On 04/22/2018 12:52 PM, js...@bitmessage.ch wrote:
niepowie...@gmail.com:
I'm a user of the Bitmask VPN software and, accidentally, from time to time the connection
disconnects and there are a few seconds until it connects again.

What is the easiest way to set up firewall rules that prevent leaks of clear,
unencrypted traffic?

I'm pretty sure bitmask is supposed to block unencrypted connections
automatically when VPN connection drops (fail closed). The old version
of bitmask had problems when running in a qubes proxyVM (DNS leaks in
particular), but the new version in their debian stretch repo seemingly
fixes these problems. I'm not sure if not failing closed is still a
problem tho.

If you're running the most recent version of bitmask in a proxyVM and
it's not failing closed, maybe run it in the appVM instead? Others will
have to answer the firewall question tho because I don't know much about
that.



The regular release doesn't prevent leaks in Qubes proxyVMs, but the next version will.

If you want to use bitmask in a proxyVM you can either download the latest pre-release, or you can add a couple of (internal) firewall rules to the proxyVM in /rw/config/qubes-firewall-user-script:

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP


Also, if you run bitmask just in individual appVMs (instead of a proxyVM, which shares the connection with some number of appVMs), then it probably won't need Qubes-specific rules to prevent leaks.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
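An idempotent version of the two proxyVM rules above, plus a check that they sit ahead of any ACCEPT in the FORWARD chain, as an added example that is not part of this thread nor code from Bitmask or Qubes. It assumes eth0 is the clearnet uplink (overridable via UPLINK) and changes nothing unless invoked with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent, checkable version of the
# proxyVM rules, intended for /rw/config/qubes-firewall-user-script.
# Assumption (not stated in the thread): the clearnet uplink interface is eth0.
IPT="${IPT:-iptables}"
UPLINK="${UPLINK:-eth0}"

# The two rules from the thread: no forwarded (appVM) traffic may enter or
# leave via the uplink, so appVMs can only reach the network through the tunnel.
leak_guard_rules() {
    printf '%s\n' "-i $UPLINK -j DROP" "-o $UPLINK -j DROP"
}

# Insert a rule only if it is absent (-C exits non-zero when it is missing), so
# re-running the script does not stack duplicate copies of the same rule.
add_rule() {
    "$IPT" -C "$@" 2>/dev/null || "$IPT" -I "$@"
}

apply_leak_guard() {
    leak_guard_rules | while read -r spec; do
        # word splitting of $spec is intentional: it carries several arguments
        add_rule FORWARD $spec
    done
}

# Read the output of `iptables -S FORWARD` on stdin and succeed only if both
# DROP rules are present AND listed before any ACCEPT rule. A DROP appended
# with -A after the chain's existing ACCEPT rules would be reached too late.
forward_fails_closed() {
    awk -v up="$UPLINK" '
        $0 == "-A FORWARD -i " up " -j DROP" { in_seen = 1; next }
        $0 == "-A FORWARD -o " up " -j DROP" { out_seen = 1; next }
        /-j ACCEPT/ && !(in_seen && out_seen) { leaky = 1; exit }
        END { exit (leaky || !(in_seen && out_seen)) }
    '
}

# Run with --apply from the firewall script; without it, just print the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_leak_guard
else
    leak_guard_rules
fi
```

To audit a running proxyVM, pipe `iptables -S FORWARD` into `forward_fails_closed` and check its exit status.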
