Re: [qubes-users] Logging Drop Packets
On 3/9/19 2:58 AM, unman wrote:
> Why do you say this? It's far from my experience.
>
> If you use a minimal Debian template for firewall, then there are
> only iptables rules. It's trivial in that case to add logging. You
> can also implement this by use of appropriate scripts in rc.local
> and /rw/config if you want logging from the start.

Well, these are the hardcoded rules used by Qubes:

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target       prot opt in    out   source     destination
    2160K 1969M ACCEPT       all  --  *     *     0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
    28727 2456K QBS-FORWARD  all  --  *     *     0.0.0.0/0  0.0.0.0/0
        0     0 DROP         all  --  vif+  vif+  0.0.0.0/0  0.0.0.0/0
    28727 2456K ACCEPT       all  --  vif+  *     0.0.0.0/0  0.0.0.0/0
        0     0 DROP         all  --  *     *     0.0.0.0/0  0.0.0.0/0

As the logging in iptables is implemented as a separate jump target, and you can only have one jump target in a rule, if you want to log something you have to create 2 similar rules with the same filters but with different actions: you need to place the logging rule first, then your desired action just after the logging rule. Right?

However, iptables rules can be easily added only in front of the current rules, or after all the existing rules. If you want to add something in between, you have to calculate the rule numbers - which is far from trivial.

So one option is to replace the whole ruleset by your own; however, you have to be compatible with the Qubes solution, otherwise you lose the default features. Or you have to parse the Qubes-generated rules and insert the logging ones as you need.

"Log everything" is simply not implemented in iptables, because to get meaningful logs you need to use the log-prefix to see if the logged packet is going to be dropped/accepted/rejected in the next rule.

Logging just the default drops at the end of the FORWARD chain might be easier, as you just have to modify the hardcoded default ruleset.

> I find the Qubes firewall very customisable, and relatively easy to
> manipulate as needed.

Well, I wouldn't call it customisable, as you have to choose between the very basic features of the Qubes-provided firewall implementation, OR you need to create your custom solution. Not to mention the "always there" style of the DNS NAT, and the ICMP traffic...

By using nftables it would be a lot easier. The main confusion is if both are in place, which is a not-recommended way. And you most likely have to place rules using both frameworks... So I'm really not sure why we would need both?

-- 
Laszlo Zrubecz

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0125d06c-c6e4-a6ba-d51d-c9cd0d6f4802%40gmail.com. For more options, visit https://groups.google.com/d/optout.
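The "parse the Qubes-generated rules and insert the logging ones" option described in the message above, as an added example that is neither Qubes code nor code posted in the thread. It reads the `iptables -S <chain>` listing of a chain, finds every rule whose target is DROP, and emits an `iptables -I` command that places a LOG rule carrying the same match immediately before each one, so the rule numbers never have to be worked out by hand. The sample chain is a constructed `-S` rendering of the FORWARD ruleset quoted above; the "QUBES-DROP: " prefix and the rate-limit values are illustrative choices, and vif+ is simply Qubes' interface naming as it appears in that ruleset.

```shell
#!/bin/sh
# Added example: generate the LOG rules that shadow every DROP in an iptables chain.
# Not Qubes code and not from the thread. On a firewall qube it is fed by
# `iptables -S FORWARD`; here it runs against a constructed sample instead.

# Constructed `iptables -S FORWARD` rendering of the Qubes FORWARD chain quoted in
# the thread (same rules, without the counters).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP'

# Read `iptables -S <chain>` on stdin; print "<rulenum> <match>" for every rule
# whose target is DROP, highest rule number first. Rule numbers count the -A
# lines from 1, which is how `iptables -I <chain> <num>` numbers them.
drop_rules() {
    awk '
        $1 == "-A" {
            n++
            if ($(NF-1) == "-j" && $NF == "DROP") {
                # keep only the match part: strip "-A CHAIN" and "-j DROP"
                rulematch = ""
                for (i = 3; i <= NF - 2; i++)
                    rulematch = rulematch (i > 3 ? " " : "") $i
                line[n] = n " " rulematch
                order[++k] = n
            }
        }
        END { for (j = k; j >= 1; j--) print line[order[j]] }
    '
}

# Emit one `iptables -I` per DROP rule, each carrying the same match as the DROP
# it precedes plus a rate limit (values illustrative) so a flood of refused
# packets cannot fill the kernel log. Highest rule number first: inserting at
# position 5 does not shift rule 3, so every emitted number stays valid.
log_insert_cmds() {
    chain=$1
    prefix=$2
    drop_rules | while read -r num rulematch; do
        printf 'iptables -I %s %s %s-m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s"\n' \
            "$chain" "$num" "${rulematch:+$rulematch }" "$prefix"
    done
}

# Dry run on the sample: prints the commands rather than executing them.
# On a real firewall qube: iptables -S FORWARD | log_insert_cmds FORWARD "QUBES-DROP: " | sh
printf '%s\n' "$SAMPLE_FORWARD" | log_insert_cmds FORWARD "QUBES-DROP: "
```

On the sample this emits two commands: one at position 5 for the catch-all `-j DROP`, then one at position 3 with `-i vif+ -o vif+` for the inter-qube drop. The descending order is the whole trick: each insertion only renumbers rules after it, so the lower numbers computed from the original listing remain correct. Since Qubes regenerates its rules as qubes connect and firewall rules change (unman's "as new chains are added" later in the thread), a script like this has to be re-run after those regenerations rather than once at boot; on Qubes 4.0 the firewall documentation cited in this thread names /rw/config/qubes-firewall-user-script as the hook for that in a firewall qube.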
Re: [qubes-users] Logging Drop Packets
On Sun, Mar 10, 2019 at 07:35:32AM -0700, cmsch...@gmail.com wrote:
> Hi All -
>
> I think I got what I needed on my own. It just took a bit more reading about
> the Qubes Firewall to figure out where to put the logging line. I was really
> just looking to monitor outgoing traffic to see what rules I needed to add to
> allow.
>
> I do have one other question though.. Where are the rules that get added in
> the Qubes-GUI added and/or how does qvm-firewall fit into the
> equation? I can add rules into the qubes-gui, but I can't seem to find the
> rules anywhere?
>
> Thanks in advance.
>
> Btw, thanks for the xenial install, unman..
>

When you set rules in the GUI, or using qvm-firewall, the rules are set in the proxyVM next hop up, i.e. the netvm for the qube for which you are setting firewall rules.
The rules will be set as iptables OR as nftables, depending on what is available in the proxyVM.
You can see them using 'iptables -L -nv', or, if you have nftables, 'nft list table qubes-firewall'.

If you have any comments on the xenial template, please pass them on.

unman

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190311004415.aoovgichylnubqja%40thirdeyesecurity.org.
Re: [qubes-users] Logging Drop Packets
Hi All -

I think I got what I needed on my own. It just took a bit more reading about the Qubes Firewall to figure out where to put the logging line. I was really just looking to monitor outgoing traffic to see what rules I needed to add to allow.

I do have one other question though.. Where are the rules that get added in the Qubes GUI added, and/or how does qvm-firewall fit into the equation? I can add rules in the Qubes GUI, but I can't seem to find the rules anywhere?

Thanks in advance.

Btw, thanks for the xenial install, unman..

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c3aa596b-7230-4e5f-9fc5-8b9da56096af%40googlegroups.com.
Re: [qubes-users] Logging Drop Packets
On Sat, Mar 09, 2019 at 01:23:03PM +0100, David Hobach wrote:
> On 3/9/19 2:58 AM, unman wrote:
> > On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
> > > On 3/8/19 3:28 PM, cmsch...@gmail.com wrote:
> > > > I'm trying to setup an appvm like this:
> > > >
> > > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
> > > >
> > > > I want to tighten the firewall rules and do a deny policy. How can
> > > > I get a log of dropped firewall packet logs from appvm_firewall or
> > > > vpn_firewall? I've tried a few different iptables commands but I
> > > > haven't really had any success.
>
> From my point of view the "Qubes way" of doing this would be something like
> appvm -> logging VM -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
>
> You can accomplish this in a rather straightforward way by using a proxy VM
> with your preferred logging mechanism (sflow, iptables, tcpdump, some IDS,
> ...). Also see [1], "Network service qubes".
>
> For iptables you'd require at least one rule in that proxy VM which enables
> logging. It should be stored inside /rw/config/rc.local [1].
>
> If you're looking for drops only, this is somewhat more complicated because
> with the above, you'd just log everything.
> You can however do filtering or log only ICMP replies (Qubes will send an
> ICMP reply on rejected packets) and/or TCP handshakes that weren't
> completed.
>
> Of course you can also go with the other proposal by unman and modify the
> Qubes firewall inside appvm_firewall. This however has the various drawbacks
> mentioned inside [1], "Network service qubes". Mistakes there can be costly
> even if the modification is rather easy for advanced users.
>
> [1] https://www.qubes-os.org/doc/firewall/
>

I don't think this would be "a rather straightforward way".
The reason is, of course, that using a proxyVM would mean that packets would be masqueraded when they reach appvm_firewall, so that appropriate rules would not be set. Also, of course, the native Qubes firewall structure would not apply.
I'm not saying that such a set-up could not be effected, but it would not be straightforward and would require manual setting of forwarding *and* firewall rules.

On balance, I continue to think that it would be easier to place logging rules in the appvm_firewall and vpn_firewall.
If OP comes back and provides details of what rules they have, and what they want to test, we could make some progress.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190310012750.gzh2z75q6nv6cjdh%40thirdeyesecurity.org.
Re: [qubes-users] Logging Drop Packets
On 3/9/19 2:58 AM, unman wrote:
> On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
> > On 3/8/19 3:28 PM, cmsch...@gmail.com wrote:
> > > I'm trying to setup an appvm like this:
> > >
> > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
> > >
> > > I want to tighten the firewall rules and do a deny policy. How can
> > > I get a log of dropped firewall packet logs from appvm_firewall or
> > > vpn_firewall? I've tried a few different iptables commands but I
> > > haven't really had any success.

From my point of view the "Qubes way" of doing this would be something like
appvm -> logging VM -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

You can accomplish this in a rather straightforward way by using a proxy VM with your preferred logging mechanism (sflow, iptables, tcpdump, some IDS, ...). Also see [1], "Network service qubes".

For iptables you'd require at least one rule in that proxy VM which enables logging. It should be stored inside /rw/config/rc.local [1].

If you're looking for drops only, this is somewhat more complicated because with the above, you'd just log everything.
You can however do filtering or log only ICMP replies (Qubes will send an ICMP reply on rejected packets) and/or TCP handshakes that weren't completed.

Of course you can also go with the other proposal by unman and modify the Qubes firewall inside appvm_firewall. This however has the various drawbacks mentioned inside [1], "Network service qubes". Mistakes there can be costly even if the modification is rather easy for advanced users.

[1] https://www.qubes-os.org/doc/firewall/

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/65515e35-36ee-b333-54f7-6b36e3a8b6bd%40hackingthe.net.
Re: [qubes-users] Logging Drop Packets
Also, with so many VMs in Qubes it's just not practical. Maybe something in this thread will help you. I gave up myself.

https://groups.google.com/forum/#!msg/qubes-users/RsptaCZLDnc/NqZegFafKQAJ;context-place=topic/qubes-users/MUIxSRy-jbc

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fafa8afb-c948-40ae-b037-c9bafa2e7015%40googlegroups.com.
Re: [qubes-users] Logging Drop Packets
I used to log everything in Linux with iptables, outgoing and incoming. A lot of Linux users say that practice uses too much HDD or space, which was simply not true when limiting rates. Then I would use programs to parse it and eyeball it myself.

But in Qubes it's just not possible. Those scripts will only log some things, not everything, and even then it's too complicated. It was one of the biggest gripes I had when first using Qubes. I want to know what every connection is doing at all times. ITL believes that you would never really find an attacker by doing these things, but I've begged to differ. But I do agree you definitely won't be stopping one.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/278eb189-9939-40f3-9776-32b9bdcab7c7%40googlegroups.com.
Re: [qubes-users] Logging Drop Packets
On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
> On 3/8/19 3:28 PM, cmsch...@gmail.com wrote:
> > I'm trying to setup an appvm like this:
> >
> > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
> >
> > I want to tighten the firewall rules and do a deny policy. How can
> > I get a log of dropped firewall packet logs from appvm_firewall or
> > vpn_firewall? I've tried a few different iptables commands but I
> > haven't really had any success.
>
> Unfortunately, the Qubes firewall does not support any kind of custom
> rules, including logging.
>
> Moreover it is using a mixed set of iptables and nftables which makes
> it much more complicated.
>
> I had a proposal about this exact issue before, by extending the
> action with the log type of rules, but as I do not have time to check
> and/or implement it, I guess it is just dropped.
>
> Now if you want this feature, you have to replace the whole default
> firewall set, which is not trivial.
>
> --
> Zrubi

Why do you say this? It's far from my experience.

If you use a minimal Debian template for firewall, then there are only iptables rules. It's trivial in that case to add logging. You can also implement this by use of appropriate scripts in rc.local and /rw/config if you want logging from the start.

Where the firewall is implemented using a nftables qubes-firewall, then it's even easier to add logging by prepending the instruction as needed in reject rules. You can do this easily for test logging (which is what cmschube wants) by adding the rule manually, but it's also possible to script it to add logging as new chains are added.

I find the Qubes firewall very customisable, and relatively easy to manipulate as needed.

Let's see if we can get a working solution that OP can use.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190309015853.ss4hy7kno7yz57x5%40thirdeyesecurity.org.
Re: [qubes-users] Logging Drop Packets
On 3/8/19 3:28 PM, cmsch...@gmail.com wrote:
> I'm trying to setup an appvm like this:
>
> appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
>
> I want to tighten the firewall rules and do a deny policy. How can
> I get a log of dropped firewall packet logs from appvm_firewall or
> vpn_firewall? I've tried a few different iptables commands but I
> haven't really had any success.

Unfortunately, the Qubes firewall does not support any kind of custom rules, including logging.

Moreover it is using a mixed set of iptables and nftables which makes it much more complicated.

I had a proposal about this exact issue before, by extending the action with the log type of rules, but as I do not have time to check and/or implement it, I guess it is just dropped.

Now if you want this feature, you have to replace the whole default firewall set, which is not trivial.

-- 
Zrubi

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/09b8ae77-c1fa-e79c-b02e-fc4a939ced8c%40zrubi.hu.
Re: [qubes-users] Logging Drop Packets
On Fri, Mar 08, 2019 at 06:28:51AM -0800, cmsch...@gmail.com wrote:
> I'm trying to setup an appvm like this:
>
> appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
>
> I want to tighten the firewall rules and do a deny policy. How can I get a
> log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've
> tried a few different iptables commands but I haven't really had any success.
>
> Thanks in advance.
>

It depends whether you have a "DROP" policy set or a final rule that says "-j DROP".
In iptables, have a rule immediately BEFORE that rule (so if policy, have it as the last rule; otherwise, penultimate):

    # appended as the last rule for the chain-policy case; with a final "-j DROP"
    # rule use `iptables -I FORWARD <n>` with the DROP rule's number instead
    iptables -A FORWARD -j LOG --log-prefix "DROP "

You can put this in any firewall chain.
You could make it more complex by creating a log/drop chain and breaking down the descriptors, but I doubt that is necessary in this case.

If you are using nftables (check in your sys-firewall), then you can get the same effect by adding to your DROP statement. You don't need a separate rule for this.

HTH

unman

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190308165127.324vdae5jf6zmib3%40thirdeyesecurity.org.
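Once drops are logged with a known prefix as in the rule above, the thing the original poster actually wants (to watch what is refused and work out which allow rules are missing) comes down to grouping the log lines by flow. The following is an added example, not code from the thread or from Qubes: it reads kernel log lines in the format the iptables LOG target writes, keeps only those carrying the given prefix, and counts them per (source, destination, protocol, destination port). The sample lines are constructed for the example (the vif3.0 interface, the 10.137.0.14 source and the destination addresses are made up); the SRC=, DST=, PROTO= and DPT= field names are the ones the LOG target really emits.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines by flow. Not code from the thread.
# On a firewall qube feed it `journalctl -k` or /var/log/kern.log; here it runs
# over constructed sample lines.

# Constructed kernel log lines in the format the iptables LOG target writes
# (the "DROP " prefix matches the rule in the message above; interface,
# addresses and ports are made up). The last line carries a different prefix
# and must be ignored when only drops are being counted.
SAMPLE_LOG='Mar  9 12:00:01 sys-firewall kernel: DROP IN=vif3.0 OUT=eth0 SRC=10.137.0.14 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  9 12:00:02 sys-firewall kernel: DROP IN=vif3.0 OUT=eth0 SRC=10.137.0.14 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  9 12:00:03 sys-firewall kernel: DROP IN=vif3.0 OUT=eth0 SRC=10.137.0.14 DST=10.139.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=44
Mar  9 12:00:04 sys-firewall kernel: DROP IN=vif3.0 OUT=eth0 SRC=10.137.0.14 DST=93.184.216.34 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  9 12:00:05 sys-firewall kernel: ACCEPT IN=vif3.0 OUT=eth0 SRC=10.137.0.14 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=43212 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin, keep those whose LOG prefix is PREFIX, and print
# "<count> <src> <dst> <proto> <dport>" per distinct flow, most frequent first.
# ICMP carries no port, so "-" is printed in that column.
summarize_drops() {
    prefix=$1
    awk -v prefix="$prefix" '
        # the LOG target writes "<prefix>IN=..."; with the trailing space in the
        # prefix that is "kernel: DROP IN=", which also excludes other prefixes
        index($0, "kernel: " prefix " IN=") == 0 { next }
        {
            src = ""; dst = ""; proto = ""; dport = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dport = kv[2]
            }
            count[src " " dst " " proto " " dport]++
        }
        END { for (flow in count) print count[flow], flow }
    ' | sort -rn
}

# Run over the sample; on a firewall qube: journalctl -k | summarize_drops DROP
printf '%s\n' "$SAMPLE_LOG" | summarize_drops DROP
```

On the sample the first output line is `2 10.137.0.14 93.184.216.34 TCP 443`, followed by one UDP/53 and one ICMP flow; the ACCEPT line is left out because the prefix does not match, which is exactly why a distinct prefix per action matters. Each output line is the destination, protocol and port that an allow rule for that qube would name, so the table doubles as the list of rules still missing, and the count tells you which ones the qube keeps retrying.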
[qubes-users] Logging Drop Packets
I'm trying to setup an appvm like this:

appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

I want to tighten the firewall rules and do a deny policy. How can I get a log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've tried a few different iptables commands but I haven't really had any success.

Thanks in advance.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3bed1d69-7fc4-48db-869e-16011f1197ef%40googlegroups.com.