10
> > firewall-vm1 : eth0 - 10.137.10.100
>
> I'm sure you can guess my next question. Those two IP addresses would be the actual IPs of the qubes? (sorry, I have to be sure : )
> Essax
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
So if you look at the top of the output you will see some helpful
headings.
The first address is that of eth0.
The second is the address used on vif interfaces to connect downstream.
The third is the address of the upstream netvm (and so will match the
2nd IP address of THAT qube).

In answer to your question, the IP addresses I have shown in the example are
those of eth0 (1st in qvm-ls -n output) - all traffic going through the
firewall will appear on sys-net to derive from this address, unless you
are doing something clever.
So yes, on sys-net put rules acting on those IP addresses.

Hope it's all clear now

unman