Re: [qubes-users] Networking & firewall

2016-12-17 Thread Unman
On Sat, Dec 17, 2016 at 11:01:59AM +0100, Marc de Bruin wrote:
> Hi Jos,
> 
> > 
> > Can anyone point out some more reading material? If any?
> > 
> > Cheers!
> > Jos
> > 
> 
> I would like to know this as well! 
> 
> Anybody that would like to join and share? 
> 
> Thnx,
> 
> Greetz,
> Marc.
> 
> -- 

There isn't any additional reading material other than the pages Jos has
referenced, and the list archives.
But it is (relatively) straightforward:

- how much NATting is going on?

It's all NAT.
Look at the basic iptables rules in a netvm and you will see that all
downstream traffic is subject to NAT by MASQUERADE in the postrouting
table.

iptables -L -nv -t nat:
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in   out   source      destination
    0     0 ACCEPT      all  --  *    vif+  0.0.0.0/0   0.0.0.0/0
    0     0 ACCEPT      all  --  *    lo    0.0.0.0/0   0.0.0.0/0
    7   424 MASQUERADE  all  --  *    *     0.0.0.0/0   0.0.0.0/0


- what role does proxy arp play? Is it still used in 3.2?
Yes, proxy arp has been re-enabled in 3.2. It isn't essential in most
use cases. 


To get to Jos's question re the chromecast:
There are two elements to this: getting the qube to see the chromecast
and allowing return traffic inbound.

You need to allow UDP traffic on high ports from the qube
You need to allow TCP outbound to (I think) 8008:8009
You need to allow UDP outbound to port 1900 on multicast
You need to allow UDP traffic on high ports from the Chromecast to the
qube, so you will need to follow the guide on routing inbound traffic to
a qube.

There's no problem in using tcpdump and iptables on the firewall to see
what's going on. I tend to dump the traffic and then parse it on a
separate qube.
Judicious use of logging in iptables will help you see what's going on,
but there's enough here to get started I hope.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161217143853.GA32286%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
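The inbound-routing step that unman points to the guide for, written out as an added example (this is not code from the thread or from the Qubes project). It follows the DNAT-in-PREROUTING plus ACCEPT-in-FORWARD pattern used for routing inbound traffic to a qube, repeated once per hop (netvm, then firewallvm if there is one), and finishes with the INPUT rule the destination qube needs. The interface name eth0, the addresses 192.168.1.x and 10.137.x.y, and the UDP range 32768:61000 are all assumptions; the real values come from `ip addr`, `qvm-ls -n` in dom0, and a tcpdump of an actual cast session.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Qubes project.
# Emits (DRY_RUN=1) or applies (as root) the iptables rules that route the
# Chromecast's return UDP traffic down to a qube, one hop at a time, using
# DNAT in the nat PREROUTING chain plus an ACCEPT in FORWARD.
# Every interface name, address and port range used here is an assumption:
# take the real ones from `ip addr` and `qvm-ls -n` in dom0, and the port range
# from a tcpdump of an actual cast session.

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Wrapper so the same script can be reviewed before it is trusted with root.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# One hop of inbound routing. Run once in the netvm (target = firewallvm or
# qube address) and again in the firewallvm, if there is one (target = qube).
#   $1  upstream interface of this VM (eth0 assumed; the real NIC in a netvm)
#   $2  this VM's own address on that interface (what the Chromecast sees)
#   $3  address of the next hop downstream (10.137.x.y from `qvm-ls -n`)
#   $4  address of the Chromecast on the LAN
#   $5  UDP destination port range the Chromecast replies to (assumed 32768:61000)
forward_udp_to() {
    ext_if="$1"; own_ip="$2"; next_ip="$3"; cc_ip="$4"; udp_range="$5"

    # Rewrite the destination before routing so the packet is sent downstream
    # instead of being delivered locally. Limiting -s to the Chromecast keeps
    # this from becoming a generally open port.
    ipt -t nat -I PREROUTING -i "$ext_if" -s "$cc_ip" -d "$own_ip" \
        -p udp --dport "$udp_range" -j DNAT --to-destination "$next_ip"

    # The default Qubes FORWARD chain only accepts traffic arriving on vif+
    # interfaces, so the rewritten packet also needs an explicit ACCEPT
    # (inserted at the top of the chain so it is hit before the DROP).
    ipt -I FORWARD -i "$ext_if" -s "$cc_ip" -d "$next_ip" \
        -p udp --dport "$udp_range" -j ACCEPT
}

# In the destination qube itself: its INPUT chain drops unsolicited traffic.
#   $1  Chromecast address, $2 UDP port range
accept_udp_in_qube() {
    ipt -I INPUT -s "$1" -p udp --dport "$2" -j ACCEPT
}

# Example invocation (assumed addresses). To make the rules persist across
# reboots, put the calls in /rw/config/qubes-firewall-user-script in each VM.
#   netvm:      forward_udp_to eth0 192.168.1.50 10.137.1.2 192.168.1.20 32768:61000
#   firewallvm: forward_udp_to eth0 10.137.1.2   10.137.2.9 192.168.1.20 32768:61000
#   qube:       accept_udp_in_qube 192.168.1.20 32768:61000
```

Run it first with `DRY_RUN=1` and read the emitted commands against `iptables -L -nv -t nat` and `iptables -L -nv` on the VM in question before applying them as root. The outbound side of unman's list needs nothing in the netvm when the qube has unrestricted network access; if its Qubes firewall is restrictive, the allow entries for TCP 8008-8009 to the Chromecast, UDP high ports to the Chromecast, and UDP 1900 to the SSDP multicast address 239.255.255.250 belong in that qube's firewall rules (qvm-firewall or the Firewall rules tab), not in hand-written iptables.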


Re: [qubes-users] Networking & firewall

2016-12-17 Thread Marc de Bruin
Hi Jos,

> 
> Can anyone point out some more reading material? If any?
> 
> Cheers!
> Jos
> 

I would like to know this as well! 

Anybody that would like to join and share? 

Thnx,

Greetz,
Marc.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/E64DF7C6-F41B-4A69-AA21-12E244B3BE77%40gmail.com.