On Thu, Oct 13, 2016 at 11:22:08PM -0400, Chris Laprise wrote:
> On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:
> >
> > Oops about what? Unlike the official Qubes VPN documentation, which
> > counsels people to write scripts that make non-atomic modifications to
> > their firewall, which actually and demonstrably have a leak between
> > Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> > in-between the addition of iptables rules.
>
> The qubes-firewall-user-script is a feature of Qubes firewall. And it's one
> of the original Qubes docs that encourage people to use it. So, yes, there
> is a vulnerability in Qubes firewall, and it should be noted foremost in the
> Known Issues for the project.
ip_forwarding is disabled for the time of reloading rules.

Anyway, guys, please. Both solutions are fine. One is easier to understand,
convert to other VPN software and apply to a ProxyVM without modifying any
template. The other one is OpenVPN-specific (at least currently) and easier
to package (so it does not require the user to copy any script manually).
Technical details here (more iptables modifications vs. a separate route
table) are just technical details. Both approaches should work.

The nice thing about the manual one (in its current shape) is also blocking
traffic going from the ProxyVM itself (and not originated by the VPN
software). But it should be trivial to add the same to the other one. This
should not affect AppVMs behind such a ProxyVM in any way.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
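The thread turns on two points: rules appended one `iptables` command at a time leave a window in which forwarding is allowed but the VPN restriction is not yet in place, and Qubes closes that window by switching off ip_forwarding while rules are reloaded. The script below is an added illustration of that fail-closed reload pattern; it is not Qubes' own firewall code or either of the scripts discussed in the thread. The interface names (`tun0`, `eth0`, `vif+`) are placeholders, and because `iptables-restore` replaces the whole `filter` and `nat` tables, it is shown as a standalone ProxyVM example rather than a drop-in for a system where the Qubes firewall owns those tables.

```shell
#!/bin/sh
# Added example: leak-free reload of VPN-only forwarding rules.
# Assumed interface names (placeholders, not taken from the thread):
VPN_IF="${VPN_IF:-tun0}"      # the VPN tunnel device
UPLINK_IF="${UPLINK_IF:-eth0}" # the plain, non-VPN uplink
CLIENT_IF="${CLIENT_IF:-vif+}" # AppVM-facing interfaces

# Emit one complete iptables-restore ruleset. iptables-restore commits each
# table atomically, so a rule that opens the VPN path never exists without
# the DROP policy and the uplink REJECT that accompany it. The FORWARD
# policy is DROP: if the tunnel is down, client traffic goes nowhere.
vpn_ruleset() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $CLIENT_IF -o $VPN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $CLIENT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $CLIENT_IF -o $UPLINK_IF -j REJECT --reject-with icmp-admin-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check before applying: the ruleset fails closed only if FORWARD
# defaults to DROP and nothing accepts client traffic straight to the uplink.
# Returns 0 (true) when both conditions hold.
ruleset_is_failclosed() {
  printf '%s\n' "$1" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$1" | grep -q -- "-o $UPLINK_IF -j ACCEPT" && return 1
  return 0
}

# Reload in the order the thread describes: stop forwarding first, swap the
# rules in one commit, then re-enable forwarding. Nothing is forwarded while
# the rule set is in flux, whatever the order of the individual rules.
reload_rules() {
  ruleset="$(vpn_ruleset)"
  ruleset_is_failclosed "$ruleset" || { echo "refusing to load a ruleset that does not fail closed" >&2; return 1; }
  echo 0 > /proc/sys/net/ipv4/ip_forward
  printf '%s\n' "$ruleset" | iptables-restore
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Default action prints the ruleset; "apply" performs the reload (needs root).
case "${1:-show}" in
  show)  vpn_ruleset ;;
  apply) reload_rules ;;
esac
```

Run without arguments to inspect the generated ruleset; `./vpn-reload.sh apply` performs the guarded reload. Keeping the ruleset in a single `iptables-restore` transaction is what removes the per-rule window; turning off ip_forward around it is a second, independent guard in case the restore itself fails part-way.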