Re: [qubes-users] how to investigate which ports need to be open when firewall rules seem to be too restrictive

2017-05-18 Thread Unman
On Fri, May 19, 2017 at 12:21:08AM +0200, 'PR' via qubes-users wrote:
> Hello Unman,
> 
> 
> On 05/19/2017 12:01 AM, Unman wrote:
> >On Thu, May 18, 2017 at 01:55:31PM -0700, 'PR' via qubes-users wrote:
> >>Hello,
> >>
> >>when using AppVMs for special purposes, I like to use deny-all firewall 
> >>rules and only open the necessary ports.
> >>Unfortunately this means a step-by-step approach to find out which domains 
> >>and ports need to be open.
> >>
> >>Question:
> >>Where can I find a log file which shows what the firewall is blocking from 
> >>inside (AppVM) to outside (WAN)?
> >>I know that I've missed some ports to get things up and running, but I 
> >>don't know where to look for them.
> >Hello,
> >
> >You create a log file by inserting a new rule in the iptables chain,
> >using the LOG target.
> >
> >Let's say you want to check what's happening on sys-firewall to
> >traffic from 10.137.1.101
> >iptables -L -nv will show the current rules.
> >Count where the current DROP rule appears in the FORWARD chain - say,
> >it's at position 4.
> >Then insert a LOG rule before that DROP rule:
> >iptables -I FORWARD 4 -s 10.137.1.101 -j LOG
> >
> >
> >Now all the DROPPED traffic will be logged, and you can use dmesg to
> >inspect those logs.
> >
> >unman
> perfect, thanks!!
> I assume that this rule is non-persistent and will not survive a reboot of
> sys-net, correct?
> This would be great as I only need this rule to fine tune my firewall
> settings.
> 
> - P

Reboot of "sys-firewall", I think you mean; otherwise you're right.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170518230817.GA23932%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] how to investigate which ports need to be open when firewall rules seem to be too restrictive

2017-05-18 Thread 'PR' via qubes-users

Hello Unman,


On 05/19/2017 12:01 AM, Unman wrote:

On Thu, May 18, 2017 at 01:55:31PM -0700, 'PR' via qubes-users wrote:

Hello,

when using AppVMs for special purposes, I like to use deny-all firewall rules 
and only open the necessary ports.
Unfortunately this means a step-by-step approach to find out which domains and 
ports need to be open.

Question:
Where can I find a log file which shows what the firewall is blocking from 
inside (AppVM) to outside (WAN)?
I know that I've missed some ports to get things up and running, but I don't 
know where to look for them.

Hello,

You create a log file by inserting a new rule in the iptables chain,
using the LOG target.

Let's say you want to check what's happening on sys-firewall to
traffic from 10.137.1.101
iptables -L -nv will show the current rules.
Count where the current DROP rule appears in the FORWARD chain - say,
it's at position 4.
Then insert a LOG rule before that DROP rule:
iptables -I FORWARD 4 -s 10.137.1.101 -j LOG


Now all the DROPPED traffic will be logged, and you can use dmesg to
inspect those logs.

unman

perfect, thanks!!
I assume that this rule is non-persistent and will not survive a reboot 
of sys-net, correct?
This would be great as I only need this rule to fine tune my firewall 
settings.


- P

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7682876a-acf6-d3d6-d8de-bcbdeda51a7a%40googlemail.com.


Re: [qubes-users] how to investigate which ports need to be open when firewall rules seem to be too restrictive

2017-05-18 Thread Unman
On Thu, May 18, 2017 at 01:55:31PM -0700, 'PR' via qubes-users wrote:
> Hello,
> 
> when using AppVMs for special purposes, I like to use deny-all firewall rules 
> and only open the necessary ports.
> Unfortunately this means a step-by-step approach to find out which domains 
> and ports need to be open.
> 
> Question:
> Where can I find a log file which shows what the firewall is blocking from 
> inside (AppVM) to outside (WAN)?
> I know that I've missed some ports to get things up and running, but I don't 
> know where to look for them.
> 
> - P
> 

Hello,

You create a log file by inserting a new rule in the iptables chain,
using the LOG target.

Let's say you want to check what's happening on sys-firewall to
traffic from 10.137.1.101
iptables -L -nv will show the current rules.
Count where the current DROP rule appears in the FORWARD chain - say,
it's at position 4.
Then insert a LOG rule before that DROP rule:
iptables -I FORWARD 4 -s 10.137.1.101 -j LOG


Now all the DROPPED traffic will be logged, and you can use dmesg to
inspect those logs.

unman

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170518220139.GA23598%40thirdeyesecurity.org.
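The procedure unman describes above (read the rule numbers off the FORWARD chain, insert a LOG rule in front of the DROP rule for the VM, then read dmesg) as a small script, added here as an example and not code from the thread or from Qubes itself. It is meant to be run as root inside sys-firewall on the iptables layout of the thread (Qubes 3.x). Assumptions: the VM being tuned has the IP 10.137.1.101 from the thread (override with VM_IP=...), the log prefix "QFW-DROP " is an arbitrary choice so the lines can be picked out of dmesg, the rule position is still read off by hand as unman says, and the SAMPLE_LOG lines are constructed to look like what the LOG target writes, with documentation addresses rather than real hosts. The "show" and "insert" subcommands need iptables; "summarize" only needs grep, awk and sort and turns the raw kernel lines into a count per protocol, destination and port, which is exactly the list of allow rules you still have to add.

```shell
#!/bin/sh
# Added example, not from the thread. Run inside sys-firewall as root on
# the Qubes 3.x iptables layout discussed in the thread. Assumed values:
# VM_IP is the AppVM being tuned (thread uses 10.137.1.101), LOG_PREFIX is
# an arbitrary tag so the LOG lines can be filtered out of dmesg.

VM_IP="${VM_IP:-10.137.1.101}"
LOG_PREFIX="QFW-DROP "

# Print the FORWARD chain with rule numbers, so the position of the DROP
# rule for this VM can be read off (unman's "count where the DROP rule
# appears" step). The same command shows afterwards whether the LOG rule
# is still in front of the DROP rule before you trust an empty log.
show_forward_chain() {
    iptables -L FORWARD -nv --line-numbers
}

# Insert a LOG rule at the given position, i.e. directly in front of the
# DROP rule currently at that position, matching only traffic from VM_IP.
# Not persistent: it is gone once sys-firewall restarts or the chain is
# regenerated, so re-run "show" if the summary suddenly comes back empty.
insert_log_rule() {
    pos="$1"
    iptables -I FORWARD "$pos" -s "$VM_IP" -j LOG \
        --log-prefix "$LOG_PREFIX" --log-level 4
}

# Reduce kernel LOG lines read on stdin (from dmesg or journalctl -k) to
# "count proto dst dport". An optional first argument keeps only lines from
# that source IP. ICMP has no port, so its port column is "-".
summarize_drops() {
    want="${1:-}"
    grep "$LOG_PREFIX" | awk -v want="$want" '{
        proto = ""; src = ""; dst = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dst == "" || (want != "" && src != want)) next
        cnt[proto " " dst " " dpt]++
    }
    END { for (k in cnt) print cnt[k], k }' | sort -k1,1nr -k2,2 -k3,3 -k4,4n
}

# Constructed sample of what the LOG target writes to the kernel log.
# 198.51.100.10 is a documentation address, 10.139.1.1 stands in for the
# DNS address the VM would use; neither is taken from a real system.
SAMPLE_LOG='[  312.100000] QFW-DROP IN=vif3.0 OUT=eth0 SRC=10.137.1.101 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[  312.200000] QFW-DROP IN=vif3.0 OUT=eth0 SRC=10.137.1.101 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[  312.300000] QFW-DROP IN=vif3.0 OUT=eth0 SRC=10.137.1.101 DST=10.139.1.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=50000 DPT=53 LEN=48
[  312.400000] QFW-DROP IN=vif3.0 OUT=eth0 SRC=10.137.1.101 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
[  312.500000] QFW-DROP IN=vif4.0 OUT=eth0 SRC=10.137.1.102 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-}" in
    show)      show_forward_chain ;;
    insert)    insert_log_rule "$2" ;;
    summarize) summarize_drops "${2:-$VM_IP}" ;;
    *)         printf '%s\n' "$SAMPLE_LOG" | summarize_drops "$VM_IP" ;;
esac
```

Typical use in sys-firewall: "sh qfw-log.sh show", pick the number of the DROP rule for the VM, "sh qfw-log.sh insert 4", exercise the application in the AppVM, then "dmesg | sh qfw-log.sh summarize 10.137.1.101". With no arguments the script runs the summary over the constructed sample and prints three lines: two SYNs to 198.51.100.10:443, one DNS query to 10.139.1.1:53 and one ping, while the line from 10.137.1.102 is dropped by the source filter. Matching only on the source address is deliberate: if the LOG rule sat after the DROP rule, or were not restricted to this VM, you would either see nothing or see every VM's traffic, so check the rule order with "show" whenever the summary does not match what the application is trying to do.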


[qubes-users] how to investigate which ports need to be open when firewall rules seem to be too restrictive

2017-05-18 Thread 'PR' via qubes-users
Hello,

when using AppVMs for special purposes, I like to use deny-all firewall rules 
and only open the necessary ports.
Unfortunately this means a step-by-step approach to find out which domains and 
ports need to be open.

Question:
Where can I find a log file which shows what the firewall is blocking from 
inside (AppVM) to outside (WAN)?
I know that I've missed some ports to get things up and running, but I don't 
know where to look for them.

- P

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9b57185-a56b-4d2e-8873-c8a2ad380b54%40googlegroups.com.