On Thu, Apr 19, 2018 at 08:29:17PM -0400, Chris Laprise wrote:
> A departure from the R3.x behavior that I think may compromise network
> security is that in R4.0 proxyVMs /proc/sys/net/ipv4/ip_forward is '1' while
> qubes-firewall is starting and executing firewall scripts.
>
> Unless there is some detail that makes ip_forward moot, I think there should
> be a patch (ex: /etc/sysctl.conf) to have the initial VM forwarding state at
> '0' until qubes-firewall finishes initializing.
There is already service ordering that makes qubes-firewall start before
qubes-network (which enables ip_forward). The first thing that the qubes-firewall
service does is insert a default DROP rule into the appropriate forward table.
But indeed there is nothing that guarantees that ip_forward is enabled only
after calling the user script.

Also note that thanks to atomic updates (nftables, iptables-restore), IP
forwarding is no longer disabled while rules are reloaded. But also thanks to
using separate chains, user rules don't need to be re-created each time.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
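The invariant discussed in this exchange is that a proxy VM should never have ip_forward set to '1' unless the forward chain already defaults to DROP. The script below is an added example, not code from the thread or from Qubes, that checks exactly that invariant from a sysctl value and a saved ruleset dump (either `nft list ruleset` or `iptables-save` output). The function names and the constructed sample files are assumptions made for the example; on a live proxy VM the first argument would be /proc/sys/net/ipv4/ip_forward and the second a fresh ruleset dump.

```shell
#!/bin/sh
# Added example (not from the qubes-devel thread): verify that IP forwarding
# is only enabled once the forward chain has a default DROP policy.
#
# check_forward_invariant <ip_forward_file> <ruleset_dump>
#   ip_forward_file : file holding "0" or "1" (e.g. /proc/sys/net/ipv4/ip_forward)
#   ruleset_dump    : saved output of `nft list ruleset` or `iptables-save`
# Returns 0 when the state is safe, 1 when forwarding is on without a default DROP.
check_forward_invariant() {
    ipf=$(tr -d '[:space:]' < "$1")
    # Forwarding off: nothing transits the VM regardless of the rule set.
    [ "$ipf" = "0" ] && return 0
    # nftables style: "type filter hook forward priority 0; policy drop;"
    grep 'hook forward' "$2" | grep -q 'policy drop' && return 0
    # iptables-save style: ":FORWARD DROP [0:0]"
    grep -q '^:FORWARD DROP' "$2" && return 0
    return 1
}

# Constructed sample inputs (hypothetical, for demonstration only); writes them
# to a temporary directory and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf '0\n' > "$d/ipf0"
    printf '1\n' > "$d/ipf1"
    cat > "$d/nft_drop" <<'EOF'
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority 0; policy drop;
		ct state established,related accept
	}
}
EOF
    cat > "$d/nft_accept" <<'EOF'
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
}
EOF
    cat > "$d/ipt_drop" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed samples.
samples=$(make_samples)
for case in "ipf0 nft_accept" "ipf1 nft_drop" "ipf1 ipt_drop" "ipf1 nft_accept"; do
    set -- $case
    if check_forward_invariant "$samples/$1" "$samples/$2"; then
        echo "$1 + $2: safe"
    else
        echo "$1 + $2: UNSAFE (forwarding on without default DROP)"
    fi
done
```

The check deliberately treats "forwarding off" as safe on its own, which is the state the quoted proposal wants during qubes-firewall startup; the other branches capture the atomically loaded default DROP rule the reply describes.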
