On Thu, Jul 06, 2017 at 07:22:51PM -0400, Essax wrote:
> Hi Unman
> Thanks! That is exactly what I wanted to accomplish. Although I could use a 
> little clarification on a couple things.
> 
> > You can examine the IP addresses allocated to the qubes using
> > "qvm-ls -n".
> 
> I ran this command and there are three ip addresses listed for most of the 
> qubes. Going from left to right---> I know the first one is the qube ip 
> address. The second ip address is only given to proxy-vms (What is this ip 
> for?) And the third ip address is the upstream gateway ip??
> 
> > Each firewall provides masquerade NAT to downstream qubes. This means
> > that you can simply do the following:
> > firewall-vm0 : eth0 - 10.137.10.10
> > firewall-vm1 : eth0 - 10.137.10.100
> 
> I'm sure you can guess my next question. Those two ip addresses would be the 
> actual ip of the qubes. (sorry I have to be sure : )
> Essax
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
> > -------- Original Message --------
> > Subject: Re: [qubes-users] Sys-net with a 2 port NIC, how to allow/block 
> > interfaces?
> > Local Time: July 5, 2017 9:24 PM
> > UTC Time: July 6, 2017 1:24 AM
> > From: un...@thirdeyesecurity.org
> > To: Essax <es...@protonmail.com>
> > Google groups Qubes-users <qubes-users@googlegroups.com>
> > On Wed, Jul 05, 2017 at 08:08:02PM -0400, "Essax" via qubes-users wrote:
> >> I have laptop with a 2 port NIC. I would like to have 1 subset of appVMs 
> >> that are connected to sys-net to use the eth0 interface and the other 
> >> subset to use the eth1 interface. It is not possible to assign 1 port into 
> >> separate sys-nets. I have tried that and only eth0 will function. It's also 
> >> my understanding that eth0 is the interface used between qubes. ( is this 
> >> wrong? ) If so would this prevent me from using iptables in firewall-vm1 
> >> to block traffic to the eth0 interface. That would block traffic to 
> >> sys-net as well (I think). The only solution I have come up with would be 
> >> to go to dom0 GUI --> appvm1---> edit VM firewall rules ---> allow 
> >> networks except 172.16.1.1/24 . This would not block traffic to the eth0 
> >> interface but it would prevent it from going any further than the 
> >> 172.16.1.1 pfsense interface. Then I could do the same for firewall-vm0 
> >> and block it from the 192.168.1.1 pfsense interface. Is there a better way 
> >> to do this with iptables.
> >> pfsense-----192.168.1.1/24------------eth1--------firewall-vm1--------appvm1
> >> sys-net
> >> pfsense-----172.16.1.1/24--------------eth0--------firewall-vm0--------VPN/proxyvm--------appvm0
> >>
> >> Thanks in advance
> >> Essax
> > I'm not sure what you mean by "eth0 is the interface used between
> > qubes". Each qube is attached to its upstream proxy, its eth0
> > connecting to a vifX interface on the proxy.
> > You can examine the IP addresses allocated to the qubes using
> > "qvm-ls -n".
> > On your proposal the downstream qubes would only be able to connect to
> > the networks attached to eth0 and eth1. This may be what you want. If
> > you want to connect to the net (or another network) via those connected
> > networks, there is an alternative.
> > Each firewall provides masquerade NAT to downstream qubes. This means
> > that you can simply do the following:
> > firewall-vm0 : eth0 - 10.137.10.10
> > firewall-vm1 : eth0 - 10.137.10.100
> > On sys-net-
> > iptables -I FORWARD -o eth0 -j DROP
> > iptables -I FORWARD -o eth1 -j DROP
> > iptables -I FORWARD -s 10.137.10.100 -o eth1 -j ACCEPT
> > iptables -I FORWARD -s 10.137.10.10 -o eth0 -j ACCEPT
> > Those rules explicitly block and allow traffic. You could combine into
> > one rule but this makes it clearer what is happening and will allow you
> > to track counters as traffic flows.
> > I think it's neater than your proposal.
> > You'll also want to keep the rules allowing established traffic back
> > through sys-net.
> > You can put these rules in to rc.local, and qubes-firewall-user-script,
> > as set out here:
> > www.qubes-os.org/doc/firewall
> > unman

So if you look at the top of the output you will see some helpful
headings.
The first address is that of eth0.
The second is the address used on vif interfaces to connect downstream.
The third is the address of the upstream netvm (and so will match the
2nd IP address of THAT qube).

In answer to your question, the IP addresses I have shown in the example are
those of eth0 (1st in qvm-ls -n output) - all traffic going through the
firewall will appear on sys-net to derive from this address, unless you
are doing something clever.
So yes, on sys-net put rules acting on those IP addresses.

Hope it's all clear now

unman
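As an added example (not part of the thread, and not a Qubes script), here is a small POSIX shell model of the sys-net FORWARD chain that the four `iptables -I` commands above build: it reproduces the top-down order that inserting at the head of the chain produces, and shows the verdict each source gets per uplink, including that a downstream qube not listed in any ACCEPT rule is dropped on both uplinks. Assumed: the two firewall addresses quoted in the thread, a made-up third address 10.137.10.42 for an unlisted qube, and an ACCEPT policy for traffic that no rule matches.

```shell
#!/bin/sh
# Model of the sys-net FORWARD chain built by the four "iptables -I" rules
# in the thread. Added example, not from the thread or from Qubes itself.
# Assumptions: firewall-vm0 = 10.137.10.10 (uplink eth0),
#              firewall-vm1 = 10.137.10.100 (uplink eth1),
#              chain policy ACCEPT for traffic no rule matches.

CHAIN=""   # one rule per line, top of chain first: "<src|any> <out-iface> <target>"

# "iptables -I FORWARD ...": insert at the TOP, so the last command issued
# is the first rule evaluated.
ipt_insert() {
  CHAIN="$1 $2 $3${CHAIN:+
$CHAIN}"
}

# "iptables -A FORWARD ...": append at the bottom.
ipt_append() {
  CHAIN="${CHAIN:+$CHAIN
}$1 $2 $3"
}

# Walk the chain top-down; the first rule whose source and outgoing
# interface both match decides. Prints ACCEPT or DROP.
verdict() {  # verdict <src-ip> <out-iface>
  v=$(printf '%s\n' "$CHAIN" | while read -r src oif target; do
        if [ "$oif" = "$2" ] && { [ "$src" = any ] || [ "$src" = "$1" ]; }; then
          echo "$target"; break
        fi
      done)
  echo "${v:-ACCEPT}"   # no match: chain policy (assumed ACCEPT)
}

show_chain() { printf '%s\n' "$CHAIN"; }

# The rules exactly as the thread lists them, issued in the same order.
ipt_insert any           eth0 DROP
ipt_insert any           eth1 DROP
ipt_insert 10.137.10.100 eth1 ACCEPT
ipt_insert 10.137.10.10  eth0 ACCEPT

echo "FORWARD chain, top-down:"; show_chain
echo
for src in 10.137.10.10 10.137.10.100 10.137.10.42; do
  for oif in eth0 eth1; do
    printf '%-15s -> %s : %s\n' "$src" "$oif" "$(verdict "$src" "$oif")"
  done
done
# 10.137.10.42 stands for a third, unlisted downstream qube (constructed
# value): it is dropped on both uplinks until an ACCEPT rule for it is
# inserted above the two DROPs.
```

The model only covers the `-s`/`-o` match the thread's rules use; the established/related reply rules unman mentions leave sys-net via vif interfaces and so are not touched by these DROPs.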
