On 09/20/2016 01:16 PM, mittend...@digitrace.de wrote:
> Firewall rules are set for a specific VM/Qube. From common
> understanding people would probably think that those rules are active
> no matter what happens outside of that very VM/Qube, but in fact it
> seems like those rules are active if and only if there is a ProxyVM
> connected to that VM/Qube.
> 1) I can configure firewall rules for a ProxyVM, but they are not
> activated if that ProxyVM is connected to a NetVM (if I connect another
> ProxyVM in between, this might probably work?!)
> 2) I can configure firewall rules for an AppVM, which will not be
> active if that VM is connected
> And: What happens if a ProxyVM does not implement the firewall
> service, or if the firewall service crashes in the ProxyVM?
> I cannot find more information about the firewall mechanism than
> "centrally managed in Dom0 and exposed to each Proxy VM through Xen
> a) A warning if an AppVM is (about to be) connected to a NetVM
> (instead of a ProxyVM).
> b) Do not allow "firewall rules" to be set for ProxyVMs (I think
> Proxy-Chains are rather unlikely to be used?!)
> c) A warning about DNS-Names in firewall rules
> [c) A warning if a connected ProxyVM does not activate the firewall
This is a good candidate for filing an issue, but mainly for this
situation -- "A warning if an upstream VM does not implement the
firewall rules", which should include connecting to netvms.
IIRC, Qubes Manager used to grey-out the firewall tab for any vm that
was connected to a netvm. That doesn't appear to be the case now in R3.2.
As for idea 'b', I'd disagree with that. Chained proxyvms are probably
more common than you think.
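The warning discussed above (rules set on a VM whose upstream is a NetVM rather than a ProxyVM, including a ProxyVM plugged straight into a NetVM, and the chained-ProxyVM case) can be expressed as a small audit over the VM topology. This is an added illustration, not Qubes' own code or API: the topology, the `role`/`rules_enforced`/`audit` names and the constructed VM names are all assumptions, and enforcement is modelled as the thread describes it (a VM's rules are applied only by a ProxyVM directly upstream of it).

```python
# Constructed model of a Qubes network topology (assumption, not Qubes' API).
# Each entry: vm -> (netvm or None, provides_network, has_firewall_rules)
TOPOLOGY = {
    "sys-net":      (None,           True,  False),  # NetVM: on hardware, no upstream
    "sys-firewall": ("sys-net",      True,  True),   # ProxyVM plugged into the NetVM
    "work":         ("sys-firewall", False, True),   # AppVM behind the ProxyVM
    "untrusted":    ("sys-net",      False, True),   # AppVM plugged straight into NetVM
    "sys-vpn":      ("sys-firewall", True,  True),   # chained ProxyVM (proxy behind proxy)
}


def role(vm, topo):
    """Classify a VM: a NetVM provides network with no upstream, a ProxyVM
    provides network and has an upstream, anything else is an AppVM."""
    netvm, provides, _ = topo[vm]
    if provides and netvm is None:
        return "NetVM"
    return "ProxyVM" if provides else "AppVM"


def rules_enforced(vm, topo):
    """Model of the behaviour described in the thread: a VM's firewall rules
    are applied by the ProxyVM directly upstream, so they are live only when
    the VM's netvm is a ProxyVM (not a NetVM, and not 'no netvm')."""
    netvm = topo[vm][0]
    return netvm is not None and role(netvm, topo) == "ProxyVM"


def audit(topo):
    """Return one warning per VM whose configured rules will not be enforced."""
    warnings = []
    for vm, (netvm, _, has_rules) in topo.items():
        if has_rules and not rules_enforced(vm, topo):
            where = ("connected directly to NetVM %s" % netvm) if netvm \
                else "not connected to any NetVM"
            warnings.append("%s (%s): firewall rules set but %s; rules are not enforced"
                            % (vm, role(vm, topo), where))
    return warnings


if __name__ == "__main__":
    for line in audit(TOPOLOGY):
        print("WARNING:", line)
```

With the constructed topology the audit flags `sys-firewall` (a ProxyVM plugged into the NetVM, case 1 above) and `untrusted` (an AppVM bypassing the ProxyVM, case 2), while `work` and the chained `sys-vpn` pass.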