On Wed, Jul 05, 2017 at 08:08:02PM -0400, 'Essax' via qubes-users wrote:
> I have a laptop with a 2 port NIC. I would like to have 1 subset of appVMs that 
> are connected to sys-net to use the eth0 interface and the other subset to 
> use the eth1 interface. It is not possible to assign 1 port into separate 
> sys-nets. I have tried that and only eth0 will function. It's also my 
> understanding that eth0 is the interface used between qubes (is this wrong?). 
> If so, would this prevent me from using iptables in firewall-vm1 to block 
> traffic to the eth0 interface? That would block traffic to sys-net as well (I 
> think). The only solution I have come up with would be to go to dom0 GUI --> 
> appvm1 ---> edit VM firewall rules ---> allow networks except 172.16.1.1/24. 
> This would not block traffic to the eth0 interface but it would prevent it 
> from going any further than the 172.16.1.1 pfsense interface. Then I could do 
> the same for firewall-vm0 and block it from the 192.168.1.1 pfsense 
> interface. Is there a better way to do this with iptables?
> pfsense-----192.168.1.1/24------------eth1--------firewall-vm1--------appvm1
> sys-net
> pfsense-----172.16.1.1/24--------------eth0--------firewall-vm0--------VPN/proxyvm--------appvm0
> 
> Thanks in advance
> Essax

I'm not sure what you mean by "eth0 is the interface used between
qubes". Each qube is attached to its upstream proxy, its eth0
connecting to a vifX interface on the proxy.

You can examine the IP addresses allocated to the qubes using 
'qvm-ls -n'.

On your proposal the downstream qubes would only be able to connect to
the networks attached to eth0 and eth1. This may be what you want. If
you want to connect to the net (or another network) via those connected
networks, there is an alternative.

Each firewall provides masquerade NAT to downstream qubes. This means
that you can simply do the following:
firewall-vm0 : eth0 - 10.137.10.10
firewall-vm1 : eth0 - 10.137.10.100

On sys-net-
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o eth1 -j DROP
iptables -I FORWARD -s 10.137.10.100 -o eth1 -j ACCEPT
iptables -I FORWARD -s 10.137.10.10 -o eth0 -j ACCEPT

Those rules explicitly block and allow traffic. You could combine into
one rule but this makes it clearer what is happening and will allow you
to track counters as traffic flows.
I think it's neater than your proposal.
You'll also want to keep the rules allowing established traffic back
through sys-net.

You can put these rules into rc.local, and qubes-firewall-user-script,
as set out here:
www.qubes-os.org/doc/firewall

unman
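An added illustration (not part of unman's reply or of Qubes OS code) of how the four `iptables -I` lines above behave once loaded: `-I` inserts each rule at the top of the FORWARD chain, so the last command typed is matched first, and netfilter stops at the first match. The script models that ordering with the two firewall-vm addresses from the mail and contrasts it with what `-A` (append) would have produced; the chain policy and the existing ESTABLISHED rule in sys-net are left as parameters because the example does not try to reproduce them.

```python
# Added example, not from the original mail: a first-match model of the sys-net
# FORWARD chain. Addresses 10.137.10.10 (firewall-vm0) and 10.137.10.100
# (firewall-vm1) are the example values quoted in the reply above.

RULES_IN_TYPED_ORDER = [
    {"out": "eth0", "target": "DROP"},                           # -I FORWARD -o eth0 -j DROP
    {"out": "eth1", "target": "DROP"},                           # -I FORWARD -o eth1 -j DROP
    {"src": "10.137.10.100", "out": "eth1", "target": "ACCEPT"}, # -I ... -s .100 -o eth1 -j ACCEPT
    {"src": "10.137.10.10", "out": "eth0", "target": "ACCEPT"},  # -I ... -s .10  -o eth0 -j ACCEPT
]


def build_chain(rules, insert=True):
    """Emulate loading the rules with -I (insert at position 1) or -A (append)."""
    chain = []
    for rule in rules:
        if insert:
            chain.insert(0, rule)  # each -I lands above everything typed before it
        else:
            chain.append(rule)     # -A would keep the typed order
    return chain


def forward_verdict(chain, src, out_iface, policy="ACCEPT"):
    """Return the target of the first rule whose -s/-o selectors all match;
    traffic that matches nothing falls through to the chain policy
    (whatever sys-net already has, including its ESTABLISHED rule)."""
    for rule in chain:
        if "src" in rule and rule["src"] != src:
            continue
        if "out" in rule and rule["out"] != out_iface:
            continue
        return rule["target"]
    return policy


def sys_net_chain():
    """The chain as it exists after the four -I commands from the reply."""
    return build_chain(RULES_IN_TYPED_ORDER, insert=True)


def appended_chain():
    """Same commands with -A instead of -I: the DROP rules shadow the ACCEPTs."""
    return build_chain(RULES_IN_TYPED_ORDER, insert=False)


if __name__ == "__main__":
    chain = sys_net_chain()
    for src, dev in [("10.137.10.10", "eth0"), ("10.137.10.10", "eth1"),
                     ("10.137.10.100", "eth1"), ("10.137.10.100", "eth0")]:
        print(f"{src} -> {dev}: {forward_verdict(chain, src, dev)}")
    print("with -A instead:", forward_verdict(appended_chain(), "10.137.10.10", "eth0"))
```

Return traffic arriving on eth0/eth1 and leaving via a vif interface matches none of these selectors, which is why the existing ESTABLISHED rule still has to do that job.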

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170706012459.nixgcf6n3mwqwobt%40thirdeyesecurity.org.