On 09/20/2016 01:16 PM, mittend...@digitrace.de wrote:

Firewall rules are set for a specific VM/Qube. From common understanding, people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.


1) I can configure firewall rules for a ProxyVM, but they are not activated if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)

2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected

And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ? I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).

b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)

c) A warning about DNS-Names in firewall rules

[c) A warning if a connected ProxyVM does not activate the firewall rules]

thank you,

Robert Mittendorf

This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to NetVMs.

IIRC, Qubes Manager used to grey out the firewall tab for any VM that was connected to a NetVM. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.
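The check both posters are asking for, as an added example that is not part of this thread or of the Qubes project: it models the behaviour described above (a VM's rules are applied by its immediate upstream VM, and only when that upstream is a ProxyVM), walks a VM topology and warns about every VM whose rules would silently go unenforced, including an AppVM attached directly to a NetVM (idea a) and a ProxyVM attached to a NetVM (point 1). The topology is a constructed dict; in dom0 it is assumed it would be filled from `qvm-prefs -g <vm> netvm` and the VM type, which the script does not do itself. Chained ProxyVMs are handled, since a ProxyVM behind another ProxyVM does get its own rules enforced.

```python
# Audit which Qubes VMs actually have their firewall rules enforced.
# Added example: not code from the qubes-users thread or from Qubes itself.
#
# Model of the behaviour discussed in the thread: the firewall rules
# configured for a VM are applied by that VM's immediate upstream VM, and
# only if that upstream is a ProxyVM (a VM running the firewall service).
# Rules on a VM whose upstream is a NetVM, or that has no upstream, are
# never applied anywhere. Reading the real topology from dom0 (assumed:
# `qvm-prefs -g <vm> netvm` plus the VM type) is left to the caller.

from typing import Dict, List, Optional, Tuple

# VM name -> (kind, upstream VM name or None).
# kind is one of "net" (NetVM), "proxy" (ProxyVM), "app" (AppVM).
Topology = Dict[str, Tuple[str, Optional[str]]]

# Constructed sample topology, mirroring the cases raised in the thread.
SAMPLE_TOPOLOGY: Topology = {
    "sys-net":      ("net",   None),            # NetVM, no upstream
    "sys-firewall": ("proxy", "sys-net"),       # point 1): proxy on a NetVM
    "sys-whonix":   ("proxy", "sys-firewall"),  # chained proxy (reply's point)
    "work":         ("app",   "sys-firewall"),  # normal, rules enforced
    "anon-web":     ("app",   "sys-whonix"),    # normal, behind chained proxy
    "risky":        ("app",   "sys-net"),       # idea a): AppVM straight on NetVM
    "offline":      ("app",   None),            # no network at all
}


def enforcement_point(topology: Topology, vm: str) -> Optional[str]:
    """Return the VM that enforces `vm`'s firewall rules, or None if nobody does."""
    _kind, upstream = topology[vm]
    if upstream is None:
        return None
    upstream_kind, _ = topology[upstream]
    return upstream if upstream_kind == "proxy" else None


def rules_enforced(topology: Topology, vm: str) -> bool:
    return enforcement_point(topology, vm) is not None


def audit(topology: Topology) -> List[Tuple[str, str]]:
    """Return (vm, warning) pairs for every VM whose rules are not enforced."""
    warnings: List[Tuple[str, str]] = []
    for vm, (kind, upstream) in sorted(topology.items()):
        if kind == "net":
            continue  # a NetVM has nothing upstream to enforce its rules
        if upstream is None:
            warnings.append((vm, "no upstream VM: firewall rules are never applied"))
            continue
        if enforcement_point(topology, vm) is None:
            warnings.append((vm, "upstream %s is a NetVM, not a ProxyVM: "
                                 "firewall rules are never applied" % upstream))
    return warnings


def enforced_by(topology: Topology, proxy: str) -> List[str]:
    """List the VMs whose rules a given ProxyVM is responsible for."""
    return sorted(vm for vm in topology if enforcement_point(topology, vm) == proxy)


if __name__ == "__main__":
    for vm, why in audit(SAMPLE_TOPOLOGY):
        print("WARNING %-12s %s" % (vm, why))
    for vm, (kind, _) in SAMPLE_TOPOLOGY.items():
        if kind == "proxy":
            print("%s enforces rules for: %s" % (vm, ", ".join(enforced_by(SAMPLE_TOPOLOGY, vm))))
```

Running it against the sample topology flags `risky` (AppVM on a NetVM), `sys-firewall` (ProxyVM on a NetVM, so its own rules are dead even though it enforces everyone else's) and `offline`, while `sys-whonix` is not flagged because its upstream is itself a ProxyVM.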

