On 05/30/2016 10:27 PM, HW42 wrote:
Chris Laprise:
Hi Marek,
While focusing on the vpn stuff[1] I may have stumbled upon a way to
make the forwarding chain much simpler.
Replace all the specific rules for downstream vm addresses with this:
FORWARD -i vif+ -d subnet.1 -j ACCEPT
FORWARD -i vif+ -d subnet.254 -j ACCEPT
So qubes-firewall would become simpler without the need to iterate
over vm addresses associated with a proxy vm. It's probably more
effective in general to focus on interfaces where possible, instead of
IPs (can't source IP addresses be spoofed?).
What do you think?
I think this doesn't work since you can have per VM firewall rules and
some may allow DNS and some not.
Source IP address spoofing should be prevented by the rules in the "raw"
table. (see 'iptables -vnL -t raw')
HW42
Ah, I thought there may be an obvious reason staring me in the face. :)
Chris
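A small Python model of the two points raised in the thread (per-VM DNS policy in FORWARD, and anti-spoofing in the raw table), added here as an illustration; it is not code from the thread or from Qubes, and the subnet, vif names and VM table are constructed.

```python
# Toy model of the two iptables chains discussed above. Constructed example:
# the subnet, interface names and per-VM policy are assumptions, not Qubes data.
from dataclasses import dataclass

SUBNET = "10.137.2"                       # assumed proxy-VM subnet
DNS = {f"{SUBNET}.1", f"{SUBNET}.254"}    # the two DNS addresses from the thread

# Constructed VM table: vif interface -> (assigned IP, DNS allowed by its policy)
VMS = {
    "vif3.0": (f"{SUBNET}.5", True),
    "vif4.0": (f"{SUBNET}.6", False),     # this VM's firewall rules deny DNS
}

@dataclass(frozen=True)
class Pkt:
    in_if: str
    src: str
    dst: str
    dport: int

def raw_prerouting(p):
    """Anti-spoofing (raw table): a vif may only emit packets from its own IP."""
    ip, _ = VMS.get(p.in_if, (None, None))
    return "ACCEPT" if p.src == ip else "DROP"

def forward_per_vm(p):
    """Per-VM FORWARD rules keyed on source IP; sound only after raw_prerouting."""
    for ip, dns_ok in VMS.values():
        if p.src == ip and dns_ok and p.dst in DNS and p.dport == 53:
            return "ACCEPT"
    return "DROP"

def forward_interface_only(p):
    """The proposed simplification: -i vif+ -d subnet.1/.254 -j ACCEPT."""
    if p.in_if.startswith("vif") and p.dst in DNS:
        return "ACCEPT"
    return "DROP"

def verdict(p, forward):
    """Run the raw chain first, then the chosen FORWARD variant."""
    return "DROP" if raw_prerouting(p) == "DROP" else forward(p)
```

Comparing `verdict(p, forward_per_vm)` with `verdict(p, forward_interface_only)` for a DNS packet from the VM whose policy denies DNS shows why the interface-only rule cannot express per-VM policy, while the raw chain drops a spoofed source either way.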
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/574D1428.9040609%40openmailbox.org.