On March 30, 2017 8:16 PM Unman wrote:
> On Wed, Mar 29, 2017 at 07:12:43PM +0000, 'David Shleifman' via qubes-devel > wrote: >> Hi, >> >> I am looking for clarifications pertaining to setting firewall rules via >> Qubes VM manager GUI. >> >> A validating caching name resolver is running in one of the appVMs (called >> "sys-dns") >> Each AppVM has "Allow DNS queries" checkbox accessible via "Qubes VM >> manager : VM : Edit VM >> Firewall rules" menu. When I put a check mark into this checkbox, the >> system updates the iptables >> in the sys-firewall VM, so that packets with destination port 53 are >> forwarded to sys-firewall >> eth0 interface (IP=10.137.1.8). So far, so good. > No, this isnt quite right - packets are allowed to the vif interface of > sys-net. My original description is consistent with yours. In particular, the interface has two sides: - one side appears in sys-net VM as vif - the other side appears in sys-firewall VM as eth0 (IP=10.137.1.8) > Also, if you look in the NAT table, you'll see that DNS traffic is> subject > to DNAT to that interface. That is right. DNAT in sys-firewall changes the destination address so that the packets are routed to sys-net through eth0 (IP=10.137.1.8). >> >> It appears, that the more optimal way is to allow sys-dns name resolver to >> respond >> to such DNS queries. >> > I'm not quite clear on your diagram, since it doesn't seem to show where > sys-dns is connected. > If it's connected to sys-net, then the answer is simple: > You will have to enable interVM traffic - this is explained in the docs: > allow DNS traffic between sys-firewall and sys-dns. Proposal A ========== The documentation appears to be good enough to follow. As for the interVMtraffic, do you mean networking between two qubes, i.e. https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes? Here is a diagram for your proposal: _ sys-net VM <====> sys-firewall VM _ | | _ |<==> sys-dns (appVM) |<==> AppVM-1 _ |<==> AppVM-2 _ . . . _ |<==> AppVM-N One of the documented steps is to set the rule in sys-net: _ sudo iptables -I FORWARD 2 -s <IP address of sys-firewall> -d <IP address of sys-dns> -j ACCEPT I guess, _ <IP address of sys-firewall> should be replaced by _ <IP addresses of AppVMs connected to sys_firewall> which yields "10.137.2.0/24". It looks to me that such proposal should work seamlessly. Do these details match more or less with your proposal? Proposal B ========== I am afraid that if sys-net gets compromised, then its iptables may be altered allowing the DNS queries (originated in AppVMs) to bypass the validating caching name resolver running in sys-dns. In this case, the responces will come back to AppVMs without being validated. That represents certain risk. To reduce this risk, I connected sys-dns to sys-firewall. Here is the diagram (copied from my original post): _ sys-net VM <==> sys-firewall VM _ | _ |<==> sys-dns (appVM) _ |<==> AppVM-1 _ |<==> AppVM-2 _ . . . _ |<==> AppVM-N Does this move reduce the mentioned risk? >> Questions >> --------- >> 1) How to tune Qubes OS so that putting a check mark into the said >> checkbox causes the packets with destination port 53 to be forwarded >> to the sys-dns VM (instead of the sys-firewall eth0 interface)? > As to this question, the easiest thing to do would be to change the > DNAT rules on sys-firewall to push DNS traffic to sys-dns. That way the > checkbox continues to function as expected, but the DNAT ensures that > the traffic goes to sys-dns. Do you have in mind "proposal A" or "proposal B" or both? > If you want to do this you will have to make changes in rc.local and > qubes-user-firewall-script in /rw/config - again, well covered in the > docs. (www.qubes-os.org/doc/firewall) That is correct. The documentation is good enough to follow. Currently, there are two DNAT rules in PR-QBS chain which instruct to replace destination address 10.137.2.1 by 10.137.1.1 for packets destined to the port 53. I will add a script to qubes-user-firewall-script which will set the replacement address in these two rules to the IP of sys-dns (instead of 10.137.1.1). Thank you for pointing me to the right direction. - David -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/2051353116.9477460.1490983328033%40mail.yahoo.com. For more options, visit https://groups.google.com/d/optout.
