On Wed, Mar 29, 2017 at 07:12:43PM +0000, 'David Shleifman' via qubes-devel wrote:
> Hi,
>
> I am looking for clarifications pertaining to setting firewall rules via
> Qubes VM manager GUI.
>
> A validating caching name resolver is running in one of the appVMs (called
> "sys-dns"):
>
>     sys-net VM <==> sys-firewall VM
>                       |
>                       |<==> sys-dns (appVM)
>                       |<==> AppVM-1
>                       |<==> AppVM-2
>                       . . .
>                       |<==> AppVM-N
>
> Each AppVM has an "Allow DNS queries" checkbox accessible via the "Qubes VM manager
> : VM : Edit VM Firewall rules" menu. When I put a check mark into this
> checkbox, the system updates the iptables in the sys-firewall VM, so that
> packets with destination port 53 are forwarded to the sys-firewall eth0
> interface (IP=10.137.1.8). So far, so good.

No, this isn't quite right - packets are allowed to the vif interface of sys-net. Also, if you look in the NAT table, you'll see that DNS traffic is subject to DNAT to that interface.

> It appears that the more optimal way is to allow the sys-dns name resolver to
> respond to such DNS queries.
>
> Questions
> ---------
>
> 1) How to tune Qubes OS so that putting a check mark into the said checkbox
> causes the packets with destination port 53 to be forwarded to the sys-dns VM
> (instead of the sys-firewall eth0 interface)?

I'm not quite clear on your diagram, since it doesn't seem to show where sys-dns is connected. If it's connected to sys-net, then the answer is simple: you will have to enable interVM traffic - this is explained in the docs: allow DNS traffic between sys-firewall and sys-dns.

As to this question, the easiest thing to do would be to change the DNAT rules on sys-firewall to push DNS traffic to sys-dns. That way the checkbox continues to function as expected, but the DNAT ensures that the traffic goes to sys-dns. If you want to do this you will have to make changes in rc.local and qubes-user-firewall-script in /rw/config - again, well covered in the docs. (www.qubes-os.org/doc/firewall)

> 2) Do the following checkboxes
>     a) "Allow network access except ..."
>     b) "Allow ICMP traffic"
>     c) "Allow DNS queries"
> overlap? Meaning that if a) is the only enabled one out of 3, then both
> "ICMP traffic" and "DNS queries" are allowed.

Yes, exactly so. But there is an explicit rule blocking traffic to 8082 (proxy port), which is removed if you select THAT checkbox. The other checkboxes add ALLOW rules which are redundant if you already have (a) selected.

> 3) What are the typical use cases for disabling "ICMP traffic"? When is it
> safe to disable "ICMP traffic" for a specific AppVM?

It's always "safe", but ICMP provides many control messages about the network. Without it, network traffic will be less efficient.
That's a tradeoff you may choose to make.

> Thank you,
> - David

unman
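One way to carry out the DNAT change unman describes (rewrite port-53 traffic on sys-firewall so it reaches sys-dns while the checkbox keeps its meaning), as an added example that is not part of this thread and not one of Qubes' own scripts. It assumes sys-dns has the constructed address 10.137.2.20 and AppVM-1 10.137.2.30, that Qubes keeps its generated DNS DNAT rules in the nat chain PR-QBS, and that the script is run from the firewall user script under /rw/config on sys-firewall.

```shell
#!/bin/sh
# Added example (not the thread's or the Qubes project's code): sys-firewall
# rules that make "Allow DNS queries" deliver port-53 traffic to sys-dns.
# Assumptions: the IPs below are constructed placeholders; Qubes keeps its
# generated DNS DNAT rules in the nat chain PR-QBS; the script is run from
# the firewall user script under /rw/config on sys-firewall.

SYS_DNS_IP="${SYS_DNS_IP:-10.137.2.20}"     # constructed: address of sys-dns
DNS_CLIENTS="${DNS_CLIENTS:-10.137.2.30}"   # constructed: AppVMs allowed to use it

# dns_rules DNS_IP CLIENT_IP...: print the iptables commands, one per line,
# without running them, so they can be reviewed or tested first.
dns_rules() {
  dns="$1"; shift
  for proto in udp tcp; do
    # Rewrite every DNS destination to sys-dns, except queries from sys-dns
    # itself: its own upstream lookups would otherwise loop back to it.
    echo "iptables -t nat -I PR-QBS ! -s $dns -p $proto --dport 53 -j DNAT --to-destination $dns:53"
    # DNAT happens before FORWARD, so if (as on stock Qubes) the checkbox's own
    # ACCEPT rule names the original DNS address it no longer matches; allow
    # the redirected flow per client to keep per-AppVM control rather than
    # opening sys-dns to every VM. Position 2 keeps the rule behind the
    # established-connections rule, as in the Qubes firewall doc linked above.
    for client in "$@"; do
      echo "iptables -I FORWARD 2 -s $client -d $dns -p $proto --dport 53 -j ACCEPT"
    done
  done
}

# check_form RULE: turn an "-I CHAIN [pos]" insert into the matching "-C CHAIN"
# existence check, so a rule is only added when it is not already there.
check_form() {
  printf '%s\n' "$1" | sed 's/ -I \([A-Z-]*\) \([0-9]* \)\{0,1\}/ -C \1 /'
}

# apply_rules DNS_IP CLIENT_IP...: the user script runs on every firewall
# refresh, so add each rule only if -C says it is absent (no duplicates).
apply_rules() {
  dns_rules "$@" | while IFS= read -r rule; do
    sh -c "$(check_form "$rule")" 2>/dev/null || sh -c "$rule"
  done
}

# rule_count DNS_IP CLIENT_IP...: how many rules dns_rules would emit.
rule_count() { dns_rules "$@" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  # DNS_CLIENTS is deliberately word-split into one argument per client.
  apply_rules "$SYS_DNS_IP" $DNS_CLIENTS
fi
```

Run it without arguments (or call `dns_rules`) to review the generated rules; `--apply` is for the user script itself, where it runs as root inside sys-firewall.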
