Re: [qubes-users] Networking & firewall

2016-12-17 Thread Unman
On Sat, Dec 17, 2016 at 11:01:59AM +0100, Marc de Bruin wrote:
> Hi Jos,
> 
> > 
> > Can anyone point out some more reading material? If any?
> > 
> > Cheers!
> > Jos
> > 
> 
> I would like to know this as well! 
> 
> Anybody that would like to join and share? 
> 
> Thnx,
> 
> Greetz,
> Marc.
> 
> -- 

There isn't any additional reading material other than the pages Jos has
referenced, and the list archives.
But it is (relatively) straightforward.

- how much NATting is going on?

It's all NAT.
Look at the basic iptables rules in a netvm and you will see that all
downstream traffic is subject to NAT by MASQUERADE in the postrouting
table.

iptables -L -nv -t nat:
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    7   424 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0


- what role does proxy arp play? Is it still used in 3.2?
Yes, proxy arp has been re-enabled in 3.2. It isn't essential in most
use cases. 


To get to Jos's question re the chromecast:
There are two elements to this: getting the qube to see the chromecast
and allowing return traffic inbound.

You need to allow UDP traffic on high ports from the qube
You need to allow TCP outbound to (I think) 8008:8009
You need to allow UDP outbound to port 1900 on multicast
You need to allow UDP traffic on high ports from the Chromecast to the
qube, so you will need to follow the guide on routing inbound traffic to
a qube.

There's no problem in using tcpdump and iptables on the firewall to see
what's going on. I tend to dump the traffic and then parse it on a
separate qube.
Judicious use of logging in iptables will help you see what's going on,
but there's enough here to get started I hope.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161217143853.GA32286%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
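The POSTROUTING chain unman quotes, replayed with iptables first-match semantics so you can see which outgoing interfaces are actually source-NATed. This is an added example, not code from the thread or from Qubes itself; the chain text is the output quoted above (with the column header iptables prints restored), and `vif3.0`, `eth0` and `wlan0` are just sample interface names.

```shell
#!/bin/sh
# Added example, not from the thread: replay the netvm's nat POSTROUTING chain
# with iptables first-match semantics to see which outgoing interface gets
# MASQUERADEd.  The chain text is the "iptables -L -nv -t nat" output unman
# quoted (column header restored); the columns are
# pkts bytes target prot opt in out source destination.
POSTROUTING_CHAIN='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    7   424 MASQUERADE all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# nat_verdict OUT_IFACE: print the target of the first rule whose "out" column
# matches OUT_IFACE.  "*" matches any interface; a trailing "+" is the iptables
# prefix wildcard (vif+ matches vif3.0, vif12.0, ...).  If no rule matches,
# the chain policy applies.
nat_verdict() {
    printf '%s\n' "$POSTROUTING_CHAIN" | awk -v oif="$1" '
        /^Chain / {
            if (match($0, /policy [A-Z]+/))
                policy = substr($0, RSTART + 7, RLENGTH - 7)
            next
        }
        $1 == "pkts" { next }                 # column header
        verdict == "" {
            out = $7
            if (out == "*") verdict = $3
            else if (out ~ /\+$/) {
                prefix = substr(out, 1, length(out) - 1)
                if (index(oif, prefix) == 1) verdict = $3
            } else if (oif == out) verdict = $3
        }
        END { print (verdict != "" ? verdict : policy) }
    '
}

# Replies heading back to a downstream qube (vif*) and loopback leave
# untouched; everything bound for the uplink is source-NATed to the
# netvm's own address.  Sample interface names are assumptions.
for iface in vif3.0 lo eth0 wlan0; do
    printf '%-8s -> %s\n' "$iface" "$(nat_verdict "$iface")"
done
```

The practical consequence: a qube's packets reach the LAN with sys-net's address, and a device on the LAN (the Chromecast, say) cannot address the qube directly, which is why the inbound half of the Chromecast setup needs DNAT at each hop.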

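The four rules unman lists for the Chromecast, written out as iptables commands for each hop (sys-net, sys-firewall, the qube). This is an added example, not code from the thread or from the Qubes project; the addresses `10.137.2.15`, `10.137.1.10`, `192.168.1.50`, the uplink interface `eth0` and the script name are assumptions for illustration, and the inbound part follows the per-hop DNAT pattern of the inbound-routing guide unman refers to.

```shell
#!/bin/sh
# Added example, not from the thread and not Qubes' own tooling: unman's
# Chromecast rule list as iptables commands, one function per hop.  The
# addresses and the uplink interface are assumptions for illustration;
# read the real ones from "ip addr" in each qube.  Commands are printed
# unless DRY_RUN=0, and the rules do not survive a reboot on their own.
QUBE_IP=${QUBE_IP:-10.137.2.15}         # app qube, behind sys-firewall (assumed)
FIREWALL_IP=${FIREWALL_IP:-10.137.1.10} # sys-firewall as seen from sys-net (assumed)
CAST_IP=${CAST_IP:-192.168.1.50}        # Chromecast on the LAN (assumed)
NET_IFACE=${NET_IFACE:-eth0}            # sys-net's LAN-facing interface (assumed)
SSDP_MCAST=239.255.255.250              # SSDP multicast group, UDP 1900
HIGH_PORTS=1024:65535
DRY_RUN=${DRY_RUN:-1}

# ipt: print the iptables command (DRY_RUN=1) or run it (DRY_RUN=0, as root).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Hop 1, sys-net: the Chromecast can only address sys-net's LAN IP, so its
# packets to high UDP ports are DNATed one hop inward, to sys-firewall.
rules_sys_net() {
    ipt -t nat -I PREROUTING -i "$NET_IFACE" -s "$CAST_IP" -p udp --dport "$HIGH_PORTS" -j DNAT --to-destination "$FIREWALL_IP"
    ipt -I FORWARD -i "$NET_IFACE" -s "$CAST_IP" -d "$FIREWALL_IP" -p udp --dport "$HIGH_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# Hop 2, sys-firewall: outbound from the qube (TCP 8008/8009 and high UDP
# ports to the Chromecast, SSDP to the multicast group) is inserted ahead of
# the rules Qubes generates from the qube's firewall settings; conntrack lets
# the replies back without further rules.  Flows the Chromecast opens itself
# are DNATed a second time, from sys-firewall's address to the qube.
rules_sys_firewall() {
    ipt -I FORWARD -s "$QUBE_IP" -d "$CAST_IP" -p tcp -m multiport --dports 8008,8009 -m conntrack --ctstate NEW -j ACCEPT
    ipt -I FORWARD -s "$QUBE_IP" -d "$CAST_IP" -p udp --dport "$HIGH_PORTS" -j ACCEPT
    ipt -I FORWARD -s "$QUBE_IP" -d "$SSDP_MCAST" -p udp --dport 1900 -j ACCEPT
    ipt -t nat -I PREROUTING -s "$CAST_IP" -p udp --dport "$HIGH_PORTS" -j DNAT --to-destination "$QUBE_IP"
    ipt -I FORWARD -s "$CAST_IP" -d "$QUBE_IP" -p udp --dport "$HIGH_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# Hop 3, the qube itself: its INPUT chain drops unsolicited traffic, so the
# DNATed flows still need an explicit accept here.
rules_qube() {
    ipt -I INPUT -s "$CAST_IP" -p udp --dport "$HIGH_PORTS" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: sh chromecast-rules.sh sys-net|sys-firewall|qube   (DRY_RUN=0 to apply)
# With no argument, print the whole rule set for review.
case "${1:-all}" in
    sys-net)      rules_sys_net ;;
    sys-firewall) rules_sys_firewall ;;
    qube)         rules_qube ;;
    all)          DRY_RUN=1
                  echo '# sys-net';      rules_sys_net
                  echo '# sys-firewall'; rules_sys_firewall
                  echo '# qube';         rules_qube ;;
    *)            echo "usage: $0 sys-net|sys-firewall|qube" >&2 ;;
esac
```

Two caveats a practitioner will hit. First, the SSDP rule only lets the multicast packet leave the qube; sys-firewall and sys-net do not route multicast, so discovery by SSDP or mDNS will generally not find the device and the client may need the Chromecast's address given to it directly. Second, rules added this way are gone after a reboot; to persist them, put them in the per-qube startup hooks (in Qubes 3.2, /rw/config/qubes-firewall-user-script for the firewall VM and /rw/config/rc.local elsewhere), and review the printed rule set before switching DRY_RUN to 0.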

Re: [qubes-users] Networking & firewall

2016-12-17 Thread Marc de Bruin
Hi Jos,

> 
> Can anyone point out some more reading material? If any?
> 
> Cheers!
> Jos
> 

I would like to know this as well! 

Anybody that would like to join and share? 

Thnx,

Greetz,
Marc.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/E64DF7C6-F41B-4A69-AA21-12E244B3BE77%40gmail.com.


[qubes-users] Networking & firewall

2016-12-11 Thread Jos Bredek
Hello there,

I'm relatively new to the Qubes environment. So far, I'm really excited. I just 
love the concept!

Anyhow, today I stumbled into a problem: using my Chromecast from one of my 
VMs within Qubes.

As a network technician, my first thought was: this can't be hard. Boy, was I 
wrong. After quite some reading, I'm still puzzled. I've noticed that the 
networking & firewall document has the status TODO. Maybe that's something I can 
help a little with?

I've read the following posts:
https://groups.google.com/forum/#!searchin/qubes-users/inter-vm|sort:relevance/qubes-users/lA2SgPcV9fU/U969uapYAAAJ
https://www.qubes-os.org/doc/firewall/
http://theinvisiblethings.blogspot.nl/2011/09/playing-with-qubes-networking-for-fun.html (is this still valid?)

I get the general concept. 
- AppVMs are connected to sys-firewall
- sys-firewall is attached to sys-net
- no bridging involved, all routing.

But then:
- why are there subnets involved of 255.255.255.255?
- how much NATting is going on?
- what role does proxy arp play? Is it still used in 3.2?

Of course I can use Wireshark and tcpdump to sort things out... but just maybe 
there is a good pointer to some other documentation? 

Can anyone point out some more reading material? If any?

Cheers!
Jos

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1e6e45a2-ec60-4d74-8af6-cfec00d86084%40googlegroups.com.