Hi,

Strangely, appvms that are marked as not "Allow connections to updates proxy" are still able to reach the tinyproxy, despite the iptables rules:
[root@sys-fw ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   217 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
  129 25433 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3   264 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   208 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.0.0/16
    0     0 ACCEPT     all  --  *      *       172.16.0.0/16        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   16  1136 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vif0.0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.137.2.9           10.137.1.1           udp dpt:53
    0     0 ACCEPT     udp  --  *      *       10.137.2.9           10.137.1.254         udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       10.137.2.9           10.137.1.1           tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       10.137.2.9           10.137.1.254         tcp dpt:53
    0     0 ACCEPT     icmp --  *      *       10.137.2.9           0.0.0.0/0
    0     0 DROP       tcp  --  *      *       10.137.2.9           10.137.255.254       tcp dpt:8082
    0     0 ACCEPT     all  --  *      *       10.137.2.9           0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  111 13152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   264 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   25  1493 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    1    42 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:1197
   26  1646 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "iptables_OUTPUT_denied: "

[user@untrusted ~]$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:5e:6c:07 brd ff:ff:ff:ff:ff:ff
    inet 10.137.2.9/32 brd 10.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe5e:6c07/64 scope link
       valid_lft forever preferred_lft forever

So the untrusted appvm (10.137.2.9) is able to reach the tiny proxy (10.137.255.254) on port 8082, despite the drop rule on the FORWARD chain on the sys-fw:

    0     0 DROP       tcp  --  *      *       10.137.2.9           10.137.255.254       tcp dpt:8082

[user@untrusted ~]$ telnet 10.137.255.254 8082
Trying 10.137.255.254...
Connected to 10.137.255.254.
Escape character is '^]'.

I confess I'm a bit baffled by this, the only thing I'm using on the sys-fw but that doesn't explain why the iptables rule is being ignored.

Does anyone know why this is happening?

Thank you

----
Sent using Guerrillamail.com

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/23b15c2e7e35e8075af3226b4e0fdafe7a43%40guerrillamail.com.
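An added diagnostic, not part of the original post or of Qubes: a small Python script that parses `iptables -nvL` output and reports which chains' rules for a given destination port actually counted packets. Run over an excerpt of the counters quoted above (constructed from the post's own output), it shows the port 8082 traffic being counted on the INPUT chain's ACCEPT (5 packets) while the FORWARD DROP stays at 0, i.e. the packets are delivered locally on sys-fw rather than forwarded, so a FORWARD rule can never match them.

```python
import re

# Constructed excerpt of the `iptables -nvL` output quoted in the post;
# only the rules relevant to port 8082 are kept.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   217 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
  129 25433 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       10.137.2.9           10.137.255.254       tcp dpt:8082
    0     0 ACCEPT     all  --  *      *       10.137.2.9           0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")


def parse_counters(text):
    """Return (chain, pkts, target, proto, src, dst, extra) for every rule line.

    Column order of `iptables -nvL` is: pkts bytes target prot opt in out
    source destination [match extras]; header and blank lines are skipped.
    """
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()
        if chain is None or len(cols) < 9 or not cols[0].isdigit():
            continue
        pkts, target, proto, src, dst = int(cols[0]), cols[2], cols[3], cols[7], cols[8]
        rules.append((chain, pkts, target, proto, src, dst, " ".join(cols[9:])))
    return rules


def rules_for_dport(text, dport):
    """All rules that match on a given destination port, with their packet counters."""
    return [r for r in parse_counters(text) if f"dpt:{dport}" in r[6]]


def hit_chains(text, dport):
    """Chains whose dpt:<dport> rules counted at least one packet."""
    return sorted({r[0] for r in rules_for_dport(text, dport) if r[1] > 0})


if __name__ == "__main__":
    for chain, pkts, target, proto, src, dst, extra in rules_for_dport(SAMPLE, 8082):
        print(f"{chain:8} {target:7} {src:>15} -> {dst:<15} pkts={pkts}")
    print("chains that saw port-8082 traffic:", hit_chains(SAMPLE, 8082))
```

Because the counted packets sit in INPUT, the next thing to inspect on sys-fw is `iptables -t nat -nvL`, since a REDIRECT or DNAT there (which the post does not show) would explain why traffic for 10.137.255.254:8082 is handled locally instead of traversing FORWARD.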