On Mon, Jun 03, 2024 at 08:08:22AM -0000, qubist wrote:
> On Sun, 2 Jun 2024 20:34:33 +0200 Marek Marczykowski-Górecki wrote:
> 
> > sys-net is [...] the sandbox that may become compromised due to
> > direct network access.
> 
> Exactly why I ask: what value has a firewall in sys-net at all? If we
> assume it can be compromised at any time, how are we protecting
> anything through antispoofing its uplink interfaces?

Not much. But the same firewall applies to sys-firewall, VPN qubes and
some other configurations. And in those cases it matters a bit more.

> > It's the role of sys-firewall (among other things) to protect
> > other qubes from outside network, including potentially compromised
> > sys-net. That's why anti-spoofing rules are important on eth0 too.
> 
> But you also say:
> 
> On Thu, 23 May 2024 15:53:39 +0200 Marek Marczykowski-Górecki wrote:
> 
> > Well, this is too broad, as for example sys-net is allowed to use its
> > own IP to send packets down the network (like to sys-firewall or other
> > qubes).
> 
> Do you mean (conntrack) established,related?

It may cover some of those cases, yes. But I'm not sure if all (check
for example if traceroute would still work). But also, that sentence was
about the long list of subnets that shouldn't appear on the internet,
but in most cases you connect to LAN first, and those would be filtered
out too. Generally, if you have a link to some network (or even a single
host), it is wrong to filter out its source IP as a spoofed one, because
it isn't spoofed.

> > It would also break any communication to your LAN (like, using
> > network printer in your LAN)...
> 
> Without a clear definition of what traffic is allowed (whitelist), I
> don't see how this can be solved. Simply allowing e.g. 10.137.x.x is
> also broad.

Antispoofing rules should drop _only_ spoofed traffic - packets that use
source IP that doesn't belong to its actual source. Antispoofing rules
are not a place for other policy decisions.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
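As an added illustration of the distinction Marek draws (this is example code, not part of the thread and not Qubes' own firewall implementation), the following Python models a per-interface anti-spoofing check alongside a naive "bogon subnet" filter. The interface names and addresses are constructed; the 10.137.0.0/16 range is used only because the thread mentions 10.137.x.x, and the exact addressing is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed table for a sys-firewall-like qube (illustrative values only).
# Each downstream vif carries exactly one qube, which may only send from the
# address assigned to it.  The uplink (eth0) legitimately carries anything the
# upstream side can reach (LAN hosts, the Internet, sys-net itself), so the
# only sources that are provably spoofed there are our own downstream addresses.
VIF_ADDRESSES = {
    "vif3.0": ip_address("10.137.0.12"),
    "vif4.0": ip_address("10.137.0.17"),
}
UPLINK = "eth0"


def is_spoofed(iface: str, src: str) -> bool:
    """True only when `src` cannot have originated on `iface`.

    This is the policy Marek describes: drop packets whose source IP does not
    belong to their actual source, and make no other policy decision here.
    """
    src_ip = ip_address(src)
    if iface in VIF_ADDRESSES:
        return src_ip != VIF_ADDRESSES[iface]
    if iface == UPLINK:
        return src_ip in VIF_ADDRESSES.values()
    raise ValueError(f"unknown interface {iface}")


# Constructed list of "should not appear on the Internet" prefixes, standing in
# for the long subnet list the thread discusses (RFC 1918 space as an example).
BOGON_PREFIXES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def naive_bogon_filter(src: str) -> bool:
    """True if a subnet-list filter on the uplink would drop this source.

    Shown only to demonstrate the failure mode from the thread: a LAN printer
    or any directly connected network gets dropped even though it is not spoofed.
    """
    src_ip = ip_address(src)
    return any(src_ip in net for net in BOGON_PREFIXES)


def verdicts(packets):
    """Evaluate (iface, src) pairs; returns {(iface, src): (spoof_drop, bogon_drop)}."""
    return {(i, s): (is_spoofed(i, s), naive_bogon_filter(s)) for i, s in packets}
```

The `verdicts` helper makes the contrast visible: a LAN host arriving on eth0 passes the anti-spoofing check but is dropped by the subnet-list approach, while a packet on eth0 claiming a downstream qube's address is dropped by both.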

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/Zl2EZrbLlJU5UvMz%40mail-itl.