-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Oct 13, 2016 at 11:22:08PM -0400, Chris Laprise wrote:
> On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:
> > Oops about what? Unlike the official Qubes VPN documentation, which
> > counsels people to write scripts that make non-atomic modifications to
> > their firewall, which actually and demonstrably have a leak between
> > Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> > in-between the addition of iptables rules.
> The qubes-firewall-user-script is a feature of Qubes firewall. And its one
> of the original Qubes docs that encourage people to use it. So, yes, there
> is a vulnerability in Qubes firewall, and it should be noted foremost in the
> Known Issues for the project.
ip_forwarding is disabled for the time of reloading rules.
Anyway, guys, please. Both solutions are fine.
One is easier to understand, convert to other VPN software and apply to
ProxyVM without modifying any template. The other one is OpenVPN
specific (at least currently) and easier to package (so do not require
copying any script by the user manually). Technical details here (more
iptables modifications vs separate route table) are just technical
details. Both approaches should work.
The nice thing of manual one (in current shape) is also blocking traffic
going from ProxyVM itself (and not originated by VPN software). But it
should be trivial to add the same to the other one. This should not
affect AppVMs behind such ProxyVM in anyway.
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to firstname.lastname@example.org.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.