On 09/21/2016 06:24 AM, Robert Mittendorf wrote:
Am 09/20/2016 um 10:29 PM schrieb Chris Laprise:
This is a good candidate for filing an issue, but mainly for this
situation -- "A warning if an upstream VM does not implement the
firewall rules", which should include connecting to netvms.
IIRC, Qubes Manager used to grey-out the firewall tab for any vm that
was connected to a netvm. That doesn't appear to be the case now in
R3.2.
As for idea 'b', I'd disagree with that. Chained proxyvms are
probably more common than you think.
Chris
Hey Chris,
sorry for my first answer directly to you - I expected a mailing list
to set/replace the "answer to" field
I still use 3.1! firewall rules are disabled for NetVMs, but not
dynamically for VMs that are not connected to a proxy VM.
I'm curious - do you have an example for a usefull local proxy(VM) chain?
Yes. For example you can connect a Whonix Tor gateway to a VPN tunnel
(or vice-versa). Some people will even add a dedicated firewall to that
chain.
Also, if you want to apply some firewall rules easily to many vms which
are using your regular firewall vm, you can put another proxy vm
upstream from the firewall then add the rules to the firewall.
Am 09/21/2016 um 12:07 PM schrieb Andrew David Wong
Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.
I agree - that is why my idea was to disable firewall rules for proxy
VMs.
2) I can configure firewall rules for a AppVM, which will not be active if that
VM is connected
Assuming you meant "unconnected," that's right.
Actually I meant connected to a NetVM and thereby the internet. Sorry.
And: What happens if a ProxyVM does not implement the firewall service, or if
the firewall service crashes in the ProxyVM ?
I cannot find more information about the firewall mechanism than "centrally managed
in Dom0 and exposed to each Proxy VM through Xen store"
fromhttp://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
Take a look at these pages:
https://www.qubes-os.org/doc/qubes-firewall/
https://www.qubes-os.org/doc/networking/
I looked at the firewall page. The networking pages seems to miss
exactly the information I'm looking for in the "Firewall and Proxy
VMs" section - like how the information from xen store is loaded
within the proxyVM and what happens, if something failes (e.g. Is
there a risk that proxying works, but firewall rules are ignored ?)
There's no reliable & safe way to verify the internal proxyvm state like
this. Usually, proxyvms are assigned roles of trust, and trust pertains
not only to it being free of malware... but also its ability to function
correctly in general. Also, proxyvms such as sys-firewall are relatively
simple so there is little that can break.
Chris
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/9c0ee243-8701-3a54-8930-27e52f389e98%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
