Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
Don't know if this helps, but since October 2021 I've been using pfSense without any problems. I created an installation guide and script to automate the integration. https://github.com/jcholsap/freemod/issues/1#issue-1016495279

On Friday, July 30, 2021 at 9:40:06 AM UTC-4 unman wrote:
> On Mon, Jul 26, 2021 at 08:09:52AM +, Michael Singer wrote:
> > On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > > On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > > > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > > > > Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
> > > > >
> > > > > You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.
> > > >
> > > > Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?
> > >
> > > Qubes uses NAT, so sys-net sees all traffic coming from the IP address of sys-firewall.
> > > If your new fw has IP - 10.137.0.200
> > > And target is 195.10.223.181
> > >
> > > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> > >
> > > Would do it.
> > > Adjust for your case, of course
> >
> > Many thanks, unman! This is well explained. Allow one more question: How would you do the same if sys-net is based on an OpenBSD template?
> >
> > Best regards
> > Michael Singer
>
> openBSD in Qubes - Excellent!
>
> You would want something like:
> pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8a19c75b-cc29-475e-955a-05135a048203n%40googlegroups.com.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Mon, Jul 26, 2021 at 08:09:52AM +, Michael Singer wrote:
> On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > > > Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
> > > >
> > > > You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.
> > >
> > > Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?
> >
> > Qubes uses NAT, so sys-net sees all traffic coming from the IP address of sys-firewall.
> > If your new fw has IP - 10.137.0.200
> > And target is 195.10.223.181
> >
> > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> >
> > Would do it.
> > Adjust for your case, of course
>
> Many thanks, unman! This is well explained. Allow one more question: How would you do the same if sys-net is based on an OpenBSD template?
>
> Best regards
> Michael Singer

openBSD in Qubes - Excellent!

You would want something like:
pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210730134003.GF19478%40thirdeyesecurity.org.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > > Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
> > >
> > > You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.
> >
> > Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?
>
> Qubes uses NAT, so sys-net sees all traffic coming from the IP address of sys-firewall.
> If your new fw has IP - 10.137.0.200
> And target is 195.10.223.181
>
> `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
>
> Would do it.
> Adjust for your case, of course

Many thanks, unman! This is well explained. Allow one more question: How would you do the same if sys-net is based on an OpenBSD template?

Best regards
Michael Singer

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6dd537a2-854d-73fa-4d31-595a72638212%40posteo.de.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
> >
> > You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.
>
> Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

Qubes uses NAT, so sys-net sees all traffic coming from the IP address of sys-firewall.
If your new fw has IP - 10.137.0.200
And target is 195.10.223.181

`nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
`nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`

Would do it.
Adjust for your case, of course

> > > In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?
> >
> > man qvm-service - this service will remove the default gateway entry. So a qube would be able to access immediate neighbours but not step beyond. It's not what you want here.
>
> What are the immediate neighbors of a qube?

Qubes that are connected - the netvm, or a qube for which *this* is the netvm.

> Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

You can always access immediate neighbours, but will have to adjust the default firewall rules.
Look at https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

> In what situation is it useful for a qube to be able to access its immediate neighbors?

Explained on that page: most useful is file exchange with no Qubes tools installed, but also for testing network code, new pgp or ssh keys, etc.

> All the best
> Michael

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210717102948.GG419%40thirdeyesecurity.org.
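To make the ordering of unman's two nft rules concrete (and the pf rule from later in the thread), here is an added example that is not code from the thread: a small Python simulator of first-match evaluation (nft) versus last-match evaluation (pf without `quick`) over constructed packets. FW_VM and TARGET are the addresses from the thread; the pf `block`/`pass` pair is an assumed arrangement, not a rule anyone posted.

```python
"""Simulate how the two sys-net forward rules from the thread decide a
packet's fate. Added example, not code from the thread; packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

FW_VM = "10.137.0.200"     # address of the extra sys-firewall, as in the thread
TARGET = "195.10.223.181"  # the single permitted destination, as in the thread


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    verdict: str                 # nft: accept/drop, pf: pass/block
    saddr: Optional[str] = None  # None means "match any"
    daddr: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.saddr, p.saddr), (self.daddr, p.daddr),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)


# nft: the rules inserted at FORWARD index 1 and 2; the first match decides.
# Rule 2 also drops DNS from the firewall VM, so the qube must connect by IP.
NFT_FORWARD: List[Rule] = [
    Rule("accept", saddr=FW_VM, daddr=TARGET, proto="tcp", dport=443),
    Rule("drop", saddr=FW_VM),
]

# pf (assumed pair, not posted in the thread): without `quick` the LAST
# matching rule decides, so a blanket block must precede the narrow pass.
PF_OUT: List[Rule] = [
    Rule("block", saddr=FW_VM),
    Rule("pass", saddr=FW_VM, daddr=TARGET, proto="tcp", dport=443),
]


def verdict(rules: List[Rule], pkt: Packet, first_match: bool = True) -> str:
    """Return the verdict for pkt; 'continue' means no rule matched and the
    rest of the chain (the rules Qubes itself installs) decides."""
    hits = [r.verdict for r in rules if r.matches(pkt)]
    if not hits:
        return "continue"
    return hits[0] if first_match else hits[-1]
```

Swapping the two nft rules makes the drop rule match first and cuts off the target as well, which is why the `index 1`/`index 2` order matters.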
[qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?
>
> You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.

Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

> > In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?
>
> man qvm-service - this service will remove the default gateway entry. So a qube would be able to access immediate neighbours but not step beyond. It's not what you want here.

What are the immediate neighbors of a qube?

Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on?

In what situation is it useful for a qube to be able to access its immediate neighbors?

All the best
Michael

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4f04a944-d8df-cfd8-106d-faf03798fc84%40posteo.de.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> On Wed, Jul 14, 2021 at 04:40:29, unman wrote:
> > Disable all unnecessary services in the qube - that means almost all of them.
>
> Where would you look for such services?

Look to see what's running in the template/qube.

> Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?

You could do this: it would have one particular advantage, in that you could set custom rules in sys-net to restrict access from that sys-firewall to the specified IP address.

> In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?

man qvm-service - this service will remove the default gateway entry. So a qube would be able to access immediate neighbours but not step beyond. It's not what you want here.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210715115023.GG20432%40thirdeyesecurity.org.
[qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Wed, Jul 14, 2021 at 04:40:29, unman wrote:
> Disable all unnecessary services in the qube - that means almost all of them.

Where would you look for such services?

Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?

In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?

Thank you for your reply and all the best
Michael Singer

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3b9f0c87-0df3-97ce-3337-37ed0e962706%40posteo.de.