Re: [qubes-users] HTTP proxy & firewall woes
On Wed, Feb 21, 2018 at 06:42:44PM -0500, Demi M. Obenour wrote:
> On 02/21/2018 04:59 PM, Demi M. Obenour wrote:
> > On 02/21/2018 08:36 AM, awokd wrote:
> > > On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
> > > > Weird. Proxy logs indicate that the proxy never receives a CONNECT
> > > > request from Firefox.
> > > >
> > > > On Feb 21, 2018 4:08 AM, "awokd" wrote:
> > > >
> > > > > On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
> > > > > > I use GMail and Thunderbird for email, and Firefox as my browser. I
> > > > > > do email and GitHub from a different domain that is more trusted than
> > > > > > others (it’s blue).
> > > > > >
> > > > > > I would love to restrict its networking abilities by using firewall
> > > > > > rules or a filtering proxy. Sadly, I have not been able to do that
> > > > > > without breaking at least GMail. For firewall rules, the culprit seems
> > > > > > to be Google’s use of DNS load balancing, but I am not sure what is
> > > > > > breaking for the filtering proxy. OCSP stapling?
> > > > > >
> > > > > > I would much prefer to be able to restrict network access, but I
> > > > > > cannot break what needs to work. Does anyone have suggestions?
> > > > >
> > > > > Probably OCSP stapling like you said. Some filtering proxies can be
> > > > > configured to pass through SSL/TLS sessions unmolested, but then they
> > > > > can't filter them by content. You might also try POP3/SMTP vs. IMAP
> > > > > although Gmail probably uses the same types of certs for both.
> > >
> > > Assuming you're on R3.2, have you seen
> > > https://www.qubes-os.org/doc/config/http-filtering-proxy ?
> > > https://www.qubes-os.org/doc/firewall might also be useful if you're
> > > having firewall issues.
> >
> > I did, and finally figured out the problem:
> >
> > Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
> > over a SOCKS proxy. But the latter is not useful in this case, because
> > a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
> > filter by domain name. Furthermore, Google uses many, many IP
> > addresses, and rotates them frequently, so one cannot usefully filter by
> > IP address.
> >
> > I am going to be reporting this as a Thunderbird bug — the fix is to use
> > a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS. In the
> > meantime, I have had no choice but to enable all networking for that
> > domain. I still gain some security benefit, because Firefox and
> > Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
> > browse to a dangerous site by mistake.
> >
> > I wonder if Evolution would be a better choice than Thunderbird. It
> > might not have this bug. Does it have a worse history when it comes to
> > security?
> >
> > Demi
>
> I just had a further thought: could I work around this? My thought was
> to use /etc/hosts to force Thunderbird to use a specific IP, then proxy
> that IP using a trivial C program using libcurl.
>
> Demi

You could try whitelisting IMAP to google net ranges - get the SPF records
using dig _netblocks.google.com txt

I've tried the hosts entries, but it's pretty difficult to do this
effectively given the somewhat opaque way that google will reroute traffic.
You may as well sell your soul and use the blocks - 74.125.0.0/16 covers a
good deal of gmail imap if i recall. At least you'll have some restrictions
on outgoing traffic.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180222021719.m4h2nzkojyfzqirt%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
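The netblock allowlisting suggested in the reply above, worked through as an added example that is not code from the thread or from Qubes: it parses SPF-style TXT records, follows `include:` chains the way an SPF evaluator does, collects the `ip4:`/`ip6:` networks, checks whether an observed mail-server address falls inside them, and emits firewall rules for the allowed ports. The TXT records are constructed samples in the shape of SPF records (not Google's real netblocks; on a live system you would feed it `dig +short TXT _netblocks.google.com` output), the `qvm-firewall` syntax is the Qubes 4.x form and is assumed (R3.2 used a different command line), and the VM name is a placeholder.

```python
"""Turn SPF-style netblock records into a per-qube IMAP/SMTP allowlist.

Added example, not code from the thread. All DNS data below is CONSTRUCTED
so the script runs offline; replace `SAMPLE_TXT` with real TXT lookups.
"""
import ipaddress

# Constructed sample records keyed by DNS name. `include:` is followed
# recursively; ip4:/ip6: terms are collected; everything else is ignored.
SAMPLE_TXT = {
    "_spf.example.test": '"v=spf1 include:_netblocks.example.test include:_netblocks2.example.test ~all"',
    "_netblocks.example.test": '"v=spf1 ip4:74.125.0.0/16 ip4:192.0.2.0/24 ~all"',
    "_netblocks2.example.test": '"v=spf1 ip6:2001:db8::/32 ip4:198.51.100.0/24 ~all"',
}


def spf_networks(name, lookup, _seen=None):
    """Return the networks reachable from `name`, following include: chains.

    `lookup(name)` returns the TXT record text (or None). `_seen` breaks
    include cycles, which real SPF evaluators also guard against.
    """
    _seen = _seen if _seen is not None else set()
    if name in _seen:
        return []
    _seen.add(name)
    txt = (lookup(name) or "").strip('"')
    if not txt.startswith("v=spf1"):
        return []
    nets = []
    for term in txt.split()[1:]:
        if term.startswith("ip4:") or term.startswith("ip6:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[len("include:"):], lookup, _seen))
    return nets


def covers(nets, addr):
    """True if `addr` (the IP a mail client actually connected to) is inside the allowlist."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)


def firewall_rules(vm, nets, ports=(993, 465, 587)):
    """One accept rule per network and port. Qubes 4.x qvm-firewall syntax (assumed)."""
    return [
        f"qvm-firewall {vm} add accept dsthost={net} proto=tcp dstports={port}"
        for net in nets
        for port in ports
    ]


if __name__ == "__main__":
    nets = spf_networks("_spf.example.test", SAMPLE_TXT.get)
    print("allowlisted networks:", [str(n) for n in nets])
    print("74.125.28.108 covered:", covers(nets, "74.125.28.108"))
    for rule in firewall_rules("PLACEHOLDER-mail-qube", nets):
        print(rule)
```

Two caveats a practitioner should keep in mind: SPF records describe hosts that *send* mail on a domain's behalf, so they are a convenient but not authoritative list of IMAP/SMTP-submission endpoints, and the blocks change over time, which is exactly the maintenance burden the reply above is accepting in exchange for having any egress restriction at all. Re-running the script periodically and diffing the rule set is the cheap way to notice when the allowlist has drifted.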
Re: [qubes-users] HTTP proxy & firewall woes
Evolution should work. It did have a bug back in 2012 but that was it from what I recall. Evolution also does not automatically follow GNOME's setting and has its own. Open Evolution > Edit > Preferences > Network Preferences > you should see the default proxy setting page with a link to open advanced settings. But in the basic page you have entries for http, https and socks proxy config. It's been a long time but it should be there or close to it.

I have found I enjoy Evolution over t-bird. Maybe it's just the change but it seems smoother and not so heavy laden. Firefox has also gotten chubby and away from its sleek roots as well.

For max email efficiency I find a terminal email app still has its place, not to mention simplifies things. Mutt, Sup, Alpine. Sup is pretty cool with its power and use of tags organization.

Anyways hope that Evolution info is helpful.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e885a5d3-37e3-4945-8f32-23bb06c20b59%40googlegroups.com.
Re: [qubes-users] HTTP proxy & firewall woes
On 02/21/2018 04:59 PM, Demi M. Obenour wrote:
> On 02/21/2018 08:36 AM, awokd wrote:
>> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
>>> Weird. Proxy logs indicate that the proxy never receives a CONNECT
>>> request from Firefox.
>>>
>>> On Feb 21, 2018 4:08 AM, "awokd" wrote:
>>>
>>>> On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
>>>>> I use GMail and Thunderbird for email, and Firefox as my browser. I
>>>>> do email and GitHub from a different domain that is more trusted than
>>>>> others (it’s blue).
>>>>>
>>>>> I would love to restrict its networking abilities by using firewall
>>>>> rules or a filtering proxy. Sadly, I have not been able to do that without
>>>>> breaking at least GMail. For firewall rules, the culprit seems to be
>>>>> Google’s use of DNS load balancing, but I am not sure what is
>>>>> breaking for the filtering proxy. OCSP stapling?
>>>>>
>>>>> I would much prefer to be able to restrict network access, but I
>>>>> cannot break what needs to work. Does anyone have suggestions?
>>>>
>>>> Probably OCSP stapling like you said. Some filtering proxies can be
>>>> configured to pass through SSL/TLS sessions unmolested, but then they
>>>> can't filter them by content. You might also try POP3/SMTP vs. IMAP
>>>> although Gmail probably uses the same types of certs for both.
>>
>> Assuming you're on R3.2, have you seen
>> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
>> https://www.qubes-os.org/doc/firewall might also be useful if you're
>> having firewall issues.
>
> I did, and finally figured out the problem:
>
> Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
> over a SOCKS proxy. But the latter is not useful in this case, because
> a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
> filter by domain name. Furthermore, Google uses many, many IP
> addresses, and rotates them frequently, so one cannot usefully filter by
> IP address.
>
> I am going to be reporting this as a Thunderbird bug — the fix is to use
> a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS. In the
> meantime, I have had no choice but to enable all networking for that
> domain. I still gain some security benefit, because Firefox and
> Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
> browse to a dangerous site by mistake.
>
> I wonder if Evolution would be a better choice than Thunderbird. It
> might not have this bug. Does it have a worse history when it comes to
> security?
>
> Demi

I just had a further thought: could I work around this? My thought was
to use /etc/hosts to force Thunderbird to use a specific IP, then proxy
that IP using a trivial C program using libcurl.

Demi

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e79e2835-cf18-019f-0d51-439a7d4025d1%40gmail.com.

Attachments: 0xFF9C22C1.asc (application/pgp-keys), signature.asc (OpenPGP digital signature)
Re: [qubes-users] HTTP proxy & firewall woes
On 02/21/2018 08:36 AM, awokd wrote:
> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
>> Weird. Proxy logs indicate that the proxy never receives a CONNECT
>> request from Firefox.
>>
>> On Feb 21, 2018 4:08 AM, "awokd" wrote:
>>
>>> On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
>>>> I use GMail and Thunderbird for email, and Firefox as my browser. I
>>>> do email and GitHub from a different domain that is more trusted than
>>>> others (it’s blue).
>>>>
>>>> I would love to restrict its networking abilities by using firewall
>>>> rules or a filtering proxy. Sadly, I have not been able to do that
>>>> without breaking at least GMail. For firewall rules, the culprit seems
>>>> to be Google’s use of DNS load balancing, but I am not sure what is
>>>> breaking for the filtering proxy. OCSP stapling?
>>>>
>>>> I would much prefer to be able to restrict network access, but I
>>>> cannot break what needs to work. Does anyone have suggestions?
>>>
>>> Probably OCSP stapling like you said. Some filtering proxies can be
>>> configured to pass through SSL/TLS sessions unmolested, but then they
>>> can't filter them by content. You might also try POP3/SMTP vs. IMAP
>>> although Gmail probably uses the same types of certs for both.
>
> Assuming you're on R3.2, have you seen
> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
> https://www.qubes-os.org/doc/firewall might also be useful if you're
> having firewall issues.

I did, and finally figured out the problem:

Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
over a SOCKS proxy. But the latter is not useful in this case, because
a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
filter by domain name. Furthermore, Google uses many, many IP
addresses, and rotates them frequently, so one cannot usefully filter by
IP address.

I am going to be reporting this as a Thunderbird bug — the fix is to use
a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS. In the
meantime, I have had no choice but to enable all networking for that
domain. I still gain some security benefit, because Firefox and
Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
browse to a dangerous site by mistake.

I wonder if Evolution would be a better choice than Thunderbird. It
might not have this bug. Does it have a worse history when it comes to
security?

Demi

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/08a309c5-4f90-e7d4-dba1-f0211a8a0605%40gmail.com.

Attachments: 0xFF9C22C1.asc (application/pgp-keys), signature.asc (OpenPGP digital signature)
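Why the message above wants IMAP/SMTP/POP3 to go through an HTTP CONNECT request, shown as an added example that is not code from the thread or from Thunderbird: with CONNECT the filtering proxy is handed the hostname the client asked for, so it can allow or deny by domain before a single byte of the mail session flows, which a filter keyed on Google's constantly rotating IP addresses cannot do. Both ends run in one process over a socketpair, so nothing touches the network; the allowlist suffixes, hostnames and the one-request toy proxy are assumptions for the example.

```python
"""Domain-filtering HTTP CONNECT tunnel, in miniature (added example).

Client side builds the CONNECT request a proxy-aware mail client would
send; proxy side parses it and decides by hostname, never by IP address.
"""
import socket
import threading

# Assumed filtering policy: exact domain or any sub-domain of these.
ALLOWED_SUFFIXES = (".gmail.com", ".google.com", ".github.com")


def build_connect_request(host, port):
    """The request sent before speaking IMAP/SMTP/POP3 through the tunnel."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_target(request):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def policy_allows(host):
    """Filtering rule applied to the *name* in the CONNECT line."""
    h = host.lower().rstrip(".")
    return any(h == s[1:] or h.endswith(s) for s in ALLOWED_SUFFIXES)


def _read_headers(sock):
    """Read until the blank line that ends an HTTP request or response head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def proxy_side(conn):
    """Toy proxy: read one CONNECT, answer 200/403/400, close. A real proxy
    would splice the two sockets after the 200 and relay opaque TLS bytes."""
    target = parse_connect_target(_read_headers(conn))
    if target is None:
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    elif policy_allows(target[0]):
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    else:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
    conn.close()


def tunnel_status(host, port):
    """Client side: request a tunnel from the in-process proxy, return the status code."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=proxy_side, args=(server,))
    worker.start()
    client.sendall(build_connect_request(host, port))
    reply = _read_headers(client)
    client.close()
    worker.join()
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split(" ")[1]) if status_line.startswith("HTTP/") else None


if __name__ == "__main__":
    for h, p in (("imap.gmail.com", 993), ("smtp.gmail.com", 465), ("mail.example.net", 993)):
        print(f"CONNECT {h}:{p} -> {tunnel_status(h, p)}")
```

Note what the proxy sees and what it does not: it gets the domain name (enough for the allow/deny decision the thread is after) but, once it answers 200, the TLS session inside the tunnel is opaque to it, which is the same trade-off awokd describes for proxies that pass TLS through unmolested. A client that instead resolves the name itself and sends the proxy only an address, as the message above says Thunderbird's SOCKS path does, gives the proxy nothing stable to filter on.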
Re: [qubes-users] HTTP proxy & firewall woes
On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
> I use GMail and Thunderbird for email, and Firefox as my browser. I do
> email and GitHub from a different domain that is more trusted than others
> (it’s blue).
>
> I would love to restrict its networking abilities by using firewall
> rules or a filtering proxy. Sadly, I have not been able to do that without
> breaking at least GMail. For firewall rules, the culprit seems to be
> Google’s use of DNS load balancing, but I am not sure what is
> breaking for the filtering proxy. OCSP stapling?
>
> I would much prefer to be able to restrict network access, but I cannot
> break what needs to work. Does anyone have suggestions?

Probably OCSP stapling like you said. Some filtering proxies can be
configured to pass through SSL/TLS sessions unmolested, but then they
can't filter them by content. You might also try POP3/SMTP vs. IMAP
although Gmail probably uses the same types of certs for both.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/97cf05a7e9acd06309939ae804d054f6.squirrel%40tt3j2x4k5ycaa5zt.onion.
[qubes-users] HTTP proxy & firewall woes
I use GMail and Thunderbird for email, and Firefox as my browser. I do
email and GitHub from a different domain that is more trusted than others
(it’s blue).

I would love to restrict its networking abilities by using firewall
rules or a filtering proxy. Sadly, I have not been able to do that without
breaking at least GMail. For firewall rules, the culprit seems to be
Google’s use of DNS load balancing, but I am not sure what is
breaking for the filtering proxy. OCSP stapling?

I would much prefer to be able to restrict network access, but I cannot
break what needs to work. Does anyone have suggestions?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8eb2fda0-f6d6-11a5-b6bb-e457900d5e74%40gmail.com.

Attachments: 0xFF9C22C1.asc (application/pgp-keys), signature.asc (OpenPGP digital signature)