Re: [qubes-users] Not using firewall rules correctly?

2017-05-30 Thread cooloutac
On Saturday, May 20, 2017 at 9:43:52 AM UTC-4, Gaiko wrote:
> On Tuesday, May 9, 2017 at 9:53:30 PM UTC-4, cooloutac wrote:
> > On Monday, May 1, 2017 at 10:53:04 PM UTC-4, Gaiko wrote:
> > > On Mon, May 1, 2017 at 10:47 PM, Gaiko Kyofusho wrote:
> > > 
> > > On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
> > > On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
> > > 
> > > > Thanks, I looked up about host files, and found the
> > > > github.com/StevenBlack/hosts file which is handy but what I am still a
> > > > bit confused about is where to put it. The reason I assumed dom0 before
> > > > was I thought anything put in /etc/ would be erased on reboot which seems
> > > > to be happening, is there some way around this or perhaps I should be
> > > > putting it in the template?
> > > 
> > > You can put the file in /rw/config, and then in /rw/config/rc.local
> > > include:
> > > 
> > > cat /rw/config/hosts >> /etc/hosts
> > > 
> > > Or you can use bind-dirs to make /etc/hosts survive a reboot.
> > > 
> > > Thanks. I am not sure how to bind dirs but I understand putting the file 
> > > in the config dir and cat'ing it into /etc/hosts... but since those are 
> > > write protected dirs would the rc.local execute those commands as root 
> > > (or su or sudo not sure about the terminology here)? I ask because when I 
> > > try:
> > > 
> > > source rc.local
> > > 
> > > it gives me permission denied errors, I tried adding "sudo" in front but 
> > > that didn't seem to help?
> > > 
> > > oops, sent prematurely. When I try to restart the vm, then go into the 
> > > terminal and:
> > > less /etc/hosts
> > > 
> > > it still seems to be the original and not updated hosts?
> > 
> > to filter http is a pain.  I use lists from iblocklist.com in peerguardian 
> > on debian vm.  so you can use mouse to temp allow stuff sometimes. it 
> > blocks like between 2 and 3 mil ip addresses.  only ipv4 though and 
> > probably some overlap.  I disable ipv6 in grub.  but you have to not use 
> > the pc or have crazy discipline.
> 
> So when you say in a debian vm, do you happen to mean as a debian vm via 
> proxy? Like in the middle of your vm?
> 
> Slightly off topic but would sites "see" host files or peerguardian (ie 
> blocking but not at the browser level) as blocking? Some sites give you guff 
> about blocking and there is also the privacy aspect of making oneself even 
> more unique.
> 
> thx!

you can put it in a proxy too.  I wouldn't trust it in anything trusted or 
sensitive.

Some sites do give a warning, but it's rare.  Usually, something on a site just 
doesn't work or load till you allow something.  To filter all these scripts and 
ips from websites really isn't that practical.  I'm a little nuts too cause I 
only temp allow stuff 90% of the time.  The use is similar to noscript, but for 
ips.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/829f0ca9-8a89-407c-8194-b38634df4091%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Not using firewall rules correctly?

2017-05-20 Thread Gaiko
On Tuesday, May 9, 2017 at 9:53:30 PM UTC-4, cooloutac wrote:
> On Monday, May 1, 2017 at 10:53:04 PM UTC-4, Gaiko wrote:
> > On Mon, May 1, 2017 at 10:47 PM, Gaiko Kyofusho wrote:
> > 
> > On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
> > On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
> > 
> > > Thanks, I looked up about host files, and found the
> > > github.com/StevenBlack/hosts file which is handy but what I am still a bit
> > > confused about is where to put it. The reason I assumed dom0 before was I
> > > thought anything put in /etc/ would be erased on reboot which seems to be
> > > happening, is there some way around this or perhaps I should be putting it
> > > in the template?
> > 
> > You can put the file in /rw/config, and then in /rw/config/rc.local
> > include:
> > 
> > cat /rw/config/hosts >> /etc/hosts
> > 
> > Or you can use bind-dirs to make /etc/hosts survive a reboot.
> > 
> > Thanks. I am not sure how to bind dirs but I understand putting the file in 
> > the config dir and cat'ing it into /etc/hosts... but since those are write 
> > protected dirs would the rc.local execute those commands as root (or su or 
> > sudo not sure about the terminology here)? I ask because when I try:
> > 
> > source rc.local
> > 
> > it gives me permission denied errors, I tried adding "sudo" in front but 
> > that didn't seem to help?
> > 
> > oops, sent prematurely. When I try to restart the vm, then go into the 
> > terminal and:
> > less /etc/hosts
> > 
> > it still seems to be the original and not updated hosts?
> 
> to filter http is a pain.  I use lists from iblocklist.com in peerguardian on 
> debian vm.  so you can use mouse to temp allow stuff sometimes. it blocks 
> like between 2 and 3 mil ip addresses.  only ipv4 though and probably some 
> overlap.  I disable ipv6 in grub.  but you have to not use the pc or have 
> crazy discipline.

So when you say in a debian vm, do you happen to mean as a debian vm via proxy? 
Like in the middle of your vm?

Slightly off topic but would sites "see" host files or peerguardian (ie 
blocking but not at the browser level) as blocking? Some sites give you guff 
about blocking and there is also the privacy aspect of making oneself even 
more unique.

thx!



Re: [qubes-users] Not using firewall rules correctly?

2017-05-20 Thread Gaiko
On Tuesday, May 2, 2017 at 1:03:18 AM UTC-4, Drew White wrote:
> On Tuesday, 2 May 2017 12:53:04 UTC+10, Gaiko  wrote:
> > On Mon, May 1, 2017 at 10:47 PM, Gaiko Kyofusho wrote:
> > 
> > On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
> > On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
> > 
> > > Thanks, I looked up about host files, and found the
> > > github.com/StevenBlack/hosts file which is handy but what I am still a bit
> > > confused about is where to put it. The reason I assumed dom0 before was I
> > > thought anything put in /etc/ would be erased on reboot which seems to be
> > > happening, is there some way around this or perhaps I should be putting it
> > > in the template?
> > 
> > You can put the file in /rw/config, and then in /rw/config/rc.local
> > include:
> > 
> > cat /rw/config/hosts >> /etc/hosts
> > 
> > Or you can use bind-dirs to make /etc/hosts survive a reboot.
> > 
> > Thanks. I am not sure how to bind dirs but I understand putting the file in 
> > the config dir and cat'ing it into /etc/hosts... but since those are write 
> > protected dirs would the rc.local execute those commands as root (or su or 
> > sudo not sure about the terminology here)? I ask because when I try:
> > 
> > source rc.local
> > 
> > it gives me permission denied errors, I tried adding "sudo" in front but 
> > that didn't seem to help?
> > 
> > oops, sent prematurely. When I try to restart the vm, then go into the 
> > terminal and:
> > less /etc/hosts
> > 
> > it still seems to be the original and not updated hosts?
> 
> The hosts file is one of the files in the base, so it's always replaced.
> 
> I recommend creating a hosts file in the /rw directory, then in rc.local 
> deleting the hosts file and creating a link to the one in /rw
> 
> That's what I do, and it works like a charm.
> 
> Other than that, you can set up an internal DNS server that hangs off the 
> proxyVM to handle all DNS requests from all other guests that hang off that  
> ProxyVM.
> 
> It's just another simple solution.

Thanks, I will give that a try.



Re: [qubes-users] Not using firewall rules correctly?

2017-05-01 Thread Gaiko Kyofusho
On Mon, May 1, 2017 at 10:47 PM, Gaiko Kyofusho <
gaikokujinkyofu...@gmail.com> wrote:

>
>
> On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
>
>> On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
>> > Thanks, I looked up about host files, and found the
>> > github.com/StevenBlack/hosts file which is handy but what I am still a bit
>> > confused about is where to put it. The reason I assumed dom0 before was I
>> > thought anything put in /etc/ would be erased on reboot which seems to be
>> > happening, is there some way around this or perhaps I should be putting it
>> > in the template?
>> >
>>
>> You can put the file in /rw/config, and then in /rw/config/rc.local
>> include:
>> cat /rw/config/hosts >> /etc/hosts
>> Or you can use bind-dirs to make /etc/hosts survive a reboot.
>>
>>
> Thanks. I am not sure how to bind dirs but I understand putting the file
> in the config dir and cat'ing it into /etc/hosts... but since those are
> write protected dirs would the rc.local execute those commands as root (or
> su or sudo not sure about the terminology here)? I ask because when I try:
>
> source rc.local
>
> it gives me permission denied errors, I tried adding "sudo" in front but
> that didn't seem to help?
>


oops, sent prematurely. When I try to restart the vm, then go into the
terminal and:
less /etc/hosts

it still seems to be the original and not updated hosts?



Re: [qubes-users] Not using firewall rules correctly?

2017-04-28 Thread Unman
On Fri, Apr 28, 2017 at 06:08:42PM -0400, Gaiko Kyofusho wrote:
> I thought I would make use of Qubes firewall feature and try blocking some
> sites. I 1st tried in the firewallVM -> settings -> firewall rules and
> added some sites, doubleclick.net for example
> 
> I closed it etc then went back to it and saw this error:
> 
> The sys-firewall AppVM is not network connected to a FirewallVM
> You may edit the sys-firewall VM firewall rules but these will not take
> effect until you connect it to a working firewallVM
> 
> ?? I was editing the rules in the sys-firewall VM so I am not sure about
> that, unless perhaps because I have a VPN running? (the VPN is behind
> not in front of the firewall).
> 
> I tried the same setup/rules but instead of in the sys-firewall VM I tried
> it in my personalVM and while I didn't get an error there, it also didn't
> seem to block sites like doubleclick.net?
> 
> I assume I am doing something wrong but am not sure what as I thought I was
> doing as the qubes firewall doc instructed?

The Qubes firewall is set for each qube.
So if you want to block a particular qube from accessing a site you make
a change in the firewall for that qube, and it is implemented in iptables
on the proxyVM upstream of the qube.

You have tried to set a rule on the firewallVM, and the error message is
telling you that sys-net does not act as a firewallVM.

If you want to block traffic FROM sys-firewall then you can set iptables
rules ON sys-firewall and set them from rc.local or
qubes-firewall-user-script in /rw/config.
Alternatively you can write custom rules in sys-net and implement them
there to block traffic from downstream qubes.

A major problem in doing this is that iptables acts on IP addresses. If
you want to block something like doubleclick.net then you would 
have to block all the IP addresses associated with that domain. An
alternative approach would be to make entries in /etc/hosts resolving
to a local address. This stops any DNS resolution and effectively blocks
access to the site. If you look online there are many examples of hosts
files that use this technique to block access to questionable sites.

hth

unman
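
Added example, not part of the original post or of Qubes itself: one way to apply the /etc/hosts approach described above from /rw/config/rc.local, using the /rw/config/hosts location mentioned elsewhere in this thread. The function names and the BEGIN/END marker strings are made up for illustration; the script keeps only entries that point at a sinkhole address and replaces its own marked block on each run instead of appending blindly.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are passed as arguments so the
# functions can be tried on scratch files before they touch /etc/hosts.

BEGIN_MARK='# BEGIN blocklist'   # hypothetical marker strings
END_MARK='# END blocklist'

# Print only entries that map a name to a sinkhole address (0.0.0.0 or
# 127.0.0.1). A third-party list that maps a name to any other IP would
# redirect traffic rather than block it, so those lines are dropped.
# Names that must keep resolving locally are skipped as well.
filter_blocklist() {
    awk '($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 &&
         $2 !~ /^(localhost|localhost\.localdomain|local|0\.0\.0\.0)$/ {
             print "0.0.0.0", $2
         }' "$1"
}

# Replace the marked block in the hosts file ($2) with the filtered contents
# of the blocklist ($1). Running it twice leaves the same file.
apply_blocklist() {
    list=$1 hosts=$2
    [ -r "$list" ] || return 1
    tmp=$(mktemp) || return 1
    # Keep everything outside any previously written marked block.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip' "$hosts" > "$tmp"
    {
        echo "$BEGIN_MARK"
        filter_blocklist "$list"
        echo "$END_MARK"
    } >> "$tmp"
    # Write in place so the hosts file keeps its owner and mode.
    cat "$tmp" > "$hosts"
    rm -f "$tmp"
}

# In /rw/config/rc.local (run as root at VM start; the file must be
# executable), after the two functions above:
#   apply_blocklist /rw/config/hosts /etc/hosts
```
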




[qubes-users] Not using firewall rules correctly?

2017-04-28 Thread Gaiko Kyofusho
I thought I would make use of Qubes firewall feature and try blocking some
sites. I 1st tried in the firewallVM -> settings -> firewall rules and
added some sites, doubleclick.net for example

I closed it etc then went back to it and saw this error:

The sys-firewall AppVM is not network connected to a FirewallVM
You may edit the sys-firewall VM firewall rules but these will not take
effect until you connect it to a working firewallVM

?? I was editing the rules in the sys-firewall VM so I am not sure about
that, unless perhaps because I have a VPN running? (the VPN is behind
not in front of the firewall).

I tried the same setup/rules but instead of in the sys-firewall VM I tried
it in my personalVM and while I didn't get an error there, it also didn't
seem to block sites like doubleclick.net?

I assume I am doing something wrong but am not sure what as I thought I was
doing as the qubes firewall doc instructed?
