Hi!

In the default firewall setup, if a VM is restricted via the UI using "Limit 
outgoing Internet connections to ...", 2 rules are added before "drop all 
packets":

[prompt]$ qvm-firewall vm

NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -

Namely:
accept dns
and
accept icmp

1. Is my assumption correct that this makes it possible to exfiltrate data to 
any destination server using dns/icmp?
2. What are practical solutions to mitigate that?
        a) delete the "accept dns/icmp" rules in the firewall and add the 
           corresponding IPs of the restricted domains/IPs to /etc/hosts of the VM?
        b) use pihole as the DNS resolver and restrict the access there?
        c) more useful solutions?

Thanks, P
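
An added audit check, not part of the original post: it parses the listing
format that `qvm-firewall` prints above and flags accept rules that leave DNS or
ICMP open with no destination host, returning the `qvm-firewall <vm> del --rule-no N`
commands (CLI form assumed) that would remove them. The sample listing is
constructed to match the rules shown in the post.

```python
"""Audit a qvm-firewall listing for accept rules that allow DNS or ICMP
to any destination (the two default rules quoted in the post)."""

import re
from typing import Dict, List

# Constructed sample: same rules as the `qvm-firewall vm` output in the post.
SAMPLE_LISTING = """\
NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -
"""

# Column order as printed by qvm-firewall (assumed from the listing above).
FIELDS = ["no", "action", "host", "proto", "ports", "special", "icmptype", "expire", "comment"]


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn each data row into a dict. Empty columns print as '-', so the field
    count is stable; the trailing COMMENT column may contain spaces, hence maxsplit."""
    rules = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        parts = re.split(r"\s+", line.strip(), maxsplit=len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected row: {line!r}")
        rules.append(dict(zip(FIELDS, parts)))
    return rules


def unrestricted_dns_icmp(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Accept rules with no destination host that match DNS (special target)
    or ICMP (protocol): these are the ones a host-only allow-list does not cover."""
    return [
        r for r in rules
        if r["action"] == "accept" and r["host"] == "-"
        and (r["special"] == "dns" or r["proto"] == "icmp")
    ]


def removal_commands(vm: str, rules: List[Dict[str, str]]) -> List[str]:
    """Delete commands for the flagged rules, highest number first so the
    remaining rule numbers stay valid while the commands are run in order."""
    flagged = sorted((int(r["no"]) for r in unrestricted_dns_icmp(rules)), reverse=True)
    return [f"qvm-firewall {vm} del --rule-no {n}" for n in flagged]


if __name__ == "__main__":
    for cmd in removal_commands("vm", parse_listing(SAMPLE_LISTING)):
        print(cmd)
```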

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3add8367-8dec-0bee-82c4-9e64eaa3ef7c%40gmx.de.