Re: [qubes-users] Not using firewall rules correctly?
On Saturday, May 20, 2017 at 9:43:52 AM UTC-4, Gaiko wrote:
> So when you say in a debian vm, do you happen to mean as a debian vm via
> proxy? Like in the middle of your vm?
>
> Slightly off topic but would sites "see" host files or peerguardian (ie
> blocking but not at the browser level) as blocking? Some sites give you guff
> about blocking and there is also the privacy aspect of making oneself even
> more unique.
>
> thx!

you can put it in a proxy too. I wouldn't trust it in anything trusted or sensitive.

Some sites do give a warning, but it's rare. Usually, something on a site just doesn't work or load till you allow something. To filter all these scripts and ips from websites really isn't that practical. I'm a little nuts too cause I only temp allow stuff 90% of the time. The use is similar to noscript, but for ips.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/829f0ca9-8a89-407c-8194-b38634df4091%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Not using firewall rules correctly?
On Tuesday, May 9, 2017 at 9:53:30 PM UTC-4, cooloutac wrote:
> to filter http is a pain. I use lists from iblocklist.com in peerguardian on
> debian vm. so you can use mouse to temp allow stuff sometimes. it blocks
> like between 2 and 3 mil ip addresses. only ipv4 though and probably some
> overlap. I disable ipv6 in grub. but you have to not use the pc or have
> crazy discipline.

So when you say in a debian vm, do you happen to mean as a debian vm via proxy? Like in the middle of your vm?

Slightly off topic but would sites "see" host files or peerguardian (ie blocking but not at the browser level) as blocking? Some sites give you guff about blocking and there is also the privacy aspect of making oneself even more unique.

thx!
Re: [qubes-users] Not using firewall rules correctly?
On Tuesday, May 2, 2017 at 1:03:18 AM UTC-4, Drew White wrote:
> The hosts file is one of the files in the base, so it's always replaced.
>
> I recommend creating a hosts file in the /rw directory, then in rc.local
> deleting the hosts file and creating a link to the one in /rw
>
> That's what I do, and it works like a charm.
>
> Other than that, you can set up an internal DNS server that hangs off the
> proxyVM to handle all DNS requests from all other guests that hang off that
> ProxyVM.
>
> It's just another simple solution.

Thanks, I will give that a try.
Re: [qubes-users] Not using firewall rules correctly?
On Mon, May 1, 2017 at 10:47 PM, Gaiko Kyofusho <gaikokujinkyofu...@gmail.com> wrote:
> On Sat, Apr 29, 2017 at 6:45 PM, Unman wrote:
>> On Sat, Apr 29, 2017 at 06:13:46PM -0400, Gaiko Kyofusho wrote:
>> > Thanks, I looked up about host files, and found the
>> > github.com/StevenBlack/hosts file which is handy but what I am still a bit
>> > confused about is where to put it. The reason I assumed dom0 before was I
>> > thought anything put in /etc/ would be erased on reboot which seems to be
>> > happening, is there some way around this or perhaps I should be putting it
>> > in the template?
>>
>> You can put the file in /rw/config, and then in /rw/config/rc.local
>> include:
>> cat /rw/config/hosts >> /etc/hosts
>> Or you can use bind-dirs to make /etc/hosts survive a reboot.
>
> Thanks. I am not sure how to bind dirs but I understand putting the file
> in the config dir and cat'ing it into /etc/hosts... but since those are
> write protected dirs would the rc.local execute those commands as root (or
> su or sudo not sure about the terminology here)? I ask because when I try:
>
> source rc.local
>
> it gives me permission denied errors, I tried adding "sudo" in front but
> that didn't seem to help?

oops, sent prematurely. When I try to restart the vm, then go into the terminal and:

less /etc/hosts

it still seems to be the original and not updated hosts?
Re: [qubes-users] Not using firewall rules correctly?
On Fri, Apr 28, 2017 at 06:08:42PM -0400, Gaiko Kyofusho wrote:
> I thought I would make use of Qubes firewall feature and try blocking some
> sites. I 1st tried in the firewallVM -> settings -> firewall rules and
> added some sites, doubleclick.net for example
>
> I closed it etc then went back to it and saw this error:
>
> The sys-firewall AppVM is not network connected to a FirewallVM
> You may edit the sys-firewall VM firewall rules but these will not take
> effect until you connect it to a working firewallVM
>
> ?? I was editing the rules in the sys-firewall VM so I am not sure about
> that, unless perhaps because I have a VPN running? (the VPN is behind
> not in front of the firewall).
>
> I tried the same setup/rules but instead of in the sys-firewall VM I tried
> it in my personalVM and while I didn't get an error there, it also didn't
> seem to block sites like doubleclick.net?
>
> I assume I am doing something wrong but am not sure what as I thought I was
> doing as the qubes firewall doc instructed?

The Qubes firewall is set for each qube. So if you want to block a particular qube from accessing a site you make a change in the firewall for that qube, and it is implemented in iptables on the proxyVM upstream of the qube.

You have tried to set a rule on the firewallVM, and the error message is telling you that sys-net does not act as a firewallVM.

If you want to block traffic FROM sys-firewall then you can set iptables rules ON sys-firewall and set them from rc.local or qubes-firewall-user-script in /rw/config. Alternatively you can write custom rules in sys-net and implement them there to block traffic from downstream qubes.

A major problem in doing this is that iptables acts on IP addresses. If you want to block something like doubleclick.net then you would have to block all the IP addresses associated with that domain.

An alternative approach would be to make entries in /etc/hosts resolving to a local address. This stops any DNS resolution and effectively blocks access to the site. If you look online there are many examples of hosts files that use this technique to block access to questionable sites.

hth

unman
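
Added example, not part of any message in this thread: a shell version of the hosts-file blocking described above that keeps only sinkhole entries from a downloaded list and merges them into the hosts file idempotently. The function names and marker comments are assumptions; the `/rw/config` paths in the usage comment are the ones named elsewhere in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and marker strings are
# assumptions; the /rw/config paths in the usage line come from the thread.
BEGIN_MARK="# BEGIN local blocklist"
END_MARK="# END local blocklist"

# Print the sinkhole entries of list $1 ("0.0.0.0 name" or "127.0.0.1 name"),
# normalised to 0.0.0.0. A line that maps a name to any other address is
# dropped, so a tampered list cannot redirect a real domain. Names without a
# dot, literal IPs and localhost.* are skipped.
filter_blocklist() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^([A-Za-z0-9_-]+\.)+[A-Za-z][A-Za-z0-9-]*$/ &&
                    $i !~ /^localhost\./)
                    print "0.0.0.0 " $i
        }
    ' "$1" | sort -u
}

# Rewrite hosts file $2 as: its own entries, then the filtered list $1
# between markers. Running it twice gives the same file, unlike ">>".
apply_blocklist() {
    list=$1
    hosts=$2
    tmp=$(mktemp) || return 1
    # Copy the current file minus any block written by an earlier run.
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip
    ' "$hosts" > "$tmp" || return 1
    {
        echo "$BEGIN_MARK"
        filter_blocklist "$list"
        echo "$END_MARK"
    } >> "$tmp"
    # Overwrite in place so a symlinked or bind-mounted file stays in place.
    cat "$tmp" > "$hosts" && rm -f "$tmp"
}

# Usage from /rw/config/rc.local (Qubes runs it as root at VM start only if
# the file is executable):
#   apply_blocklist /rw/config/hosts /etc/hosts
```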
[qubes-users] Not using firewall rules correctly?
I thought I would make use of Qubes firewall feature and try blocking some sites. I 1st tried in the firewallVM -> settings -> firewall rules and added some sites, doubleclick.net for example

I closed it etc then went back to it and saw this error:

The sys-firewall AppVM is not network connected to a FirewallVM
You may edit the sys-firewall VM firewall rules but these will not take effect until you connect it to a working firewallVM

?? I was editing the rules in the sys-firewall VM so I am not sure about that, unless perhaps because I have a VPN running? (the VPN is behind not in front of the firewall).

I tried the same setup/rules but instead of in the sys-firewall VM I tried it in my personalVM and while I didn't get an error there, it also didn't seem to block sites like doubleclick.net?

I assume I am doing something wrong but am not sure what as I thought I was doing as the qubes firewall doc instructed?