Hopefully one day they revert it back to how it was in 3.2. A very common 
use-case for the firewall is likely to ensure things like DNS requests do not 
happen through the normal means (and instead go over something like Tor or a 
VPN). Unfortunately, the current config does not make it very obvious that 
someone should block DNS ports. This makes it very easy for someone to shoot 
themselves in the foot, because the interface is not intuitive (it says it 
blocks all traffic other than what is specified and then later modifies this, 
saying "just kidding, we let DNS through").



Feb 14, 2019, 11:59 AM by [email protected]:

> On Thursday, February 14, 2019 at 11:54:28 AM UTC, [email protected] wrote:
>
>> On Thursday, February 14, 2019 at 3:54:04 AM UTC, Marek Marczykowski-Górecki 
>> wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA256
>> > 
>> > On Wed, Feb 13, 2019 at 08:42:10AM -0800, [email protected] wrote:
>> > > In 3, if I clicked on "block connections" in the Qubes manager firewall 
>> > > section, there was (if memory serves me) an option to block DNS and 
>> > > ICMP. 
>> > > 
>> > > That is not present in R4 (though the docs say you can disable DNS and 
>> > > ICMP manually).
>> > > 
>> > > I'm just wondering what the logic behind the removal was? I would have 
>> > > thought that a general user who clicks "block connections" on Qube would 
>> > > not expect the qube to be able to actually send out and receive network 
>> > > packets such as DNS or ICMP. This presents information leakage scenarios 
>> > > (default DNS lookups of given qube) and also potential egress vectors if 
>> > > a qube is ever compromised (DNS tunnelling, ICMP tunnelling). 
>> > 
>> > Let me quote the full text you can find on the firewall tab there:
>> > 
>> >     NOTE: To block all network access, set Networking to (none) on the
>> >     Basic settings tab. This tab provides a very simplified firewall
>> >     configuration. All DNS requests and ICMP (pings) will be allowed. For
>> >     more granular control, use the command line tool qvm-firewall.
>> > 
>> > There is a clear message about what to do if you want to cut the qube from
>> > the network.
>> > 
>> > - -- 
>> > Best Regards,
>> > Marek Marczykowski-Górecki
>> > Invisible Things Lab
>> > A: Because it messes up the order in which people normally read text.
>> > Q: Why is top-posting such a bad thing?
>> > -----BEGIN PGP SIGNATURE-----
>> > 
>> > iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxk5lQACgkQ24/THMrX
>> > 1yzyBQf+ID5V7ema8i77kmTCnsWfNeSPUQnlTjuQbF1oNZJFNeAwAaqp3FLO+Ljt
>> > Slj7e9KjbPYrxxuW40LIL05G78Yqs/MpZ1mA6/Yfy6J2tvoluucTFvatiHqiodO3
>> > HLqyRSehMXqqzKTHNrLrfLWWyz6ykbP/MmIw1zsxjcXj8RCNuEMc5F4qC6npluWN
>> > cahMNcZLELo4PsrjzhqTrSr0BmlVLDQ5QLwoJGi8wSDGMEIDX3qvwq56wh6O0MgR
>> > J780J043BcrIiAfZorrG+WfpLebkU9uSjmOENxcZQQwz2JmEdod9dU1vUEPSdBY1
>> > EKOq9FhCjMI6De6nNgiMf63Y47CxuQ==
>> > =9dvG
>> > -----END PGP SIGNATURE-----
>>
>> As I said, I understand the documentation is correct. That's not my question. 
>> My question is why was it removed as an option when the firewall box itself 
>> in network manager says "Deny network access except..." 
>>
>> My point is it is counter-intuitive. If it says "deny network access 
>> except..." then there is an expectation that it will deny network access 
>> except for what is specified. There used to be tick buttons (allow 
>> updates/allow ICMP/allow DNS), which made it clear on the granular control 
>> there - but they were removed in R4. In the underlying subsystems you can 
>> still do that, sure. 
>>
>> Can I suggest that the wording "deny network access except..." is changed to 
>> "Deny TCP and UDP access except ..." for the avoidance of any doubt.
>>
>
> https://github.com/QubesOS/qubes-manager/pull/153

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/LYgLnsM--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.
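The behaviour the thread is arguing about, as an added illustration (this is not Qubes code and not from anyone in the thread): a small Python model of a first-match rule list written in the vocabulary qvm-firewall uses (accept/drop, proto, dsthost, dstports, specialtarget=dns). The simplified firewall tab is modelled as the user's allow rules followed by the implicit DNS and ICMP accepts that the tab's quoted note describes; the "explicit deny" list is the same thing with two drop rules placed in front. The resolver addresses, the allowed host and the sample packets are constructed, and the way the dns special target is expanded here is an assumption about Qubes, not taken from its source.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: addresses the "dns" special target expands to in this
# model (stand-ins for a netvm's resolvers; an assumption, not Qubes' values).
RESOLVERS = frozenset({"10.139.1.1", "10.139.1.2"})


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    proto: Optional[str] = None          # "tcp", "udp", "icmp"; None = any
    dsthost: Optional[str] = None        # exact destination address; None = any
    dstports: Optional[range] = None     # destination port range; None = any
    specialtarget: Optional[str] = None  # "dns" = the resolvers above
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    dsthost: str
    dstport: Optional[int] = None        # None for ICMP


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule sets must match; unset fields match anything."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dsthost is not None and rule.dsthost != pkt.dsthost:
        return False
    if rule.dstports is not None and (
        pkt.dstport is None or pkt.dstport not in rule.dstports
    ):
        return False
    if rule.specialtarget == "dns" and pkt.dsthost not in RESOLVERS:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit final drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


def simplified_tab_policy(user_rules: List[Rule]) -> List[Rule]:
    """Model of the R4 tab's 'deny network access except ...': the user's
    allow rules, then the implicit DNS and ICMP accepts the tab's note
    describes, then the implicit final drop handled by verdict()."""
    return list(user_rules) + [
        Rule("accept", specialtarget="dns", comment="implicit: tab allows DNS"),
        Rule("accept", proto="icmp", comment="implicit: tab allows ICMP"),
    ]


def explicit_deny_policy(user_rules: List[Rule]) -> List[Rule]:
    """What the poster expected 'deny except ...' to mean: DNS and ICMP are
    dropped explicitly, ahead of the implicit accepts so those never match."""
    return [
        Rule("drop", specialtarget="dns", comment="no DNS via netvm resolvers"),
        Rule("drop", proto="icmp", comment="no ICMP"),
    ] + simplified_tab_policy(user_rules)


def audit(rules: List[Rule], samples: Dict[str, Packet]) -> Dict[str, str]:
    """Evaluate each labelled sample packet against a rule list."""
    return {name: verdict(rules, pkt) for name, pkt in samples.items()}


# Constructed samples: one allowed web host, plus the traffic the thread is
# worried about (resolver lookups that leak, ICMP that is never blocked).
USER_RULES = [Rule("accept", dsthost="203.0.113.10", proto="tcp",
                   dstports=range(443, 444), comment="the one allowed host")]
SAMPLES = {
    "https_to_allowed_host": Packet("tcp", "203.0.113.10", 443),
    "ssh_to_allowed_host": Packet("tcp", "203.0.113.10", 22),
    "dns_to_netvm_resolver": Packet("udp", "10.139.1.1", 53),
    "dns_to_other_server": Packet("udp", "8.8.8.8", 53),
    "icmp_echo_anywhere": Packet("icmp", "8.8.8.8"),
}

if __name__ == "__main__":
    for label, policy in (("simplified tab", simplified_tab_policy),
                          ("explicit deny", explicit_deny_policy)):
        print(label, audit(policy(USER_RULES), SAMPLES))
```

Running it prints one verdict table per policy. The rows worth comparing are dns_to_netvm_resolver and icmp_echo_anywhere: the simplified tab accepts both even though only one TCP/443 host was listed, while the explicit-deny list drops them; DNS to an arbitrary server is dropped either way, because in this model the implicit accept only covers the netvm's resolvers. The only difference between the two lists is two drop rules in front of the implicit accepts, which is the granular control the quoted note points at; on a real system the effective rule list can be inspected with qvm-firewall <vm> list.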
