Hi! In the default firewall setup if a VM is restricted via UI using "Limit outgoing Internet connections to ..." 2 rules are added before "drop all packages":
[prompt]$ qvm-firewall vm
NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -

Namely: accept dns and accept icmp.

1. Is my assumption correct that by that it's possible to exfiltrate data to any destination server using dns/icmp?
2. What are practical solutions to mitigate that?
   a) delete the "accept dns/icmp" rules in the firewall and add the corresponding IPs to the restricted domains/ips in /etc/hosts of the vm?
   b) use pihole as dns resolver and restrict the access there?
   c) more useful solutions?

Thanks,
P

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3add8367-8dec-0bee-82c4-9e64eaa3ef7c%40gmx.de.
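A dom0-side audit for the listing above, added here as an example (not code from the original post or from the Qubes project): it parses the `qvm-firewall` table format shown in the post and reports accept rules that have no destination host but match DNS or ICMP, i.e. the two rules that sit outside the per-host whitelist. The sample input is the post's own listing, re-wrapped onto lines; the rule semantics noted in the comments are those of the Qubes 4 firewall.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the qvm-firewall listing from the post, one rule per line.
SAMPLE_LISTING = """\
NO  ACTION  HOST           PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  www.qubes.org  tcp       443      -               -          -       -
1   accept  -              -         -        dns             -          -       -
2   accept  -              icmp      -        -               -          -       -
"""


@dataclass
class Rule:
    number: int
    action: str
    host: str            # '-' means no destination restriction
    protocol: str
    ports: str
    special_target: str  # 'dns' expands to the VM's configured resolvers, port 53
    icmp_type: str


def parse_listing(text: str) -> List[Rule]:
    """Parse the whitespace-aligned table printed by `qvm-firewall VMNAME`."""
    rules = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 7 or not cols[0].isdigit():
            continue                            # blank or malformed line
        rules.append(Rule(int(cols[0]), cols[1], cols[2], cols[3],
                          cols[4], cols[5], cols[6]))
    return rules


def broad_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule number, reason) for accept rules not pinned to a host.

    In Qubes 4 the 'dns' special target only allows port 53 to the VM's
    configured resolvers, so the exposure is tunnelling through that resolver;
    an ICMP accept with host '-' reaches any host the upstream NetVM can.
    """
    findings = []
    for r in rules:
        if r.action != "accept" or r.host != "-":
            continue
        if r.special_target == "dns":
            findings.append((r.number, "DNS allowed to the configured resolvers"))
        elif r.protocol == "icmp":
            findings.append((r.number, "ICMP allowed to any host"))
    return findings


if __name__ == "__main__":
    for number, reason in broad_rules(parse_listing(SAMPLE_LISTING)):
        print(f"rule {number}: {reason}")
```

Feed it the live output of `qvm-firewall <vm>` in dom0 to check a VM after restricting it via the UI; a clean whitelist-only VM yields no findings.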