On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users <[email protected]> wrote:
>> I have a bank vm, how do you restrict the browser from being able to go
>> elsewhere? Do you add the iprules in the vm or do you create a proxyvm and
>> add the iprules there?
>>
>> I've tried both, and created an email vm with iprules "deny everything
>> except"
>>
>> But then neither vm(s) will connect.
>>
>> Is there a proper way to do this?
>>
>> Or will I have to do the tinyproxy thing I've read elsewhere?
>
> I've tried both solutions some time ago and definitely the tinyproxy solution
> works much better and can nicely handle dns round robin or servers behind
> load balancers. By the way, this solution offers another nice possibility:
> you can use regular expressions and for example allow .*\.mycompany\.com$. On
> the counterpart, you will have to trust the dns resolution.

Look also for modules like 'request policy' and 'no script' or 'policeman' that implement a nice GUI allowing both types in a single place.
Request policy + 'ask for reload permission' should be enough to control in a single VM for a few banks in a single place. Not as secure as proxying and denying in some other VM, but easy + GUI controls + requires some configuration work at start.

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
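
An added example, not part of the original messages: a Python check of the host-allowlist regex form quoted above (`.*\.mycompany\.com$`) and some weaker variants against constructed look-alike hosts. It assumes a default-deny proxy filter that applies patterns with unanchored search semantics; the function names, variant patterns and probe hosts are hypothetical.

```python
import re

def is_allowed(host, patterns):
    """Default-deny check: allow a host only if some pattern matches.
    Assumes search semantics (a pattern matches anywhere unless anchored)."""
    host = host.lower().rstrip(".")   # normalise case and trailing root dot
    return any(re.search(p, host) for p in patterns)

def audit(pattern, domain):
    """Return the constructed hosts outside `domain` that `pattern` admits."""
    label, _, rest = domain.partition(".")
    probes = [
        domain + ".other.example",           # allowed name used as a prefix
        "www." + domain + ".other.example",  # same, with a leading label
        "not" + domain,                      # no label boundary before the name
        "www." + label + "x" + rest,         # unescaped dot matching any char
    ]
    return [h for h in probes if is_allowed(h, [pattern])]

# Constructed sample patterns; only THREAD_FORM has the form quoted in the thread.
THREAD_FORM = r".*\.mycompany\.com$"
WITH_APEX = r"^(.*\.)?mycompany\.com$"   # variant that also admits the bare domain
NO_END_ANCHOR = r".*\.mycompany\.com"    # weak: trailing labels are accepted
NO_BOUNDARY = r"mycompany\.com$"         # weak: any prefix is accepted
UNESCAPED_DOT = r".*\.mycompany.com$"    # weak: "." matches any character

if __name__ == "__main__":
    for p in (THREAD_FORM, WITH_APEX, NO_END_ANCHOR, NO_BOUNDARY, UNESCAPED_DOT):
        print(f"{p!r:30} wrongly admits: {audit(p, 'mycompany.com')}")
    print("bare domain allowed by thread form:",
          is_allowed("mycompany.com", [THREAD_FORM]))
```

The form quoted in the thread rejects every probe but also rejects the bare domain, so a site served from the apex needs its own entry or the `WITH_APEX` variant.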
