On 11/11/2017 08:44 AM, Stumpy wrote:
I posted earlier about trying to limit traffic on some appvms and got
some helpful feedback about specific services but I am now thinking it
would be most useful to just see traffic leaving a appvm and then adding
rules based on that. problem is, i don't know how to view appvm network
traffic. Is there a command I could use or a log that I could look over
to help me with this? I would like to do this in both my fedora and deb
based vms.
I have a hack you might be interested in. It does not show you the
traffic but it will show you what is denied by the firewall, via
capturing the ICMP denied messages.
For some special VM's (email, boinc, untrusted, etc) where I want to
lock it down to just the essential services, I run this in a mode where
it echos the appropriate "qvm-firewall <VM> -add <hostip>/16" to the
console, where I will pick and choose to cut and paste the commands I
want to run into another dom0 terminal window. Once pasted you can edit
the command to refine how you want it to permit hosts or netblocks. The
default is /16 since the firewall is limited in how many entries it will
allow. Yes, its a hack, and it would not be safe to allow everything it
presents, but it works well enough for me.
> qvm-fwdenied -A -C 10 <vmname>
It is run from dom0 where it launches a tcpdump in the VM you are
interested in, and will capture -C <N> packets and then return. It
collects N packets and returns to process them, so it can miss packets
when it is not in tcpdump mode. If an ICMP denied event occurs it will
compose the qvm-firewall command to permit that host, but it will not
run it for you. You need to decide what is permitted.
I generally run it to investigate why an application is not working
correctly in an intentionally locked down VM, as this is generally
faster than launching wireshark and collecting/filtering the traffic
flow. If what you really want is to just see the traffic flow then open
wireshark in the same way and let it run. If your goal is to simply
manage what the VM connects to then you might be able to hack my script
to get what you want.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c2001b5a-784a-6a7c-87ca-98f2545e772b%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.
#!/usr/bin/python2
# -*- encoding: utf8 -*-
from qubes.qubes import QubesVmCollection
from qubes.qubes import QubesHost
from qubes.qubes import QubesException
from optparse import OptionParser
import subprocess
import sys
import os
import re
import glob
import logging
import logging.handlers
from datetime import datetime
import time
import traceback
LOG_FILENAME = '/var/tmp/qvm-fwdenied.log'
def main():
usage = "usage: %prog [-A] [-C n] <vm-name>"
parser = OptionParser (usage)
parser.add_option ("-A", "--allowlist",
action="store_true",
dest="generate_allow_list",
default=[False],
help="generage allow list for firewall")
parser.add_option ("-R", "--repeat",
action="store_true",
dest="repeat_mode",
default=[False],
help="repeat continuously until ^C")
parser.add_option ("-C", "--count",
type="int",
dest="packet_count",
default=[200],
help="return after N packets received")
(options, args) = parser.parse_args ()
#print args
if len(args) != 1 :
print 'vm name not provided'
sys.exit(0)
#print args
vm = args[0]
my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.INFO)
handler =
logging.handlers.RotatingFileHandler(LOG_FILENAME,maxBytes=200000,backupCount=5)
my_logger.addHandler(handler)
my_logger.info('')
nowstring = str(datetime.now())
my_logger.info('qvm-fwdenied started:' + nowstring)
packets = options.packet_count
cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "tcpdump -f -c ' +
str(packets) + '"'
my_logger.info(cmd)
if options.repeat_mode :
my_logger.info('repeat mode on')
print 'repeat mode enabled'
looping = True
try:
while looping:
process =
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
out, err = process.communicate()
errcode = process.returncode
hosts = set()
dom0_updated = False
needs_restart = False
for line in out.split('\n'):
my_logger.info(line)
if re.search('^$',line):
continue
if re.search('admin prohibited',line):
tokens = line.rsplit(' ')
host = tokens[7]
hosts.add(host)
if options.generate_allow_list == True:
for host in hosts:
addCmd = 'qvm-firewall ' + vm + ' -add ' + host + '/16 any'
print addCmd
my_logger.info(addCmd)
else:
for host in hosts:
print host
if errcode != 0:
print "Error:" + str(errcode)
print err
my_logger.info(['Error:' + str(errcode)])
my_logger.info(err)
sys.exit(1)
if not options.repeat_mode :
looping = False
#else:
# print str(datetime.now())
except KeyboardInterrupt:
print ""
print "Shutdown requested"
cmd = 'qvm-run -a --pass-io -u root ' + vm + ' "killall tcpdump"'
process =
subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE)
out, err = process.communicate()
errcode = process.returncode
print out + ' ' + err
except Exception:
traceback.print_exec(file=sys.stdout)
sys.exit(1)
print ''
my_logger.info('done logging')
sys.exit(0)
main()