Hey,
Firewall rules are set for a specific VM/Qube. From common understanding
people would probably think that those rules are active no matter what
happens outside of that very VM/Qube, but in fact it seems like those
rules are active if and only if there is a ProxyVM connected to that
VM/Qube.
Examples:
1) I can configure firewall rules for a ProxyVM, but they are not
activated if that ProxyVM is connected to a NetVM (if I connect another
ProxyVM in between, this might probably work?!)
2) I can configure firewall rules for an AppVM, which will not be active
if that VM is connected
And: What happens if a ProxyVM does not implement the firewall service,
or if the firewall service crashes in the ProxyVM?
I cannot find more information about the firewall mechanism than
"centrally managed in Dom0 and exposed to each Proxy VM through Xen
store" from
http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
Ideas:
a) A warning if an AppVM is (about to be) connected to a NetVM (instead
of a ProxyVM).
b) Do not allow "firewall rules" to be set for ProxyVMs (I think
Proxy-Chains are rather unlikely to be used?!)
c) A warning about DNS-Names in firewall rules
[c) A warning if a connected ProxyVM does not activate the firewall rules]
Thank you,
Robert Mittendorf
--
M.Sc. Computer Science Robert Mittendorf
DigiTrace GmbH - Expertise in IT Forensics
Managing Directors: Alexander Sigel, Martin Wundram
Register court: Köln, HR B 72919
VAT ID: DE278529699
Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-mail: i...@digitrace.de
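The warnings proposed in ideas a), c) and the bracketed c), sketched as an added example that is not part of the original message and not Qubes code. The inventory, VM names and the `firewall_service` flag are constructed, and the model assumes, as the message describes, that a VM's rules are applied only by a directly upstream ProxyVM running the firewall service.

```python
import ipaddress

# Constructed inventory (hypothetical names); VM types use the message's terms.
# "firewall_service" is an assumed flag: does this ProxyVM run the firewall service?
INVENTORY = {
    "sys-net":      {"type": "NetVM",   "netvm": None,           "rules": []},
    "sys-firewall": {"type": "ProxyVM", "netvm": "sys-net",      "rules": ["10.0.0.5"],
                     "firewall_service": True},
    "vpn-proxy":    {"type": "ProxyVM", "netvm": "sys-firewall", "rules": [],
                     "firewall_service": False},
    "work":         {"type": "AppVM",   "netvm": "sys-firewall",
                     "rules": ["192.0.2.0/24", "mail.example.org"]},
    "banking":      {"type": "AppVM",   "netvm": "vpn-proxy",    "rules": ["203.0.113.4"]},
    "untrusted":    {"type": "AppVM",   "netvm": "sys-net",      "rules": ["198.51.100.7"]},
    "vault":        {"type": "AppVM",   "netvm": None,           "rules": []},
}

def is_ip_literal(dest):
    """True for an IPv4/IPv6 address or CIDR range, False for a DNS name."""
    try:
        ipaddress.ip_network(dest, strict=False)
        return True
    except ValueError:
        return False

def audit(inventory):
    """Return (vm, finding) pairs for VMs whose configured rules need attention."""
    findings = []
    for name, vm in sorted(inventory.items()):
        if not vm["rules"] or vm["netvm"] is None:
            continue  # nothing configured, or no network path at all
        upstream = inventory[vm["netvm"]]
        if upstream["type"] != "ProxyVM":
            # Idea a): rules configured, but the upstream VM is a NetVM.
            findings.append((name, "unenforced: upstream is not a ProxyVM"))
        elif not upstream.get("firewall_service", False):
            # Bracketed idea c): the ProxyVM does not apply the rules.
            findings.append((name, "unenforced: upstream firewall service inactive"))
        for dest in vm["rules"]:
            if not is_ip_literal(dest):
                # Idea c): the rule names a host instead of an address.
                findings.append((name, "dns-name rule: " + dest))
    return findings

if __name__ == "__main__":
    for vm_name, finding in audit(INVENTORY):
        print(vm_name + ": " + finding)
```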