Re: [qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

On 09/21/2016 06:24 AM, Robert Mittendorf wrote:
> On 09/20/2016 at 10:29 PM Chris Laprise wrote:
>> This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms. IIRC, Qubes Manager used to grey out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.
>>
>> As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.
>>
>> Chris
>
> Hey Chris, sorry for my first answer directly to you - I expected a mailing list to set/replace the "answer to" field.
>
> I still use 3.1! Firewall rules are disabled for NetVMs, but not dynamically for VMs that are not connected to a proxy VM.
>
> I'm curious - do you have an example for a useful local proxy(VM) chain?

Yes. For example you can connect a Whonix Tor gateway to a VPN tunnel (or vice-versa). Some people will even add a dedicated firewall to that chain.

Also, if you want to apply some firewall rules easily to many vms which are using your regular firewall vm, you can put another proxy vm upstream from the firewall, then add the rules to the firewall.

> On 09/21/2016 at 12:07 PM Andrew David Wong wrote:
>> Normally, it wouldn't make sense to try to enforce firewall rules for a FirewallVM. That's why the default sys-firewall and sys-net work the way they do. However, if you have a need for this, you're free to create your own FirewallVMs and chain them together.
>
> I agree - that is why my idea was to disable firewall rules for proxy VMs.
>
>>> 2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected
>>
>> Assuming you meant "unconnected," that's right.
>
> Actually I meant connected to a NetVM and thereby the internet. Sorry.
>
>>> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM? I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>>
>> Take a look at these pages:
>> https://www.qubes-os.org/doc/qubes-firewall/
>> https://www.qubes-os.org/doc/networking/
>
> I looked at the firewall page. The networking page seems to miss exactly the information I'm looking for in the "Firewall and Proxy VMs" section - like how the information from xen store is loaded within the proxyVM and what happens if something fails (e.g. is there a risk that proxying works, but firewall rules are ignored?).

There's no reliable & safe way to verify the internal proxyvm state like this. Usually, proxyvms are assigned roles of trust, and trust pertains not only to it being free of malware... but also its ability to function correctly in general. Also, proxyvms such as sys-firewall are relatively simple so there is little that can break.

Chris

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9c0ee243-8701-3a54-8930-27e52f389e98%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
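The enforcement rule the thread keeps circling back to (a VM's rules are applied by the VM directly upstream of it, and only when that upstream VM is a ProxyVM, i.e. one that both provides network and has a netvm of its own) written out as a small topology checker. This is an added Python model, not code from the thread or from Qubes OS itself: the Vm class, the helper names and the sample topology are constructed for illustration, and it deliberately models only the topology; as Chris says above, it cannot tell whether a given proxy actually loaded the rules from xenstore. It implements ideas a) and the "warning if an upstream VM does not implement the firewall rules" case from Robert's list as a single check, and also walks a chained-proxy setup like the Whonix-to-VPN example.

```python
"""Topology check for Qubes 3.x-style firewall rules (constructed model).

Assumption modelled here, taken from the thread: a VM's firewall rules are
applied by its netvm, and only when that netvm is a ProxyVM (provides
network AND has a netvm itself). Rules on a VM whose netvm is a NetVM, or
on a VM with no netvm at all, are silently inactive; the checker reports
those cases. Whether the proxy really loaded the rules is NOT checked.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vm:
    name: str
    netvm: Optional[str]        # name of the upstream VM, None = no network
    provides_network: bool      # True for NetVMs and ProxyVMs
    has_firewall_rules: bool    # rules were configured in the firewall tab


def vm_kind(vm: Vm) -> str:
    """Classify a VM by the two attributes that matter for enforcement."""
    if not vm.provides_network:
        return "AppVM"
    return "ProxyVM" if vm.netvm is not None else "NetVM"


def network_chain(vms: Dict[str, Vm], name: str) -> List[str]:
    """Walk netvm links from `name` up to the VM holding the physical NIC."""
    chain: List[str] = []
    seen = set()
    cur = vms[name].netvm
    while cur is not None:
        if cur in seen:                      # guard against a misconfigured loop
            raise ValueError(f"netvm loop at {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = vms[cur].netvm
    return chain


def firewall_enforced(vms: Dict[str, Vm], name: str) -> bool:
    """True only when the VM's direct upstream is a ProxyVM."""
    upstream = vms[name].netvm
    return upstream is not None and vm_kind(vms[upstream]) == "ProxyVM"


def check_rules(vms: Dict[str, Vm]) -> Dict[str, str]:
    """Map every VM whose configured rules are inactive to the reason."""
    findings: Dict[str, str] = {}
    for vm in vms.values():
        if not vm.has_firewall_rules or firewall_enforced(vms, vm.name):
            continue
        if vm.netvm is None:
            findings[vm.name] = "no netvm: rules never apply"
        else:
            findings[vm.name] = (
                f"netvm {vm.netvm} is a {vm_kind(vms[vm.netvm])}, "
                "not a ProxyVM: rules are not applied")
    return findings


# Constructed sample topology mirroring the cases raised in the thread.
SAMPLE: Dict[str, Vm] = {v.name: v for v in [
    Vm("sys-net",      None,           True,  True),   # NetVM with rules set
    Vm("sys-firewall", "sys-net",      True,  True),   # ProxyVM directly on a NetVM (case 1)
    Vm("sys-vpn",      "sys-firewall", True,  True),   # chained ProxyVM: rules applied by sys-firewall
    Vm("work",         "sys-vpn",      False, True),   # AppVM behind the chain: rules applied
    Vm("personal",     "sys-net",      False, True),   # AppVM attached straight to a NetVM (idea a)
    Vm("vault",        None,           False, True),   # offline AppVM (case 2)
]}

if __name__ == "__main__":
    for vm_name, reason in check_rules(SAMPLE).items():
        print(f"WARNING {vm_name}: {reason}")
    print("chain for work:", " -> ".join(["work"] + network_chain(SAMPLE, "work")))
```

Running it flags sys-net, sys-firewall, personal and vault, while work and sys-vpn pass because their direct upstream is a ProxyVM; that is exactly the distinction the Qubes Manager greying-out behaviour Chris remembers would have made visible.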
Re: [qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

On 09/20/2016 at 10:29 PM Chris Laprise wrote:
> This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms. IIRC, Qubes Manager used to grey out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.
>
> As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.
>
> Chris

Hey Chris, sorry for my first answer directly to you - I expected a mailing list to set/replace the "answer to" field.

I still use 3.1! Firewall rules are disabled for NetVMs, but not dynamically for VMs that are not connected to a proxy VM.

I'm curious - do you have an example for a useful local proxy(VM) chain?

On 09/21/2016 at 12:07 PM Andrew David Wong wrote:
> Normally, it wouldn't make sense to try to enforce firewall rules for a FirewallVM. That's why the default sys-firewall and sys-net work the way they do. However, if you have a need for this, you're free to create your own FirewallVMs and chain them together.

I agree - that is why my idea was to disable firewall rules for proxy VMs.

>> 2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected
>
> Assuming you meant "unconnected," that's right.

Actually I meant connected to a NetVM and thereby the internet. Sorry.

>> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM? I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>
> Take a look at these pages:
> https://www.qubes-os.org/doc/qubes-firewall/
> https://www.qubes-os.org/doc/networking/

I looked at the firewall page. The networking page seems to miss exactly the information I'm looking for in the "Firewall and Proxy VMs" section - like how the information from xen store is loaded within the proxyVM and what happens if something fails (e.g. is there a risk that proxying works, but firewall rules are ignored?).

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6c649166-b766-0f73-d452-b1fbec914f36%40digitrace.de.
Re: [qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

On 2016-09-21 03:07, Andrew David Wong wrote:
> On 2016-09-20 10:16, mittend...@digitrace.de wrote:
>> [...]
>
> Thanks! This general suggestion has previously been made and is currently being tracked here:
>
> https://github.com/QubesOS/qubes-issues/issues/2003

I've added your message as a comment on this issue:

https://github.com/QubesOS/qubes-issues/issues/2003#issuecomment-248568150

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ba961229-0f0f-f2bb-7af2-e033d2665505%40qubes-os.org.
Re: [qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

On 2016-09-20 10:16, mittend...@digitrace.de wrote:
> Hey,
>
> Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.
>
> Examples:
>
> 1) I can configure firewall rules for a ProxyVM, but they are not activated if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)

Correct. Normally, it wouldn't make sense to try to enforce firewall rules for a FirewallVM. That's why the default sys-firewall and sys-net work the way they do. However, if you have a need for this, you're free to create your own FirewallVMs and chain them together.

> 2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected

Assuming you meant "unconnected," that's right. The reasoning here is that the purpose of firewall rules is to govern network traffic. But if a VM has no NetVM (i.e., has no network access at all), then there's no network traffic to govern.

> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM?
> I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from
> http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

Take a look at these pages:

https://www.qubes-os.org/doc/qubes-firewall/
https://www.qubes-os.org/doc/networking/

> Ideas:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).
>
> b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)
>
> c) A warning about DNS-Names in firewall rules
>
> [c) A warning if a connected ProxyVM does not activate the firewall rules]

Thanks! This general suggestion has previously been made and is currently being tracked here:

https://github.com/QubesOS/qubes-issues/issues/2003

Also related:

https://github.com/QubesOS/qubes-issues/issues/2248

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a9e56f9a-d8e1-9f85-f00b-6e83902fbc29%40qubes-os.org.
Re: [qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

On 09/20/2016 01:16 PM, mittend...@digitrace.de wrote:
> Hey,
>
> Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.
>
> Examples:
>
> 1) I can configure firewall rules for a ProxyVM, but they are not activated if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)
>
> 2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected
>
> And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM?
> I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>
> Ideas:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).
> b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)
> c) A warning about DNS-Names in firewall rules
> [c) A warning if a connected ProxyVM does not activate the firewall rules]
>
> thank you,
> Robert Mittendorf

This is a good candidate for filing an issue, but mainly for this situation -- "A warning if an upstream VM does not implement the firewall rules", which should include connecting to netvms. IIRC, Qubes Manager used to grey out the firewall tab for any vm that was connected to a netvm. That doesn't appear to be the case now in R3.2.

As for idea 'b', I'd disagree with that. Chained proxyvms are probably more common than you think.

Chris

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a546e8f-5a84-ed27-17ab-2263e1e6972a%40openmailbox.org.
[qubes-users] Usability: "Firewall rules" setting will likely be misunderstood often

Hey,

Firewall rules are set for a specific VM/Qube. From common understanding people would probably think that those rules are active no matter what happens outside of that very VM/Qube, but in fact it seems like those rules are active if and only if there is a ProxyVM connected to that VM/Qube.

Examples:

1) I can configure firewall rules for a ProxyVM, but they are not activated if that ProxyVM is connected to a NetVM (if I connect another ProxyVM in between, this might probably work?!)

2) I can configure firewall rules for an AppVM, which will not be active if that VM is connected

And: What happens if a ProxyVM does not implement the firewall service, or if the firewall service crashes in the ProxyVM?
I cannot find more information about the firewall mechanism than "centrally managed in Dom0 and exposed to each Proxy VM through Xen store" from http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html

Ideas:
a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a ProxyVM).
b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains are rather unlikely being used?!)
c) A warning about DNS-Names in firewall rules
[c) A warning if a connected ProxyVM does not activate the firewall rules]

thank you,
Robert Mittendorf

--
M. Sc. Informatik Robert Mittendorf
DigiTrace GmbH - Competence in IT Forensics
Managing directors: Alexander Sigel, Martin Wundram
Registry court Köln, HR B 72919
VAT ID: DE278529699
Zollstockgürtel 59, 50969 Köln
Telephone: 0221-6 77 86 95-2
Website: www.DigiTrace.de
E-Mail: i...@digitrace.de

Have you already subscribed to the DigiTrace newsletter? http://www.digitrace.de/de/service/newsletter

DigiTrace is a partner of the Allianz für Cyber-Sicherheit and a member of the nrw.units network for IT security:
https://www.allianz-fuer-cybersicherheit.de
http://www.nrw-units.de/netzwerk/

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9e5aebdb-199d-b25c-daf7-d38dd5fdf2b0%40digitrace.de.