Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-23 Thread Unman
On Thu, Feb 23, 2017 at 03:09:20AM -0800, Jarle Thorsen wrote:
> Unman:
> > Jarle - there are a few things you could do. One of them would be to
> > distribute a static route using your DHCP server - implementing
> > a classless static route if your server supports it would be best. You
> > would need to put the external iface of the netVM as the gateway to the
> > internal 10.137.0.0/16 network. This won't be easy with DHCP unless you
> > put a reservation in place.
> > 
> > Alternatively you use proxy arp on the external interface of the netVM,
> > as you suggest. You don't need it on the vif interfaces because you
> > have the relevant routing information in the netVM. (As you are
> > connecting qubes directly to the netVM these routes will be set up
> > automatically. You can check this with 'ip route' - If you DID use a
> > firewall you would need to add a static route on the netVM with the fw
> > as gateway to the qubes connected to it.)
> 
> So my local network is 10.0.0.0/16 and default GW for all DHCP clients 
> (including my NetVM) is 10.0.0.7
> 
> The dynamic IP of the NetVM might be 10.0.1.23. So if a client on my 
> "outside" network tries to contact an AppVM (10.137.4.23 for example), will it 
> send an arp-request (letting arp_proxy do its trick), or will it just send 
> the packet to the default GW (which currently has no route to 10.137.4.0/24)?
> 

Doh, I've only just realised that your network is class B - so proxy arp
won't work as arp doesn't cross networks. Should have read more
carefully. Sorry to waste your time.

Yes, you're right - the packets will go to the default GW and you need
to have a route on there to the GW to the qubes - i.e. the IP of sys-net.
I still think that a better method would be to give out a route via DHCP
so all clients have that route, but it depends on you being able to do
classless static routing and using a DHCP reservation on sys-net.

Otherwise you need sys-net to broadcast a route which will be picked up
by the default GW on your 10.0/16 network.

cheers

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170223130320.GB18687%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
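Jarle's question (does a LAN client ARP for the AppVM, or hand the packet to its default gateway?) and unman's answer can be checked with a small routing-decision model. This is an added example, not code from the thread or from Qubes; it uses the thread's addresses (10.0.0.0/16, gateway 10.0.0.7, sys-net at 10.0.1.23, AppVM 10.137.4.23) and one constructed placeholder, 192.0.2.1, for the gateway's upstream next hop. The `tables` function models the three possible states: no route anywhere, a static route on the default gateway only, and the DHCP-distributed classless static route on the clients.

```python
import ipaddress

# Addresses from the thread: LAN 10.0.0.0/16 with default gateway 10.0.0.7,
# sys-net's DHCP-assigned external address 10.0.1.23, the Qubes internal
# network 10.137.0.0/16 and an AppVM at 10.137.4.23.
LAN = ipaddress.ip_network("10.0.0.0/16")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_GW = ipaddress.ip_address("10.0.0.7")
SYS_NET_EXTERNAL = ipaddress.ip_address("10.0.1.23")
QUBES_NET = ipaddress.ip_network("10.137.0.0/16")
APPVM = ipaddress.ip_address("10.137.4.23")
# Constructed placeholder for the gateway's upstream next hop (TEST-NET-1).
UPSTREAM = ipaddress.ip_address("192.0.2.1")

# Which host answers ARP for which address on the 10.0.0.0/16 segment.
ADDR_OWNER = {DEFAULT_GW: "default-gw", SYS_NET_EXTERNAL: "sys-net"}


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None means
    on-link. Returns the address the host ARPs for, or None without a route."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def tables(client_route=False, gw_route=False):
    """Routing tables of the three hosts involved. client_route models the
    10.137.0.0/16 via 10.0.1.23 route handed out by DHCP (option 121);
    gw_route models the same route configured statically on the default GW."""
    to_qubes = [(QUBES_NET, SYS_NET_EXTERNAL)]
    return {
        "client": [(LAN, None), (DEFAULT_ROUTE, DEFAULT_GW)]
                  + (to_qubes if client_route else []),
        "default-gw": [(LAN, None), (DEFAULT_ROUTE, UPSTREAM)]
                      + (to_qubes if gw_route else []),
        # On sys-net the vif routes to attached qubes are created by Qubes
        # itself ('ip route' shows them), so 10.137.0.0/16 is on-link here.
        "sys-net": [(LAN, None), (QUBES_NET, None)],
    }


def forwarding_path(dst, client_route=False, gw_route=False, max_hops=5):
    """Follow the packet from a LAN client hop by hop and report where it ends."""
    tbl = tables(client_route, gw_route)
    host, path = "client", ["client"]
    for _ in range(max_hops):
        hop = next_hop(tbl[host], dst)
        if hop is None:
            path.append("dropped:no-route")
            return path
        if hop == dst:          # destination is on-link for this host
            path.append("on-link")
            return path
        owner = ADDR_OWNER.get(hop)
        if owner is None:       # next hop is off the LAN: the packet leaves
            path.append(f"forwarded-upstream:{hop}")
            return path
        path.append(owner)
        host = owner
    path.append("loop")
    return path


if __name__ == "__main__":
    # Proxy ARP on sys-net never sees the request: the client ARPs for its
    # default gateway, and the gateway has nowhere to send 10.137.4.23.
    print(next_hop(tables()["client"], APPVM), forwarding_path(APPVM))
    # A route on the default gateway alone works, with an extra hop.
    print(forwarding_path(APPVM, gw_route=True))
    # The DHCP-distributed route lets clients reach sys-net directly.
    print(forwarding_path(APPVM, client_route=True))
```

The first call shows the failure mode unman describes: the client's only matching route is the default, so it ARPs for 10.0.0.7 and a proxy-ARP entry on sys-net is never consulted. The other two calls show the two fixes, with the client-side route avoiding the detour through the gateway.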


Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-23 Thread Jarle Thorsen
Unman:
> Jarle - there are a few things you could do. One of them would be to
> distribute a static route using your DHCP server - implementing
> a classless static route if your server supports it would be best. You
> would need to put the external iface of the netVM as the gateway to the
> internal 10.137.0.0/16 network. This won't be easy with DHCP unless you
> put a reservation in place.
> 
> Alternatively you use proxy arp on the external interface of the netVM,
> as you suggest. You don't need it on the vif interfaces because you
> have the relevant routing information in the netVM. (As you are
> connecting qubes directly to the netVM these routes will be set up
> automatically. You can check this with 'ip route' - If you DID use a
> firewall you would need to add a static route on the netVM with the fw
> as gateway to the qubes connected to it.)

So my local network is 10.0.0.0/16 and default GW for all DHCP clients 
(including my NetVM) is 10.0.0.7

The dynamic IP of the NetVM might be 10.0.1.23. So if a client on my "outside" 
network tries to contact an AppVM (10.137.4.23 for example), will it send an 
arp-request (letting arp_proxy do its trick), or will it just send the packet 
to the default GW (which currently has no route to 10.137.4.0/24)?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b83fefb7-774a-4e46-9ada-b66c75537799%40googlegroups.com.


Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-23 Thread Jarle Thorsen
Manuel Amador (Rudd-O):
> Qubes-network-server takes care of this for you.

Yes, I know about Qubes-network-server, but I was hoping to get this working 
without requiring static IPs for AppVMs, and also better support for Windows 
VMs. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1f5c9d0-196e-4d4c-8bc9-13d0420003fa%40googlegroups.com.


Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-18 Thread Unman
On Fri, Feb 17, 2017 at 06:01:14PM -0800, Manuel Amador (Rudd-O) wrote:
> Qubes-network-server takes care of this for you.
> 
> On February 14, 2017 2:02:18 AM PST, Jarle Thorsen wrote:
> >> Unman:
> >> Thank you, it seems like using proxy arp is the way to go for me.
> >That way I can still use a dynamic address for my NetVM.
> >
> >I'm getting back to this thread, still haven't got everything working:
> >
> >My NetVM is connected to a local network 10.0.0.0/16, and gets a
> >dynamic IP via DHCP.
> >
> >AppVMs connect directly to the NetVM, without any firewall, and all
> >firewall rules have been removed from NetVM.
> >
> >All networking is now working fine, both between AppVMs and from AppVMs
> >and into the 10.0.0.0/16 network.
> >
> >Now I need to have the AppVMs available from the 10.0.0.0/16 network...
> >
> >Where do I need to enable arp_proxy to make this happen? Only on the
> >NetVM interface connected to the 10.0.0.0/16 network, or also on the
> >vif interfaces on the NetVM, or in the AppVMs also??
> >

This really isn't very helpful to someone who is trying to understand
what is happening. Perhaps the need for brevity prevented a fuller
answer. But just saying there's a tool, (although I understand your
wish to promote your software) isn't the way to go imo.

Jarle - there are a few things you could do. One of them would be to
distribute a static route using your DHCP server - implementing
a classless static route if your server supports it would be best. You
would need to put the external iface of the netVM as the gateway to the
internal 10.137.0.0/16 network. This won't be easy with DHCP unless you
put a reservation in place.

Alternatively you use proxy arp on the external interface of the netVM,
as you suggest. You don't need it on the vif interfaces because you
have the relevant routing information in the netVM. (As you are
connecting qubes directly to the netVM these routes will be set up
automatically. You can check this with 'ip route' - If you DID use a
firewall you would need to add a static route on the netVM with the fw
as gateway to the qubes connected to it.)

It may be that Rudd-O's tool will do this for you. I don't know.

unman

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170218210011.GA23277%40thirdeyesecurity.org.
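The classless static route unman suggests is DHCP option 121 (RFC 3442), and the reservation matters because the router address baked into the option must stay valid for sys-net. The following is an added example, not code from the thread, Qubes or any DHCP server project: an encoder and decoder for the option body plus a generator for the matching ISC dhcpd fragment. It uses the thread's values (10.137.0.0/16 via 10.0.1.23, default gateway 10.0.0.7); the MAC address `00:11:22:33:44:55` passed in at the bottom is a constructed placeholder for sys-net's external NIC.

```python
import ipaddress

# Values from the thread: the Qubes internal network 10.137.0.0/16 is reached
# via sys-net's external address 10.0.1.23; the LAN default gateway is 10.0.0.7.
QUBES_ROUTE = ("10.137.0.0/16", "10.0.1.23")
DEFAULT_ROUTE = ("0.0.0.0/0", "10.0.0.7")


def encode_classless_routes(routes):
    """Encode [(destination, router)] pairs as the body of DHCP option 121
    (RFC 3442). Each entry is: prefix length, the significant octets of the
    destination (ceil(len/8) of them), then the 4-octet router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)       # strict: host bits must be zero
        gw = ipaddress.ip_address(router)
        if net.version != 4 or gw.version != 4:
            raise ValueError("option 121 carries IPv4 routes only")
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += gw.packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes. Rejects truncated or malformed
    entries instead of guessing, which is what a client parser should do too."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix length {width}")
        n = (width + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest_int = int.from_bytes(data[i:i + n] + b"\x00" * (4 - n), "big")
        i += n
        router = ipaddress.ip_address(bytes(data[i:i + 4]))
        i += 4
        routes.append((ipaddress.ip_network((dest_int, width)), router))
    return routes


def dhcpd_snippet(routes, sysnet_mac, sysnet_ip):
    """ISC dhcpd configuration that hands out the routes and pins sys-net's
    external address with a reservation so the router in the option stays
    valid. sysnet_mac and sysnet_ip are supplied by the caller."""
    octets = ", ".join(str(b) for b in encode_classless_routes(routes))
    return "\n".join([
        "option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;",
        f"option rfc3442-classless-static-routes {octets};",
        "# Clients that request option 121 ignore option 3 (routers), so the",
        "# default route is included above; keep option 3 for the others.",
        "option routers 10.0.0.7;",
        f"host sys-net {{ hardware ethernet {sysnet_mac}; fixed-address {sysnet_ip}; }}",
    ])


if __name__ == "__main__":
    body = encode_classless_routes([QUBES_ROUTE, DEFAULT_ROUTE])
    print(body.hex(":"))
    print(decode_classless_routes(body))
    # Placeholder MAC for sys-net's external NIC (constructed for the example).
    print(dhcpd_snippet([QUBES_ROUTE, DEFAULT_ROUTE], "00:11:22:33:44:55", "10.0.1.23"))
```

Two points worth keeping in mind when applying this: the default route has to be repeated inside option 121, because a client that asks for option 121 is required to ignore option 3; and without the reservation the next DHCP lease may move sys-net to another address, leaving every client with a route to a router that no longer exists.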


Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-02-17 Thread Manuel Amador (Rudd-O)
Qubes-network-server takes care of this for you.

On February 14, 2017 2:02:18 AM PST, Jarle Thorsen wrote:
>> Unman:
>> > I suggest you read the docs:
>> > www.qubes-os.org/doc/firewall  has a section on allowing traffic in
>to
>> > qubes.
>> 
>> Thank you for the link. It provided a good foundation.
>> 
>> > But this may not be what you want. It reads as if you want to have
>> > sys-net operating as a router. You can do this quite simply by
>changing
>> > the iptables configuration and using proxy arp to make sure that
>the
>> > external network sees the qubes behind the router.
>> > Alternatively you could use the netvm as a gateway to the network
>of
>> > qubes, and make sure that THAT route is propagated on your internal
>> > network.
>> 
>> Thank you, it seems like using proxy arp is the way to go for me.
>That way I can still use a dynamic address for my NetVM.
>
>I'm getting back to this thread, still haven't got everything working:
>
>My NetVM is connected to a local network 10.0.0.0/16, and gets a
>dynamic IP via DHCP.
>
>AppVMs connect directly to the NetVM, without any firewall, and all
>firewall rules have been removed from NetVM.
>
>All networking is now working fine, both between AppVMs and from AppVMs
>and into the 10.0.0.0/16 network.
>
>Now I need to have the AppVMs available from the 10.0.0.0/16 network...
>
>Where do I need to enable arp_proxy to make this happen? Only on the
>NetVM interface connected to the 10.0.0.0/16 network, or also on the
>vif interfaces on the NetVM, or in the AppVMs also??
>
>To view this discussion on the web visit
>https://groups.google.com/d/msgid/qubes-users/382450c2-11c6-40dc-9bea-03840335c104%40googlegroups.com.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/FD0BEFAB-47FA-45D7-9CB6-7207675511A4%40rudd-o.com.


Re: [qubes-users] NetVM without firewall, no PING from outside?

2017-01-23 Thread Jarle Thorsen
Unman:
> I suggest you read the docs:
> www.qubes-os.org/doc/firewall  has a section on allowing traffic in to
> qubes.

Thank you for the link. It provided a good foundation.

> But this may not be what you want. It reads as if you want to have
> sys-net operating as a router. You can do this quite simply by changing
> the iptables configuration and using proxy arp to make sure that the
> external network sees the qubes behind the router.
> Alternatively you could use the netvm as a gateway to the network of
> qubes, and make sure that THAT route is propagated on your internal
> network.

Thank you, it seems like using proxy arp is the way to go for me. That way I 
can still use a dynamic address for my NetVM. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8cee4116-fa0b-46b1-9c88-d71aadf00b3b%40googlegroups.com.