On Thu, May 30, 2024 at 05:20:04PM -0000, qubist wrote:
> On Wed, 29 May 2024 14:51:36 -0400 Demi Marie Obenour wrote:
>
> > Qubes OS only knows how to manage Xen interfaces. It does not (and,
> > realistically, cannot) know how to manage every kind of network
> > interface imaginable.
>
> In that case, it cannot do this either:
>
> > [...] the network interface must not be brought up at all, to prevent
> > a spoofing vulnerability.
>
> as it is not up to Qubes to do it, right?

Correct.

> Or how will it bring an interface up/down if it cannot control it?
>
> As for sys-net and its self-managed (uplink) interfaces: this means any
> such interface can have its group changed, thus circumventing the
> group-based antispoofing chain you suggest. Actually, sys-net can
> simply 'sudo nft flush ruleset', which is extremely easy with default
> passwordless root, so does it really matter what firewall rules we
> attempt to enforce?
> I don't know if I am overthinking it, but for all that to work
> properly, an external control mechanism is necessary (another qube). I
> don't know if there is an ARP antispoofing mechanism either.
>
> I hope you can clarify.

Qubes OS's current firewall treats any interface in group 2 as if it
were a Xen vif* interface, and prevents downstream spoofing by any
interface _not_ in group 2. Common network management packages assign
all devices to group 0 by default, so this works fine. Being able to
assign non-managed devices to group 2 is intentional, not a bug.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/ZljKCTrG1RvlqYCs%40itl-email.
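An illustrative nftables ruleset, added here to show the group-based pattern the reply describes; it is not Qubes OS's actual firewall, and the table name, interface names and addresses are constructed for the example.

```nft
# Added example (not Qubes OS's own ruleset). Interface group 2 marks
# "downstream" interfaces, the role Xen vif* devices play in Qubes; any
# interface outside group 2 is treated as an uplink and is never allowed
# to present a downstream source address.
table ip antispoof_demo {
    # Addresses assigned to downstream peers (constructed sample values).
    set downstream_ips {
        type ipv4_addr
        elements = { 10.137.0.10, 10.137.0.11 }
    }

    # Which group-2 interface may use which downstream address
    # (constructed sample pairs).
    set allowed_pairs {
        type ifname . ipv4_addr
        elements = { "vif3.0" . 10.137.0.10,
                     "vif4.0" . 10.137.0.11 }
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Group-2 interfaces: only their own assigned address may be the source.
        iifgroup 2 goto antispoof
        # Every other interface: drop anything claiming a downstream address.
        ip saddr @downstream_ips counter drop
    }

    chain antispoof {
        iifname . ip saddr @allowed_pairs accept
        counter drop
    }
}
```

Check which interfaces currently sit in the downstream group with `ip link show group 2`, and validate the ruleset syntax without loading it via `nft -c -f <file>`; as the reply notes, a VM with root in sys-net can reassign groups or flush the ruleset, so these rules constrain downstream qubes rather than sys-net itself.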