On 11/10/2016 01:28 PM, David Hobach wrote:
> I'd recommend to avoid any tools employing iptables which were not
> written explicitly for Qubes as well.
This. Or at least don't use them without careful inspection.
> Your firewall settings are constantly being reset and manipulated by
> Qubes. Your custom changes will disappear if you don't use the
> Qubes method of persisting them. However, even then your custom changes
> might not work well with the Qubes changes and you might run into
> unexpected issues such as your downstream appVMs suddenly having
> internet access even though you configured it differently in Qubes
> (but your custom rules somehow allow it).
> Moreover, this behaviour might change with newer Qubes versions...
> Maybe the iptables lines mentioned at
> https://www.qubes-os.org/doc/vpn/ will continue to work in the future,
> maybe they won't. Will you check that site every 3 months? Will you
> hope that no one forgot to update it (is it currently up to date anyway)?
FYI, the VPN doc is up to date, and the way that Qubes firewall works
has not changed significantly in all the 3.x releases.
Note that qubes-firewall-user-script is designed to get the last say in
the iptables configuration process, and in this case place the two
anti-leak commands at the _start_ of the chain. This isn't going to just
stop working on its own, short of a Qubes bug that stops the script from
running.
Now that I see the airvpn client app changes iptables, I would say
/that/ is a cause for concern... The user script might not have the
final say in the firewall configuration and we don't know what would
happen to the anti-leak commands then. But that's why clients such as
OpenVPN don't touch iptables in the first place-- leak prevention has to
happen outside the client.
So I think the takeaway here is that judicious use of
qubes-firewall-user-script is fine, but don't blindly use VPN clients
that try to alter iptables (or if you must, then at least turn all
firewall features off in the client). I would also advise users *not* to
rely on firewall settings in Qubes Manager/VM Settings as the options
are too limited to stop compromised VMs that are supposed to be confined
to the VPN tunnel from leaking data to clearnet (e.g. a hostile access
point or other upstream node) regardless of which address/port you specify.
If qubes-firewall-user-script goes away as a feature in Qubes 4.0, that
would certainly need to be addressed in the doc. But I'd expect all user
documentation to be reviewed for 4.0 in any case.
Chris
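As an added example, not part of Chris's message or of the Qubes project's own code: the property Chris relies on above is that the two anti-leak rules placed in /rw/config/qubes-firewall-user-script stay at the head of the FORWARD chain, and the risk he names is a VPN client that edits iptables behind the script's back. The function below takes the output of `iptables -S FORWARD` and reports whether both DROP rules are present with nothing ahead of them. It assumes the upstream interface is eth0 and that the rules are exactly `-i eth0 -j DROP` and `-o eth0 -j DROP` (both assumptions); the two chain listings are constructed samples, not captured from a real ProxyVM.

```bash
#!/bin/bash
# Added example (not from the thread or the Qubes docs). Verifies that the
# two anti-leak rules from the Qubes 3.x VPN doc are still the first rules
# in a ProxyVM's FORWARD chain.
# Assumptions: upstream interface is eth0; the anti-leak rules are exactly
# "-i eth0 -j DROP" and "-o eth0 -j DROP".

UPSTREAM_IF="${UPSTREAM_IF:-eth0}"

# The two commands the VPN doc puts in qubes-firewall-user-script. Each -I
# prepends, so after both run the -i rule is first and the -o rule second.
antileak_rules() {
    printf 'iptables -I FORWARD -o %s -j DROP\n' "$UPSTREAM_IF"
    printf 'iptables -I FORWARD -i %s -j DROP\n' "$UPSTREAM_IF"
}

# Reads "iptables -S FORWARD" output on stdin. Returns 0 when both DROP
# rules are present and no other rule precedes them, 1 otherwise. Any rule
# that comes before them (e.g. an ACCEPT inserted by a VPN client) is a
# potential clearnet leak path while the tunnel is down.
antileak_rules_first() {
    awk -v ifc="$UPSTREAM_IF" '
        /^-P /         { next }                     # chain policy, not a rule
        /^-A FORWARD / {
            if ($0 ~ ("-i " ifc " -j DROP$")) { seen_in  = 1; next }
            if ($0 ~ ("-o " ifc " -j DROP$")) { seen_out = 1; next }
            if (!(seen_in && seen_out))        { other_first = 1 }
        }
        END { exit ((seen_in && seen_out && !other_first) ? 0 : 1) }'
}

# Live use inside the ProxyVM (needs root): returns 0 if the chain is sane.
check_live() {
    iptables -S FORWARD | antileak_rules_first
}

# Constructed sample: chain as left by the user script, followed by a
# simplified version of the rules Qubes itself installs in a 3.x ProxyVM.
GOOD_CHAIN='-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT'

# Constructed sample: a VPN client has inserted its own ACCEPT ahead of the
# anti-leak rules, so downstream VMs can reach eth0 when the tunnel is down.
BAD_CHAIN='-P FORWARD DROP
-A FORWARD -i vif+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -i vif+ -j ACCEPT'

# Constructed sample: one of the two rules has been flushed entirely.
MISSING_CHAIN='-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -i vif+ -j ACCEPT'
```

Run `check_live` from a root shell in the VPN ProxyVM after the VPN client has connected; a non-zero exit means something other than qubes-firewall-user-script has rearranged the FORWARD chain and the rules should be re-inspected with `iptables -S FORWARD` before trusting the gateway.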