Another hack to avoid having to manually type in the addresses is done with the attached script. Its like Mareks solution, but does the parsing on the dom0 side and the syntax is a little easier. It does the remote tcpdump command in the vm and the results are returned through the pass-io mechanism. With the -A option the script then generates the qvm-firewall add commands to its stdout.

Then, if you want to add that address to the firewall you simply copy and paste the lines you want from that dom0 command terminal window into another dom0 command window, and the address is added to the firewall without any manual typing. If you want, you can add a netmask (e.g. address/24) to an IP in the target window before pressing enter.

[user@dom0 ~]$ qvm-fwdenied -A <MyVmName>
qvm-firewall <MyVmName> -add ec2-54-200-125-198.us-west-2.compute.amazonaws.com any
qvm-firewall <MyVmName> -add 104.244.43.140 any
qvm-firewall <MyVmName> -add 104.244.43.44 any
qvm-firewall <MyVmName> -add ec2-54-148-80-75.us-west-2.compute.amazonaws.com any qvm-firewall <MyVmName> -add ec2-52-88-118-150.us-west-2.compute.amazonaws.com any qvm-firewall <MyVmName> -add ec2-52-25-189-162.us-west-2.compute.amazonaws.com any
...

Note that these appear in batches on the console because tcpdump is in a mode where it exits after some number of captured packets have been filtered, with the default set to 200 packets. By default it will repeatedly restart tcpdump for another batch. The -C ### option allows that default number of packets to be changed.

It would be far better if the script was made to be multi-threaded so the output of tcpdump could be read while another thread outputs the commands and asks the user if each entry should be added or not. I just have not had time to look into that yet. its obviously a work in progress.

Also it logs everything to /var/tmp/qvm-fwdenied.log if you need to look at what happened in your last session.


On 07/25/2016 02:14 PM, Franz wrote:


On Mon, Jul 25, 2016 at 2:51 PM, Marek Marczykowski-Górecki
<[email protected]
<mailto:[email protected]>> wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    On Mon, Jul 25, 2016 at 02:46:55PM -0300, Franz wrote:
    > On Mon, Jul 25, 2016 at 1:24 PM, Marek Marczykowski-Górecki <
    > [email protected]
    <mailto:[email protected]>> wrote:
    > > On Mon, Jul 25, 2016 at 12:06:54PM -0300, Franz wrote:
    > > > On Mon, Jul 25, 2016 at 11:11 AM, Marek Marczykowski-Górecki <
    > > > [email protected]
    <mailto:[email protected]>> wrote:
    > > > > On Mon, Jul 25, 2016 at 09:37:10AM -0400, Steve Coleman wrote:
    > > > Anyway regarding Marek script I tried it in a dispVM, it writes:
    > > > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
    > > > 262144 bytes
    > > >
    > > > but then if on the same dispVM I use firefox to go to a gmail account 
or
    > > > another account, nothing appears on the terminal.
    > > >
    > > > I even looked if anything changed on dispVM firewall rules, but found
    > > > nothing different.
    > > >
    > > > So how is this script working?
    > >
    > > I've just tried and it is still working. It should output list of
    > > blocked destinations in format of qvm-firewall commands ready to load
    > > into Qubes firewall.
    > >
    > ,
    > "blocked destinations"?  This makes me think that I should block
    > destinations somehow before running the script. Is that so?

    Yes, change VM firewall to deny by default.


ok now it works, it outputted a list of addresses. But I have to paste
this list on firewall rules of that VM and this is on Qubes Manager that
is on Dom0, so normal copy paste between VMs does not work.

I can only imagine of writing the addresses on a text file, then copying
the file to Dom0, using

|qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' >
/path/to/file_name_in_dom0|

opening the file in Dom0 (which seems half prohibited) and finally
copying the adresses to Qubes Manager.

Otherwise I'll have to digit manually the addresses to Qubes Manager.

Which is the suggested way to do that?


