On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:
> Oops about what? Unlike the official Qubes VPN documentation, which
> counsels people to write scripts that make non-atomic modifications to
> their firewall, which actually and demonstrably have a leak between
> Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> in-between the addition of iptables rules.

The qubes-firewall-user-script is a feature of Qubes firewall. And it's
one of the original Qubes docs that encourage people to use it. So, yes,
there is a vulnerability in Qubes firewall, and it should be noted
foremost in the Known Issues for the project.

The VPN use case is probably one of the least-vulnerable examples of
leakiness in Qubes firewall, because it requires multiple failures to
line up in a small window. That means non-VPN use cases are probably at
least as vulnerable. It's the underlying problem which is my overriding