Some notes about a VPN firewall solution...
Objectives:
* Prevent all communication between downstream vms and upstream clearnet
(eth0) when the vpn client fails or the link goes down.
* Implement vpn link as a dedicated vm, transparent to downstream vms.
* Remain compatible with conventional server names for the vpn server.
* Prevent accidental communication from non-vpn programs in vpn vm to
anywhere.
* Prevent attempted communication with non-vpn programs in the vpn vm
(appears already enforced by Qubes firewall).
Roles:
* The vpn vm is generally trusted. It is assumed its programs won't try
to impersonate openvpn (send data via port 1194), for example.
* Everything outside the vpn vm and vpn server is essentially untrusted
(from the vpn client's point of view): This means the sys-net, local
router, ISP and downstream vms are potential threats. (This doesn't
affect the user's POV of whether individual appvms are trusted.)
* Everything that is downstream from vpn vm communicates through the vpn
tunnel only.
* The purpose of the programs in the vpn vm is to support the creation
of the vpn link. Their communication domain is either null or clearnet
only; they should not send packets through the vpn tunnel and
potentially be published.
Proposed rules for /rw/config/qubes-firewall-user-script:
---
# Kill switch: no forwarded traffic between downstream vms and clearnet,
# in either direction, whether or not tun0 exists.
iptables -I FORWARD 1 -o eth0 -j DROP
iptables -I FORWARD 2 -i eth0 -j DROP
# Default-deny locally generated traffic, then allow only what the vpn
# client itself needs on clearnet (loopback, the server port, DNS for the
# server name). Deliberately no '-o tun0' ACCEPT for local programs.
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
---
---
This works well with the 'redirect-gateway def1' openvpn directive,
which was the default for my vpn service.
I left out the "OUTPUT -o tun0 -j ACCEPT" rule as this allows local (vpn
vm) programs to communicate over the tunnel.
One thing still bothers me, the ACCEPT for any icmp INPUT (from Qubes
firewall default). I think this should be changed to accept icmp only
from eth0.
Chris
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/574844E5.1050207%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
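To make the effect of the proposed ruleset concrete, here is an added example (editor's code, not Chris's and not part of Qubes): a toy first-match evaluator that loads the rules exactly as listed in the post and judges a handful of constructed packets, including the failure mode the post is about, where tun0 has vanished and the kernel would route downstream traffic straight out of eth0. It assumes the FORWARD rules Qubes itself installs in a ProxyVM can be stood in for by a single '-A FORWARD -i vif+ -j ACCEPT' with policy DROP, that downstream links are named vif*, and it models only interface, protocol and destination-port matching (no conntrack, no NAT). The interface names, the vif3.0 link and the scenario packets are constructed for the example.

```python
"""Toy first-match model of the iptables rules proposed in the post (added example, not code
from the message or from Qubes). Assumptions: Qubes' own FORWARD rules are stood in for by
'-A FORWARD -i vif+ -j ACCEPT' with policy DROP, downstream links are named vif*, and only
interface/protocol/port matching is modelled (no conntrack, no NAT)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    chain: str          # OUTPUT = generated in the vpn vm, FORWARD = routed for a downstream vm
    out_iface: str
    proto: str
    in_iface: Optional[str] = None
    dport: Optional[int] = None

def iface_match(pattern: Optional[str], actual: Optional[str]) -> bool:
    """iptables -i/-o semantics: unset matches anything, 'vif+' is a prefix match, else exact."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return actual is not None and actual.startswith(pattern[:-1])
    return actual == pattern

@dataclass
class Rule:
    target: str = ""
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (iface_match(self.in_iface, pkt.in_iface) and iface_match(self.out_iface, pkt.out_iface)
                and self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport))

@dataclass
class Firewall:
    policies: Dict[str, str] = field(default_factory=lambda: {"OUTPUT": "ACCEPT", "FORWARD": "DROP"})
    chains: Dict[str, List[Rule]] = field(default_factory=lambda: {"OUTPUT": [], "FORWARD": []})

    def apply(self, spec: str) -> None:
        """Apply one rule specification in iptables argument syntax (-P, -F, -A, -I [N])."""
        op, chain, *rest = shlex.split(spec)
        if op == "-P":
            self.policies[chain] = rest[0]
            return
        if op == "-F":
            self.chains[chain].clear()
            return
        if op not in ("-A", "-I"):
            raise ValueError(f"unsupported operation {op}")
        pos = len(self.chains[chain]) if op == "-A" else 0    # -A appends, -I inserts at the top...
        if op == "-I" and rest and rest[0].isdigit():          # ...or at 1-based position N
            pos, rest = int(rest[0]) - 1, rest[1:]
        fields = {"-i": "in_iface", "-o": "out_iface", "-p": "proto", "--dport": "dport", "-j": "target"}
        rule = Rule()
        for flag, val in zip(rest[::2], rest[1::2]):
            if flag not in fields:
                raise ValueError(f"unsupported option {flag}")
            setattr(rule, fields[flag], int(val) if flag == "--dport" else val)
        self.chains[chain].insert(pos, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the chain's policy applies."""
        for rule in self.chains[pkt.chain]:
            if rule.matches(pkt):
                return rule.target
        return self.policies[pkt.chain]

# Stand-in for the forwarding rules Qubes already installs in a ProxyVM (assumption).
QUBES_BASELINE = ["-A FORWARD -i vif+ -j ACCEPT"]

# The rules exactly as listed in the post.
POSTED_RULES = [
    "-I FORWARD 1 -o eth0 -j DROP",
    "-I FORWARD 2 -i eth0 -j DROP",
    "-P OUTPUT DROP",
    "-F OUTPUT",
    "-A OUTPUT -o lo -j ACCEPT",
    "-A OUTPUT -p udp -o eth0 --dport 1194 -j ACCEPT",
    "-A OUTPUT -p tcp -o eth0 --dport 1194 -j ACCEPT",
    "-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT",
]

# Constructed packets, Packet(chain, out_iface, proto, in_iface, dport); the second one is the
# failure mode the post is about: tun0 is gone, so downstream traffic is routed straight out of eth0.
SCENARIOS = {
    "downstream via tunnel": Packet("FORWARD", "tun0", "tcp", "vif3.0", 443),
    "downstream to clearnet, tunnel down": Packet("FORWARD", "eth0", "tcp", "vif3.0", 443),
    "clearnet host to downstream": Packet("FORWARD", "vif3.0", "tcp", "eth0", 22),
    "openvpn handshake": Packet("OUTPUT", "eth0", "udp", dport=1194),
    "resolve vpn server name": Packet("OUTPUT", "eth0", "udp", dport=53),
    "non-vpn program over tunnel": Packet("OUTPUT", "tun0", "tcp", dport=443),
    "non-vpn program to clearnet": Packet("OUTPUT", "eth0", "tcp", dport=443),
}

def evaluate(rules: Optional[List[str]] = None) -> Dict[str, str]:
    """Load QUBES_BASELINE plus the given rules (default: POSTED_RULES) and judge every scenario."""
    fw = Firewall()
    for spec in QUBES_BASELINE + (POSTED_RULES if rules is None else rules):
        fw.apply(spec)
    return {name: fw.verdict(pkt) for name, pkt in SCENARIOS.items()}
```

With the posted rules, evaluate() returns ACCEPT only for the downstream packet that leaves via tun0, the openvpn handshake and the DNS lookup; the downstream packet that falls back to eth0, inbound clearnet traffic, and any non-vpn program in the vpn vm (over the tunnel or over clearnet) get DROP. Passing an alternative list to evaluate() shows why the FORWARD rules are inserted with -I rather than appended: with "-A FORWARD -o eth0 -j DROP" the assumed Qubes accept rule sits in front of it and the tunnel-down leak is accepted.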