On Thu, Apr 19, 2018 at 11:00:58PM -0400, Chris Laprise wrote:
> On 04/19/2018 10:59 PM, Chris Laprise wrote:
> > On 04/19/2018 10:54 PM, Chris Laprise wrote:
> > > On 04/19/2018 09:10 PM, Marek Marczykowski-Górecki wrote:
> > > > On Thu, Apr 19, 2018 at 08:29:17PM -0400, Chris Laprise wrote:
> > > > > A departure from the R3.x behavior that I think may compromise network
> > > > > security is that in R4.0 proxyVMs /proc/sys/net/ipv4/ip_forward is '1'
> > > > > while qubes-firewall is starting and executing firewall scripts.
> > > > >
> > > > > Unless there is some detail that makes ip_forward moot, I think there
> > > > > should be a patch (ex: /etc/sysctl.conf) to have the initial VM
> > > > > forwarding state at '0' until qubes-firewall finishes initializing.
> > > >
> > > > There is already service ordering that makes qubes-firewall start
> > > > before qubes-network (which enables ip_forward). The first thing that
> > > > the qubes-firewall service does is insert a default DROP rule into the
> > > > appropriate forward table. But indeed there is nothing that guarantees
> > > > that ip_forward is enabled only after calling the user script.

Implemented: https://github.com/QubesOS/qubes-core-agent-linux/commit/f6dc28106b6153aa0c3b302afe7872e8b3820104

> > > If qubes-network enables ip_forward later, it's likely that something
> > > else prior to that (and qubes-firewall) is also enabling it.
> > >
> > > A qubes-firewall.d script of 'cat /proc/sys/net/ipv4/ip_forward >/somefile'
> > > shows the value == 1.
> > >
> > > OTOH, if the eth0 interface is not up at that point (not sure on that
> > > point) then it may not matter.
> >
> > BTW another test from qubes-firewall.d shows that eth0 is 'UP' at that
> > time.
>
> Clarification: eth0 is UP, but not vif+.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
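As an added example, not code from this thread or from Qubes itself: the kind of qubes-firewall.d audit script Chris describes, extended to record whether the forwarding window discussed above is open at the moment user firewall scripts run (ip_forward still 0, FORWARD chain defaulting to DROP). The function names, the log path and the `-P FORWARD DROP` listing format of `iptables -S FORWARD` are assumptions.

```shell
#!/bin/sh
# Added audit script (not Qubes' own code): intended to be dropped into
# /rw/config/qubes-firewall.d/ in an R4.0 ProxyVM so that the forwarding
# state seen by user firewall scripts is recorded rather than assumed.
# Function names and the '-P FORWARD DROP' listing format are assumptions.

# Succeed (0) only when the ip_forward sysctl file at $1 reads "0".
ip_forward_disabled() {
    [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Succeed (0) when the 'iptables -S FORWARD' listing on stdin sets a DROP policy.
forward_policy_is_drop() {
    grep -q '^-P FORWARD DROP$'
}

# Combined check: $1 = sysctl path, $2 = log file (default stderr),
# stdin = 'iptables -S FORWARD' output. Returns 0 when forwarding is off and
# the chain defaults to DROP; otherwise logs each failed invariant and returns 1.
audit_forwarding_state() {
    sysctl_path="$1"
    log="${2:-/dev/stderr}"
    status=0
    if ! ip_forward_disabled "$sysctl_path"; then
        echo "qubes-firewall.d audit: ip_forward is already 1 while firewall scripts run" >>"$log"
        status=1
    fi
    if ! forward_policy_is_drop; then
        echo "qubes-firewall.d audit: FORWARD chain policy is not DROP" >>"$log"
        status=1
    fi
    return "$status"
}

# Real use inside the ProxyVM (commented out so the file can be sourced for testing);
# the log path is an assumed location:
# iptables -S FORWARD | audit_forwarding_state /proc/sys/net/ipv4/ip_forward /var/log/qubes-firewall-audit.log
```

The script only records the state; whether qubes-firewall should fail closed on a non-zero result is a policy decision for the ProxyVM owner.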
