On 07/12/2017 06:46 AM, Connor Page wrote:

> after testing the 3 existing solutions I think the official command line
> solution is the most strict and protected.
> I just don't get why "sleep 2" is outside the if statement in
> qubes-user-firewall-script. why block all vpn traffic for 2 seconds
> every time vms connect to or disconnect from the VPN vm?


The iptables command using --gid-owner won't recognize a system group immediately after the group is created, so a delay is necessary (otherwise the rule will be refused). The delay is outside the 'if' because rc.local and qubes-firewall run asynchronously to each other, so it seemed appropriate to have it wait for either case. Of course, if this workaround fails in any way then traffic becomes blocked, so it's safe.

You could get rid of the delay by adding the qvpn group to your template.

The gid-owner rule is there to satisfy an added requirement to block unintended non-VPN traffic coming from the proxyVM itself; it is not the main anti-leak feature (for downstream VMs).

BTW, I'm working on an update of the Qubes-VPN-support project (similar scripting to the doc) that runs as a systemd service. New version will have a simplified installer, which I will be posting in the next day or so:

https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4d76de3b-1dc5-586c-76d6-d614e0f041e0%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
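The reply above explains two things a script has to get right: the --gid-owner rule is refused until the new group is resolvable, and the script must fail closed if that never happens. The following is an added example written for this page, not the qubes-user-firewall-script from the Qubes docs nor code from Qubes-vpn-support: it replaces the fixed "sleep 2" with a bounded poll on getent for the group, then prints (rather than executes) the OUTPUT rules that confine the proxy VM's own traffic, and emits only a DROP when the group never appears. The group name qvpn, the interface names eth0/tun0 and the VPN server address 203.0.113.10 (a TEST-NET address) are assumptions for illustration. These rules cover the proxy VM's own processes only; the FORWARD rules that protect downstream VMs are the separate anti-leak feature the reply mentions and are not shown here.

```shell
#!/bin/sh
# Added example (not the Qubes docs script or Qubes-vpn-support code).
# Group name, interfaces and server address below are assumptions.

# True when NSS can resolve the group, which is what iptables needs before
# it will accept --gid-owner <name>.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# Poll for the group instead of sleeping a fixed 2 seconds.
# $1 = group name, $2 = max seconds to wait (default 10).
# Returns 0 once the group is visible, 1 on timeout.
wait_for_group() {
    name=$1
    timeout=${2:-10}
    waited=0
    while ! group_exists "$name"; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Print the OUTPUT-chain rules for the proxy VM's own traffic:
# only processes in the VPN group may reach the VPN server over the
# uplink, everything may use the tunnel and loopback, and the rest
# of the VM's own traffic is dropped. Printed, not executed, so the
# result can be reviewed or piped to sh as root.
# $1 = group, $2 = uplink iface, $3 = VPN server address, $4 = tunnel iface
build_owner_rules() {
    grp=$1; uplink=$2; server=$3; tun=$4
    printf '%s\n' \
      "iptables -A OUTPUT -o $uplink -m owner --gid-owner $grp -d $server -j ACCEPT" \
      "iptables -A OUTPUT -o $tun -j ACCEPT" \
      "iptables -A OUTPUT -o lo -j ACCEPT" \
      "iptables -A OUTPUT -j DROP"
}

# Fail closed: if the group never becomes resolvable, emit a single DROP
# for the uplink so nothing from the proxy VM itself can leak while the
# rule set is incomplete, and return non-zero so the caller notices.
# $5 = seconds to wait for the group.
apply_or_block() {
    grp=$1; uplink=$2; server=$3; tun=$4; timeout=$5
    if wait_for_group "$grp" "$timeout"; then
        build_owner_rules "$grp" "$uplink" "$server" "$tun"
        return 0
    fi
    echo "iptables -A OUTPUT -o $uplink -j DROP"
    return 1
}

# Usage (assumed names): apply_or_block qvpn eth0 203.0.113.10 tun0 10 | sh
```

Because the poll returns as soon as the group resolves, the common case costs no delay at all, and the timeout bounds the worst case instead of the fixed wait blocking every connect and disconnect. As the reply notes, adding the qvpn group to the template removes the race entirely, at which point wait_for_group returns immediately.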
