On 04/19/2018 09:10 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256

> On Thu, Apr 19, 2018 at 08:29:17PM -0400, Chris Laprise wrote:
>> A departure from the R3.x behavior that I think may compromise network
>> security is that in R4.0 proxyVMs, /proc/sys/net/ipv4/ip_forward is '1' while
>> qubes-firewall is starting and executing firewall scripts.

>> Unless there is some detail that makes ip_forward moot, I think there should
>> be a patch (e.g. /etc/sysctl.conf) to have the initial VM forwarding state at
>> '0' until qubes-firewall finishes initializing.

> There is already service ordering that makes qubes-firewall start
> before qubes-network (which enables ip_forward). The first thing that
> the qubes-firewall service does is insert a default DROP rule into the
> appropriate forward table. But indeed there is nothing that guarantees
> that ip_forward is enabled only after calling the user script.

If qubes-network enables ip_forward later, it's likely that something else prior to that (and to qubes-firewall) is also enabling it.

A qubes-firewall.d script of 'cat /proc/sys/net/ipv4/ip_forward >/somefile' shows the value == 1.

OTOH, if the eth0 interface is not up at that point (not sure on that point), then it may not matter.

> Also note that thanks to atomic updates (nftables, iptables-restore), ip
> forwarding is no longer disabled for the time the rules are being reloaded.
> But also thanks to using separate chains, user rules don't need to be
> re-created each time.

--

Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
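A small shell check for the window discussed in this thread (ip_forward already '1' before a default DROP policy is in place on the FORWARD chain), added here as an example; it is not code from the thread or from the Qubes project, and the sample `iptables -S FORWARD` outputs, chain names and interface names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the qubes-devel thread or Qubes itself): detect the window
# where ip_forward is already 1 while the FORWARD chain still has no default DROP policy.
# Inputs are passed as arguments so the check runs offline; inside a proxyVM you would
# call: forwarding_gated "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -S FORWARD)"

# forward_policy RULES: print the FORWARD chain policy (ACCEPT or DROP) parsed
# from `iptables -S FORWARD` output; prints nothing if no policy line is present.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# forwarding_gated IP_FORWARD RULES: return 0 when nothing can be forwarded
# (sysctl off, or default policy DROP), 1 when the window is open. Anything other
# than a literal "0" in ip_forward is treated as enabled, to stay conservative.
forwarding_gated() {
    ipf=$1
    pol=$(forward_policy "$2")
    [ "$ipf" = "0" ] && return 0
    [ "$pol" = "DROP" ] && return 0
    return 1
}

# Constructed sample outputs of `iptables -S FORWARD`; chain and interface names
# are placeholders, not copied from a real proxyVM.
SAMPLE_EARLY='-P FORWARD ACCEPT'
SAMPLE_AFTER='-P FORWARD DROP
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -j EXAMPLE-FW-CHAIN'

# report IP_FORWARD RULES: human-readable verdict for one snapshot; always returns 0
report() {
    if forwarding_gated "$1" "$2"; then
        echo "ok: ip_forward=$1 policy=$(forward_policy "$2")"
    else
        echo "WINDOW OPEN: ip_forward=$1 policy=$(forward_policy "$2")"
    fi
    return 0
}

report 1 "$SAMPLE_EARLY"   # the state observed from a qubes-firewall.d script
report 1 "$SAMPLE_AFTER"   # after qubes-firewall has inserted its default DROP
report 0 "$SAMPLE_EARLY"   # with an initial sysctl default of 0
```

Run it from a qubes-firewall.d script with the live values to log whether the window is actually open on a given proxyVM; the real fix remains the service ordering discussed above, this only makes the state visible.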
