Re: [qubes-users] Sys-net with a 2 port NIC, how to allow/block interfaces?

2017-07-07 Thread Unman
On Thu, Jul 06, 2017 at 07:22:51PM -0400, Essax wrote:
> Hi Unman
> Thanks! That's exactly what I wanted to accomplish. Although I could use a 
> little clarification on a couple of things.
> 
> > You can examine the IP addresses allocated to the qubes using
> > "qvm-ls -n".
> 
> I ran this command and there are three IP addresses listed for most of the 
> qubes. Going from left to right, I know the first one is the qube IP 
> address. The second IP address is only given to proxy-vms (what is this IP 
> for?) and the third IP address is the upstream gateway IP??
> 
> > Each firewall provides masquerade NAT to downstream qubes. This means
> > that you can simply do the following:
> > firewall-vm0 : eth0 - 10.137.10.10
> > firewall-vm1 : eth0 - 10.137.10.100
> 
> I'm sure you can guess my next question. Those two IP addresses would be the 
> actual IP of the qubes. (sorry, I have to be sure : )
> Essax
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 

So if you look at the top of the output you will see some helpful
headings.
The first address is that of eth0.
The second is the address used on vif interfaces to connect downstream.
The third is the address of the upstream netvm (and so will match the
2nd IP address of THAT qube).

In answer to your question, the IP addresses I 

Re: [qubes-users] Sys-net with a 2 port NIC, how to allow/block interfaces?

2017-07-06 Thread 'Essax' via qubes-users
Hi Unman
Thanks! That's exactly what I wanted to accomplish. Although I could use a 
little clarification on a couple of things.

> You can examine the IP addresses allocated to the qubes using
> "qvm-ls -n".

I ran this command and there are three IP addresses listed for most of the 
qubes. Going from left to right, I know the first one is the qube IP 
address. The second IP address is only given to proxy-vms (what is this IP 
for?) and the third IP address is the upstream gateway IP??

> Each firewall provides masquerade NAT to downstream qubes. This means
> that you can simply do the following:
> firewall-vm0 : eth0 - 10.137.10.10
> firewall-vm1 : eth0 - 10.137.10.100

I'm sure you can guess my next question. Those two IP addresses would be the 
actual IP of the qubes. (sorry, I have to be sure : )
Essax
Sent with [ProtonMail](https://protonmail.com) Secure Email.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/WszUs9sGM9qi48M2RaOxkmtA5od7C02DWQdga-3Im3D960qCOv7CkSuSqp10tSctYnMrnZGuWWmYgbWH5J4r1p9SIrZKzw3UFyErA94U5wc%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Sys-net with a 2 port NIC, how to allow/block interfaces?

2017-07-05 Thread Unman
On Wed, Jul 05, 2017 at 08:08:02PM -0400, 'Essax' via qubes-users wrote:
> I have a laptop with a 2 port NIC. I would like to have 1 subset of appVMs that 
> are connected to sys-net to use the eth0 interface and the other subset to 
> use the eth1 interface. It is not possible to assign 1 port into separate 
> sys-nets. I have tried that and only eth0 will function. It's also my 
> understanding that eth0 is the interface used between qubes. (Is this wrong?) 
> If so, would this prevent me from using iptables in firewall-vm1 to block 
> traffic to the eth0 interface? That would block traffic to sys-net as well (I 
> think). The only solution I have come up with would be to go to dom0 GUI --> 
> appvm1 ---> edit VM firewall rules ---> allow networks except 172.16.1.1/24. 
> This would not block traffic to the eth0 interface but it would prevent it 
> from going any further than the 172.16.1.1 pfsense interface. Then I could do 
> the same for firewall-vm0 and block it from the 192.168.1.1 pfsense 
> interface. Is there a better way to do this with iptables?
> 
> pfsense 192.168.1.1/24 -- eth1 -- firewall-vm1 -- appvm1
>                           (sys-net)
> pfsense 172.16.1.1/24  -- eth0 -- firewall-vm0 -- VPN/proxyvm -- appvm0
> 
> Thanks in advance
> Essax

I'm not sure what you mean by "eth0 is the interface used between
qubes". Each qube is attached to its upstream proxy, its eth0
connecting to a vifX interface on the proxy.

You can examine the IP addresses allocated to the qubes using 
'qvm-ls -n'.

On your proposal the downstream qubes would only be able to connect to
the networks attached to eth0 and eth1. This may be what you want. If
you want to connect to the net (or another network) via those connected
networks, there is an alternative.

Each firewall provides masquerade NAT to downstream qubes. This means
that you can simply do the following:
firewall-vm0 : eth0 - 10.137.10.10
firewall-vm1 : eth0 - 10.137.10.100

On sys-net:
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -o eth1 -j DROP
iptables -I FORWARD -s 10.137.10.100 -o eth1 -j ACCEPT
iptables -I FORWARD -s 10.137.10.10 -o eth0 -j ACCEPT

Those rules explicitly block and allow traffic. You could combine into
one rule but this makes it clearer what is happening and will allow you
to track counters as traffic flows.
I think it's neater than your proposal.
You'll also want to keep the rules allowing established traffic back
through sys-net.

You can put these rules into rc.local, and qubes-firewall-user-script,
as set out here:
www.qubes-os.org/doc/firewall

unman
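The steering rules above, written out as an added example that is not code from the thread or from the Qubes project: an idempotent fragment for sys-net's qubes-firewall-user-script that keeps the established-traffic allowance Unman mentions and places the allow/deny rules in their own chain so the per-rule counters are easy to read. The qube IPs and interface names are the thread's; the chain name QUBES_STEER and the --show/--apply switches are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-qube interface steering on
# sys-net, meant for /rw/config/qubes-firewall-user-script. The qube IPs and
# NIC names are the ones used in the thread; QUBES_STEER is an assumed name.
IPT="${IPT:-iptables}"
CHAIN="QUBES_STEER"
PHYS_IFACES="eth0 eth1"

# Policy: "<downstream firewall qube IP> <the only physical NIC it may use>"
POLICY="10.137.10.10 eth0
10.137.10.100 eth1"

# Print the iptables commands on stdout so they can be reviewed (or checked)
# before they are applied. Appending (-A) to a freshly flushed chain keeps
# the rules in the order written, which is easier to audit than -I inserts.
steer_rules() {
    # Create the chain on first run, flush it on later runs.
    echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    # Reply packets of connections already accepted must keep flowing.
    echo "$IPT -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicit allow: each firewall qube may leave only through its own NIC.
    printf '%s\n' "$POLICY" | while read -r src oif; do
        [ -n "$src" ] || continue
        echo "$IPT -A $CHAIN -s $src -o $oif -j ACCEPT"
    done
    # Default deny for anything else headed to a physical NIC; traffic back
    # towards the vif interfaces (downstream) is not matched here.
    for oif in $PHYS_IFACES; do
        echo "$IPT -A $CHAIN -o $oif -j DROP"
    done
    # Hook the chain at the top of FORWARD exactly once (-C tests presence).
    echo "$IPT -C FORWARD -j $CHAIN 2>/dev/null || $IPT -I FORWARD 1 -j $CHAIN"
}

# Inspect the counters afterwards with: iptables -L QUBES_STEER -v -n
case "${1:-}" in
    --apply) steer_rules | sh ;;   # run as root inside sys-net
    --show)  steer_rules ;;        # dry run: print the rules only
esac
```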



[qubes-users] Sys-net with a 2 port NIC, how to allow/block interfaces?

2017-07-05 Thread 'Essax' via qubes-users
I have a laptop with a 2 port NIC. I would like to have 1 subset of appVMs that 
are connected to sys-net to use the eth0 interface and the other subset to use 
the eth1 interface. It is not possible to assign 1 port into separate sys-nets. 
I have tried that and only eth0 will function. It's also my understanding that 
eth0 is the interface used between qubes. (Is this wrong?) If so, would this 
prevent me from using iptables in firewall-vm1 to block traffic to the eth0 
interface? That would block traffic to sys-net as well (I think). The only 
solution I have come up with would be to go to dom0 GUI --> appvm1 ---> edit VM 
firewall rules ---> allow networks except 172.16.1.1/24. This would not block 
traffic to the eth0 interface but it would prevent it from going any further 
than the 172.16.1.1 pfsense interface. Then I could do the same for 
firewall-vm0 and block it from the 192.168.1.1 pfsense interface. Is there a 
better way to do this with iptables?

pfsense 192.168.1.1/24 -- eth1 -- firewall-vm1 -- appvm1
                          (sys-net)
pfsense 172.16.1.1/24  -- eth0 -- firewall-vm0 -- VPN/proxyvm -- appvm0

Thanks in advance
Essax
Sent with [ProtonMail](https://protonmail.com) Secure Email.
