On 09/21/2016 06:24 AM, Robert Mittendorf wrote:
Am 09/20/2016 um 10:29 PM schrieb Chris Laprise:


This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms.

IIRC, Qubes Manager used to grey-out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.

Chris

Hey Chris,

sorry for my first answer directly to you - I expected a mailing list to set/replace the "answer to" field

I still use 3.1! firewall rules are disabled for NetVMs, but not dynamically for VMs that are not connected to a proxy VM.

I'm curious - do you have an example for a usefull local proxy(VM) chain?

Yes. For example you can connect a Whonix Tor gateway to a VPN tunnel (or vice-versa). Some people will even add a dedicated firewall to that chain.

Also, if you want to apply some firewall rules easily to many vms which are using your regular firewall vm, you can put another proxy vm upstream from the firewall then add the rules to the firewall.




Am 09/21/2016 um 12:07 PM schrieb Andrew David Wong
Normally, it wouldn't make sense to try to enforce
firewall rules for a FirewallVM. That's why the default
sys-firewall and sys-net work the way they do. However,
if you have a need for this, you're free to create your own
FirewallVMs and chain them together.
I agree - that is why my idea was to disable firewall rules for proxy VMs.
2) I can configure firewall rules for a AppVM, which will not be active if that 
VM is connected
Assuming you meant "unconnected," that's right.
Actually I meant connected to a NetVM and thereby the internet. Sorry.
And: What happens if a ProxyVM does not implement the firewall service, or if 
the firewall service crashes in the ProxyVM ?
I cannot find more information about the firewall mechanism than "centrally managed 
in Dom0 and exposed to each Proxy VM through Xen store" 
fromhttp://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
Take a look at these pages:

https://www.qubes-os.org/doc/qubes-firewall/

https://www.qubes-os.org/doc/networking/
I looked at the firewall page. The networking pages seems to miss exactly the information I'm looking for in the "Firewall and Proxy VMs" section - like how the information from xen store is loaded within the proxyVM and what happens, if something failes (e.g. Is there a risk that proxying works, but firewall rules are ignored ?)

There's no reliable & safe way to verify the internal proxyvm state like this. Usually, proxyvms are assigned roles of trust, and trust pertains not only to it being free of malware... but also its ability to function correctly in general. Also, proxyvms such as sys-firewall are relatively simple so there is little that can break.

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c0ee243-8701-3a54-8930-27e52f389e98%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to