On 09/20/2016 01:16 PM, mittend...@digitrace.de wrote:
Hey,

Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.

Examples:

1) I can configure firewall rules for a ProxyVM, but they are not activated, if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)

2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected

And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM ? I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

Ideas:
a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).

b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)

c) A warning about DNS-Names in firewall rules

[c) A warning if a connected ProxyVM does not activate the firewall rules]

thank you,

Robert Mittendorf


This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms.

IIRC, Qubes Manager used to grey-out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.

Chris
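The situation described in this thread (rules on a VM are only applied by the ProxyVM directly upstream of it, so rules on a VM attached straight to a NetVM, or on a ProxyVM whose upstream is a NetVM, silently do nothing) lends itself to a simple topology audit of the kind Robert's idea a) and c) and Chris's proposed warning ask for. The following is an added example, not Qubes code and not something posted by either participant. It models the VM graph in plain Python with constructed sample data; the `VM` class, the `firewall_service` flag and the rule format (a list of destination hosts or CIDRs) are assumptions of this example, not Qubes' own data model.

```python
"""Audit which per-VM firewall rule sets are actually enforced.

Hypothetical model of a Qubes-style network chain: every VM has a kind
(NetVM, ProxyVM, AppVM) and an upstream 'netvm'. As described in the
thread, a VM's rules are applied by the ProxyVM directly upstream of it,
so they are inactive when that upstream is absent, is a NetVM, or does
not run the firewall service.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VM:
    name: str
    kind: str                      # "NetVM", "ProxyVM" or "AppVM"
    netvm: Optional[str]           # upstream VM name; None = not connected
    rules: List[str] = field(default_factory=list)  # allowed destinations (host or CIDR)
    firewall_service: bool = True  # assumed flag: does this ProxyVM run the firewall service?


def enforcement_status(vm: VM, topo: Dict[str, VM]) -> Tuple[bool, str]:
    """Return (enforced, reason) for the rules configured on vm."""
    if not vm.rules:
        return True, "no rules configured"
    upstream = topo.get(vm.netvm) if vm.netvm else None
    if upstream is None:
        return False, "not connected to any upstream VM"
    if upstream.kind != "ProxyVM":
        return False, f"upstream {upstream.name} is a {upstream.kind}, not a ProxyVM"
    if not upstream.firewall_service:
        return False, f"upstream ProxyVM {upstream.name} does not run the firewall service"
    return True, f"enforced by upstream ProxyVM {upstream.name}"


def dns_name_rules(vm: VM) -> List[str]:
    """Rules whose destination is a DNS name rather than an IP address or CIDR."""
    names = []
    for dst in vm.rules:
        try:
            ipaddress.ip_network(dst, strict=False)
        except ValueError:
            names.append(dst)
    return names


def audit(topo: Dict[str, VM]) -> List[str]:
    """Collect one warning per inactive rule set and per DNS-name rule."""
    warnings = []
    for vm in topo.values():
        enforced, reason = enforcement_status(vm, topo)
        if not enforced:
            warnings.append(f"{vm.name}: firewall rules NOT active ({reason})")
        for name in dns_name_rules(vm):
            warnings.append(f"{vm.name}: rule uses DNS name '{name}' instead of an address")
    return warnings


# Constructed sample topology mirroring the two examples in the thread.
SAMPLE = {vm.name: vm for vm in [
    VM("sys-net", "NetVM", None),
    # example 1: rules on a ProxyVM whose upstream is a NetVM
    VM("sys-firewall", "ProxyVM", "sys-net", rules=["10.0.0.0/8"]),
    # chained ProxyVMs: these rules are applied by sys-firewall
    VM("sys-vpn", "ProxyVM", "sys-firewall", rules=["203.0.113.0/24"]),
    # AppVM behind a ProxyVM, but with a DNS name in its rule
    VM("work", "AppVM", "sys-vpn", rules=["intranet.example"]),
    # example 2: AppVM connected directly to the NetVM
    VM("untrusted", "AppVM", "sys-net", rules=["198.51.100.7"]),
]}


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run as a script it prints three warnings for the sample: `sys-firewall` and `untrusted` have rule sets that nothing enforces, and `work` carries a DNS name in a rule; `sys-vpn`'s rules are reported as enforced because a ProxyVM (`sys-firewall`) sits directly upstream of it, which is the chained-ProxyVM case Chris mentions.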

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a546e8f-5a84-ed27-17ab-2263e1e6972a%40openmailbox.org.