    - --
    Best Regards,
    Marek Marczykowski-Górecki
    Invisible Things Lab
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iQEcBAEBCAAGBQJXllGTAAoJENuP0xzK19cswBgH/A0OxAIaR7hzEfET8uAcNeiC
    IjTNevVwL/z1ymB4HLwdQmOi3AQ5q8db/AoMd37AC06yzxEJkEQzt5HsMbnEK4UI
    SFlKbKr5t7/eyK9R7B6dQH2dBL69ODZf8wQWl5T3oEJj3cZOCLOkAQZcjNHgPefU
    AX2cKoi3q7TLxy810f08o+KicA2VclBA5Q66tf6GSoFG44VWfBtxZgkHTZ/s9aWW
    cUvNfHIZtSZNiIOEJKLHP3y7tLAFZXOvdtIqIo2/jxWIJSc+47ypPxpOSiAdiA79
    erUry7spy9ta5GNlblBf5fSGaQaYRBeEGl91+b++pX/zTg1/sMbv3hoCFpVHYnI=
    =XmDi
    -----END PGP SIGNATURE-----



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d154763d-ce5f-e02c-dee6-481ec0d4b02c%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.
#!/usr/bin/python2
# -*- encoding: utf8 -*-

from qubes.qubes import QubesVmCollection
from qubes.qubes import QubesHost
from qubes.qubes import QubesException
from optparse import OptionParser
import subprocess 
import sys
import os
import re
import glob
import logging
import logging.handlers
from datetime import datetime
import time
import traceback

LOG_FILENAME = '/var/tmp/qvm-fwdenied.log' 

def main():

    usage = "usage: %prog [-A] [-C n] <vm-name>"
    parser = OptionParser (usage)

    parser.add_option ("-A", "--allowlist", 
                       action="store_true",
                       dest="generate_allow_list", 
                       default=[False],
                       help="generage allow list for firewall")

    parser.add_option ("-R", "--repeat", 
                       action="store_true",
                       dest="repeat_mode", 
                       default=[False],
                       help="repeat continuously until ^C")

    parser.add_option ("-C", "--count", 
                       type="int",
                       dest="packet_count", 
                       default=200,
                       help="return after N packets received")

    (options, args) = parser.parse_args ()

    #print args 
    if len(args) != 1 :
        print 'vm name not provided'
        sys.exit(0)

    #print args
    vm = args[0]

    my_logger = logging.getLogger('MyLogger')
    my_logger.setLevel(logging.INFO)
    handler = 
logging.handlers.RotatingFileHandler(LOG_FILENAME,maxBytes=200000,backupCount=5)
    my_logger.addHandler(handler)

    my_logger.info('')
    nowstring = str(datetime.now()) 
    my_logger.info('qvm-fwdenied started:' + nowstring)

    packets = options.packet_count
    cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "tcpdump -c ' + str(packets) 
+ '"'
    my_logger.info(cmd)

    if options.repeat_mode :
        my_logger.info('repeat mode on')
        #print 'repeat mode enabled'

    looping = True

    try:

        while looping:

            process = 
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
            out, err = process.communicate()
            errcode = process.returncode

            hosts = set()
            dom0_updated = False 
            needs_restart = False 
            for line in out.split('\n'):
                my_logger.info(line)
                if re.search('^$',line): 
                      continue
                if re.search('admin prohibited',line): 
                    tokens = line.rsplit(' ')
                    host = tokens[7]
                    hosts.add(host)

            if options.generate_allow_list == True:
               for host in hosts:
                   addCmd = 'qvm-firewall '  + vm + ' -add ' + host + ' any'
                   print addCmd 
                   my_logger.info(addCmd)
            else:
                for host in hosts:
                    print host

            if errcode != 0:
                print "Error:" + str(errcode)
                print err
                my_logger.info(['Error:' + str(errcode)])
                my_logger.info(err)
                sys.exit(1)

            if not options.repeat_mode :
                looping = False
            #else:
            #    print str(datetime.now()) 

    except KeyboardInterrupt:
        print ""
        print "Shutdown requested"
        cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "killall tcpdump"' 
        process = 
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
        out, err = process.communicate()
        errcode = process.returncode
        print out + '  ' + err 
    except Exception:
        traceback.print_exec(file=sys.stdout)
        sys.exit(1)

    print '' 
    my_logger.info('done logging')
    sys.exit(0)


main()

Reply via email to