
On Thu, Oct 13, 2016 at 11:22:08PM -0400, Chris Laprise wrote:
> On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:
> > 
> > Oops about what?  Unlike the official Qubes VPN documentation, which
> > counsels people to write scripts that make non-atomic modifications to
> > their firewall, which actually and demonstrably have a leak between
> > Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> > in-between the addition of iptables rules.
> The qubes-firewall-user-script is a feature of Qubes firewall. And it's one
> of the original Qubes docs that encourage people to use it. So, yes, there
> is a vulnerability in Qubes firewall, and it should be noted foremost in the
> Known Issues for the project.

ip_forwarding is disabled for the duration of the rule reload.

Anyway, guys, please. Both solutions are fine.
One is easier to understand, to convert to other VPN software, and to apply
to a ProxyVM without modifying any template. The other one is OpenVPN
specific (at least currently) and easier to package (so it does not require
the user to copy any script manually). Technical details here (more
iptables modifications vs a separate route table) are just technical
details. Both approaches should work.

A nice thing about the manual one (in its current shape) is that it also
blocks traffic going from the ProxyVM itself (not originated by the VPN
software). But it should be trivial to add the same to the other one. This
should not affect AppVMs behind such a ProxyVM in any way.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


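The leak the thread argues about comes from applying VPN rules one iptables call at a time while forwarding stays on, and the point Marek makes above is that forwarding is off while the rules are reloaded. The script below is an added example written for this page; it is not the Qubes documentation's script, the qubes-firewall-user-script hook, or either contributor's code. It shows the fail-closed pattern on a plain Linux router: emit the whole filter table as one iptables-restore ruleset, turn ip_forward off, commit the table in a single transaction, and only turn forwarding back on if the commit succeeded. It also includes the OUTPUT rules Marek mentions, so that the ProxyVM's own traffic can only leave through the tunnel or as the VPN handshake to the endpoint. The interface names (tun0, eth0), the endpoint address 198.51.100.10 (documentation range) and port, and the protocol are all assumptions; the rule content is illustrative and does not model the chains Qubes itself maintains.

```shell
#!/bin/sh
# Added example, not code from the Qubes project or from the thread.
# Atomic VPN-only firewall reload with forwarding disabled meanwhile.
# Interface names, VPN endpoint, port and protocol below are assumptions.

VPN_IF="${VPN_IF:-tun0}"                   # interface created by the VPN software (assumed)
UPLINK_IF="${UPLINK_IF:-eth0}"             # the ProxyVM's own uplink (assumed)
VPN_SERVER="${VPN_SERVER:-198.51.100.10}"  # VPN endpoint, documentation-range address (assumed)
VPN_PORT="${VPN_PORT:-1194}"               # assumed
VPN_PROTO="${VPN_PROTO:-udp}"              # assumed

# Emit one complete filter-table ruleset for iptables-restore.
# Lines starting with '#' are ignored by iptables-restore.
vpn_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and return traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# AppVMs behind this ProxyVM may only leave through the tunnel.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $VPN_IF -j ACCEPT
# The ProxyVM itself: only the tunnel, or the VPN handshake to the endpoint.
-A OUTPUT -o $VPN_IF -j ACCEPT
-A OUTPUT -o $UPLINK_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
COMMIT
EOF
}

# Disable forwarding, replace the filter table in one transaction, re-enable.
# iptables-restore commits the table at COMMIT as a single replacement, so
# AppVMs never see a half-populated table. Forwarding is off meanwhile, so
# if the restore fails the ProxyVM keeps dropping forwarded packets rather
# than sending them out the uplink (fail closed).
apply_ruleset() {
    sysctl -q -w net.ipv4.ip_forward=0
    if vpn_ruleset | iptables-restore; then
        sysctl -q -w net.ipv4.ip_forward=1
        return 0
    fi
    echo "iptables-restore failed; forwarding left disabled" >&2
    return 1
}

# Applying needs root and a real netfilter; by default just print the ruleset.
if [ "${APPLY:-0}" = 1 ]; then
    apply_ruleset
else
    vpn_ruleset
fi
```

Run it as APPLY=1 from a firewall hook to apply; without APPLY it only prints the generated table so it can be reviewed. The order matters: a sequence of separate `iptables -A` calls starting from an ACCEPT policy, with forwarding on, leaves a window in which forwarded packets match nothing and are accepted out the uplink; one iptables-restore transaction with forwarding off has no such window.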