Chris Laprise:
> Hi Marek,
>
> While focusing on the vpn stuff[1] I may have stumbled upon a way to
> make the forwarding chain much simpler.
>
> Replace all the specific rules for downstream vm addresses with this:
>
> FORWARD -i vif+ -d subnet.1 -j ACCEPT
> FORWARD -i vif+ -d subnet.254 -j ACCEPT
>
> So qubes-firewall would become simpler without the need to iterate
> over vm addresses associated with a proxy vm. It's probably more
> effective in general to focus on interfaces where possible, instead of
> IPs (can't source IP addresses be spoofed?).
>
> What do you think?
I think this doesn't work since you can have per VM firewall rules and some may allow DNS and some not.

Source IP address spoofing should be prevented by the rules in the "raw" table. (see 'iptables -vnL -t raw')

HW42
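An added illustration of the two points in the reply above (a constructed model, not qubes-firewall's own code): the interface-only FORWARD chain accepts DNS from every downstream VM regardless of its policy, while the per-VM chain honours it, and both sit behind the raw-table anti-spoofing check. The subnet, vif names and the DNS policy table are assumptions made for the example.

```python
# Added model (not Qubes code) of the two FORWARD-chain designs discussed
# above. Addresses, vif names and the per-VM DNS policy are constructed.
from dataclasses import dataclass

SUBNET = "10.137.2"
DNS_ADDRS = {f"{SUBNET}.1", f"{SUBNET}.254"}  # DNS addresses the proxy VM serves
# raw-table anti-spoofing: each vif may only send from its assigned address
VIF_ADDR = {"vif3.0": f"{SUBNET}.5", "vif4.0": f"{SUBNET}.9"}
# per-VM firewall policy: is this VM allowed to use DNS at all?
ALLOW_DNS = {f"{SUBNET}.5": True, f"{SUBNET}.9": False}

@dataclass(frozen=True)
class Pkt:
    in_if: str  # incoming interface, e.g. vif3.0
    src: str    # source IP
    dst: str    # destination IP

def raw_prerouting_ok(p: Pkt) -> bool:
    """Model of the 'raw' table rules: source IP must match the vif's address."""
    return VIF_ADDR.get(p.in_if) == p.src

def forward_interface_only(p: Pkt) -> str:
    """Proposed chain: 'FORWARD -i vif+ -d subnet.1/.254 -j ACCEPT', no per-VM rules."""
    if p.in_if.startswith("vif") and p.dst in DNS_ADDRS:
        return "ACCEPT"
    return "DROP"

def forward_per_vm(p: Pkt) -> str:
    """qubes-firewall style: a rule per downstream VM address, honouring its policy."""
    if p.in_if.startswith("vif") and p.dst in DNS_ADDRS and ALLOW_DNS.get(p.src, False):
        return "ACCEPT"
    return "DROP"

def verdict(chain, p: Pkt) -> str:
    """Full path of a forwarded packet: raw-table anti-spoofing first, then FORWARD."""
    if not raw_prerouting_ok(p):
        return "DROP-spoofed"
    return chain(p)

if __name__ == "__main__":
    samples = [("vm .5, DNS allowed", Pkt("vif3.0", f"{SUBNET}.5", f"{SUBNET}.1")),
               ("vm .9, DNS denied", Pkt("vif4.0", f"{SUBNET}.9", f"{SUBNET}.1")),
               ("vm .9 spoofing .5", Pkt("vif4.0", f"{SUBNET}.5", f"{SUBNET}.1"))]
    for label, p in samples:
        print(f"{label:20} interface-only={verdict(forward_interface_only, p):13}"
              f" per-vm={verdict(forward_per_vm, p)}")
```

The second sample is the case the reply describes: a VM whose policy denies DNS is still accepted by the interface-only chain, and the third shows why the raw-table check has to precede any rule that matches on source address.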
