Another hack to avoid having to manually type in the addresses is done
with the attached script. Its like Mareks solution, but does the parsing
on the dom0 side and the syntax is a little easier. It does the remote
tcpdump command in the vm and the results are returned through the
pass-io mechanism. With the -A option the script then generates the
qvm-firewall add commands to its stdout.
Then, if you want to add that address to the firewall you simply copy
and paste the lines you want from that dom0 command terminal window into
another dom0 command window, and the address is added to the firewall
without any manual typing. If you want, you can add a netmask (e.g.
address/24) to an IP in the target window before pressing enter.
[user@dom0 ~]$ qvm-fwdenied -A <MyVmName>
qvm-firewall <MyVmName> -add
ec2-54-200-125-198.us-west-2.compute.amazonaws.com any
qvm-firewall <MyVmName> -add 104.244.43.140 any
qvm-firewall <MyVmName> -add 104.244.43.44 any
qvm-firewall <MyVmName> -add
ec2-54-148-80-75.us-west-2.compute.amazonaws.com any
qvm-firewall <MyVmName> -add
ec2-52-88-118-150.us-west-2.compute.amazonaws.com any
qvm-firewall <MyVmName> -add
ec2-52-25-189-162.us-west-2.compute.amazonaws.com any
...
Note that these appear in batches on the console because tcpdump is in a
mode where it exits after some number of captured packets have been
filtered, with the default set to 200 packets. By default it will
repeatedly restart tcpdump for another batch. The -C ### option allows
that default number of packets to be changed.
It would be far better if the script was made to be multi-threaded so
the output of tcpdump could be read while another thread outputs the
commands and asks the user if each entry should be added or not. I just
have not had time to look into that yet. its obviously a work in progress.
Also it logs everything to /var/tmp/qvm-fwdenied.log if you need to look
at what happened in your last session.
On 07/25/2016 02:14 PM, Franz wrote:
On Mon, Jul 25, 2016 at 2:51 PM, Marek Marczykowski-Górecki
<[email protected]
<mailto:[email protected]>> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Jul 25, 2016 at 02:46:55PM -0300, Franz wrote:
> On Mon, Jul 25, 2016 at 1:24 PM, Marek Marczykowski-Górecki <
> [email protected]
<mailto:[email protected]>> wrote:
> > On Mon, Jul 25, 2016 at 12:06:54PM -0300, Franz wrote:
> > > On Mon, Jul 25, 2016 at 11:11 AM, Marek Marczykowski-Górecki <
> > > [email protected]
<mailto:[email protected]>> wrote:
> > > > On Mon, Jul 25, 2016 at 09:37:10AM -0400, Steve Coleman wrote:
> > > Anyway regarding Marek script I tried it in a dispVM, it writes:
> > > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> > > 262144 bytes
> > >
> > > but then if on the same dispVM I use firefox to go to a gmail account
or
> > > another account, nothing appears on the terminal.
> > >
> > > I even looked if anything changed on dispVM firewall rules, but found
> > > nothing different.
> > >
> > > So how is this script working?
> >
> > I've just tried and it is still working. It should output list of
> > blocked destinations in format of qvm-firewall commands ready to load
> > into Qubes firewall.
> >
> ,
> "blocked destinations"? This makes me think that I should block
> destinations somehow before running the script. Is that so?
Yes, change VM firewall to deny by default.
ok now it works, it outputted a list of addresses. But I have to paste
this list on firewall rules of that VM and this is on Qubes Manager that
is on Dom0, so normal copy paste between VMs does not work.
I can only imagine of writing the addresses on a text file, then copying
the file to Dom0, using
|qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' >
/path/to/file_name_in_dom0|
opening the file in Dom0 (which seems half prohibited) and finally
copying the adresses to Qubes Manager.
Otherwise I'll have to digit manually the addresses to Qubes Manager.
Which is the suggested way to do that?
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXllGTAAoJENuP0xzK19cswBgH/A0OxAIaR7hzEfET8uAcNeiC
IjTNevVwL/z1ymB4HLwdQmOi3AQ5q8db/AoMd37AC06yzxEJkEQzt5HsMbnEK4UI
SFlKbKr5t7/eyK9R7B6dQH2dBL69ODZf8wQWl5T3oEJj3cZOCLOkAQZcjNHgPefU
AX2cKoi3q7TLxy810f08o+KicA2VclBA5Q66tf6GSoFG44VWfBtxZgkHTZ/s9aWW
cUvNfHIZtSZNiIOEJKLHP3y7tLAFZXOvdtIqIo2/jxWIJSc+47ypPxpOSiAdiA79
erUry7spy9ta5GNlblBf5fSGaQaYRBeEGl91+b++pX/zTg1/sMbv3hoCFpVHYnI=
=XmDi
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d154763d-ce5f-e02c-dee6-481ec0d4b02c%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.
#!/usr/bin/python2
# -*- encoding: utf8 -*-
from qubes.qubes import QubesVmCollection
from qubes.qubes import QubesHost
from qubes.qubes import QubesException
from optparse import OptionParser
import subprocess
import sys
import os
import re
import glob
import logging
import logging.handlers
from datetime import datetime
import time
import traceback
LOG_FILENAME = '/var/tmp/qvm-fwdenied.log'
def main():
usage = "usage: %prog [-A] [-C n] <vm-name>"
parser = OptionParser (usage)
parser.add_option ("-A", "--allowlist",
action="store_true",
dest="generate_allow_list",
default=[False],
help="generage allow list for firewall")
parser.add_option ("-R", "--repeat",
action="store_true",
dest="repeat_mode",
default=[False],
help="repeat continuously until ^C")
parser.add_option ("-C", "--count",
type="int",
dest="packet_count",
default=200,
help="return after N packets received")
(options, args) = parser.parse_args ()
#print args
if len(args) != 1 :
print 'vm name not provided'
sys.exit(0)
#print args
vm = args[0]
my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.INFO)
handler =
logging.handlers.RotatingFileHandler(LOG_FILENAME,maxBytes=200000,backupCount=5)
my_logger.addHandler(handler)
my_logger.info('')
nowstring = str(datetime.now())
my_logger.info('qvm-fwdenied started:' + nowstring)
packets = options.packet_count
cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "tcpdump -c ' + str(packets)
+ '"'
my_logger.info(cmd)
if options.repeat_mode :
my_logger.info('repeat mode on')
#print 'repeat mode enabled'
looping = True
try:
while looping:
process =
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
out, err = process.communicate()
errcode = process.returncode
hosts = set()
dom0_updated = False
needs_restart = False
for line in out.split('\n'):
my_logger.info(line)
if re.search('^$',line):
continue
if re.search('admin prohibited',line):
tokens = line.rsplit(' ')
host = tokens[7]
hosts.add(host)
if options.generate_allow_list == True:
for host in hosts:
addCmd = 'qvm-firewall ' + vm + ' -add ' + host + ' any'
print addCmd
my_logger.info(addCmd)
else:
for host in hosts:
print host
if errcode != 0:
print "Error:" + str(errcode)
print err
my_logger.info(['Error:' + str(errcode)])
my_logger.info(err)
sys.exit(1)
if not options.repeat_mode :
looping = False
#else:
# print str(datetime.now())
except KeyboardInterrupt:
print ""
print "Shutdown requested"
cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "killall tcpdump"'
process =
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
out, err = process.communicate()
errcode = process.returncode
print out + ' ' + err
except Exception:
traceback.print_exec(file=sys.stdout)
sys.exit(1)
print ''
my_logger.info('done logging')
sys.exit(0)
main()