On Tue, Mar 25, 2025 at 09:57:01AM +0000, Qubes OS Development Mailing List 
wrote:
> > I don't know if it is not possible (or necessary) to have it
> > Before=network-pre.target
> 
> > Marek simply explained what I was hoping you would understand from the
> > systemd sequencing I showed.
> 
> You didn't know yourself but at the same time you were hoping I would 
> understand from your explanation? Drop the ego, you've already looked a fool 
> in front of your boss.
> 
> There's still a leak, just not from the AppVMs but from the VPN VM itself. 
> Meaning processes other than the VPN process are able to send traffic out 
> eth0, for example.

It is best to not run any process that may send sensitive information in
the VPN VM itself.  The VPN must always be able to send information out
eth* interfaces, but qubes behind it do not.  The latter can be
expressed via very simple rules, such as:

    iifgroup 1 drop
    oifgroup 1 drop

in a forward rule.

Instead of requiring users to write custom scripts, it would be much
better to allow users to configure a qube as a VPN qube in the GUI, and
for Qubes OS to set up these rules automatically.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
