Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
Don't know if this helps, but since October 2021 I've been using pfSense without any problems. I created an installation guide and script to automate the integration.
https://github.com/jcholsap/freemod/issues/1#issue-1016495279

On Friday, July 30, 2021 at 9:40:06 AM UTC-4 unman wrote:
> On Mon, Jul 26, 2021 at 08:09:52AM +, Michael Singer wrote:
> > On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > > On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > > > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > > > >
> > > > > > Would you let my Qube, which is supposed to connect to only one IP
> > > > > > address on the internet, be based on an extra firewall-vm? Would that
> > > > > > be more secure?
> > > > >
> > > > > You could do this: it would have one particular advantage, in that you
> > > > > could set custom rules in sys-net to restrict access from that
> > > > > sys-firewall to the specified IP address.
> > > >
> > > > Do you have an example of the command line commands you use to set
> > > > such custom rules in an ordinary debian or fedora sys-net?
> > >
> > > Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> > > of sys-firewall.
> > > If your new fw has IP - 10.137.0.200
> > > And target is 195.10.223.181
> > >
> > > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> > >
> > > Would do it.
> > > Adjust for your case, of course
> >
> > Many thanks, unman! This is well explained. Allow one more question: How
> > would you do the same if sys-net is based on an OpenBSD template?
> >
> > Best regards
> > Michael Singer
>
> openBSD in Qubes - Excellent!
>
> You would want something like:
> pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8a19c75b-cc29-475e-955a-05135a048203n%40googlegroups.com.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Mon, Jul 26, 2021 at 08:09:52AM +, Michael Singer wrote:
> On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> > On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > > >
> > > > > Would you let my Qube, which is supposed to connect to only one IP
> > > > > address on the internet, be based on an extra firewall-vm? Would that
> > > > > be more secure?
> > > >
> > > > You could do this: it would have one particular advantage, in that you
> > > > could set custom rules in sys-net to restrict access from that
> > > > sys-firewall to the specified IP address.
> > >
> > > Do you have an example of the command line commands you use to set such
> > > custom rules in an ordinary debian or fedora sys-net?
> >
> > Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> > of sys-firewall.
> > If your new fw has IP - 10.137.0.200
> > And target is 195.10.223.181
> >
> > `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> > `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
> >
> > Would do it.
> > Adjust for your case, of course
>
> Many thanks, unman! This is well explained. Allow one more question: How
> would you do the same if sys-net is based on an OpenBSD template?
>
> Best regards
> Michael Singer

openBSD in Qubes - Excellent!

You would want something like:
pass out on dc0 proto tcp from 10.137.0.200 to 195.10.223.181 port 443

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210730134003.GF19478%40thirdeyesecurity.org.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> > On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > > >
> > > > Would you let my Qube, which is supposed to connect to only one IP
> > > > address on the internet, be based on an extra firewall-vm? Would that
> > > > be more secure?
> > >
> > > You could do this: it would have one particular advantage, in that you
> > > could set custom rules in sys-net to restrict access from that
> > > sys-firewall to the specified IP address.
> >
> > Do you have an example of the command line commands you use to set such
> > custom rules in an ordinary debian or fedora sys-net?
>
> Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> of sys-firewall.
> If your new fw has IP - 10.137.0.200
> And target is 195.10.223.181
>
> `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
>
> Would do it.
> Adjust for your case, of course

Many thanks, unman! This is well explained. Allow one more question: How
would you do the same if sys-net is based on an OpenBSD template?

Best regards
Michael Singer

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6dd537a2-854d-73fa-4d31-595a72638212%40posteo.de.
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Thu, Jul 15, 2021 at 06:07:59PM +, Michael Singer wrote:
> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> > On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
> > >
> > > Would you let my Qube, which is supposed to connect to only one IP
> > > address on the internet, be based on an extra firewall-vm? Would that
> > > be more secure?
> >
> > You could do this: it would have one particular advantage, in that you
> > could set custom rules in sys-net to restrict access from that
> > sys-firewall to the specified IP address.
>
> Do you have an example of the command line commands you use to set such
> custom rules in an ordinary debian or fedora sys-net?

Qubes uses NAT, so sys-net sees all traffic coming from the IP address
of sys-firewall.
If your new fw has IP - 10.137.0.200
And target is 195.10.223.181

`nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
`nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`

Would do it.
Adjust for your case, of course

> > > In the Qube settings for the services there is the service
> > > "disable-default-route". I have not found anything about what it does.
> > > In my case, would it be better to leave it on or turn it off?
> >
> > man qvm-service - this service will remove the default gateway entry. So
> > a qube would be able to access immediate neighbours but not step beyond.
> > It's not what you want here.
>
> What are the immediate neighbors of a qube?

Qubes that are connected - the netvm, or a qube for which *this* is the netvm.

> Can both a qube using the default route and a qube with the
> disable-default-route service turned on access its immediate neighbors, or
> only a qube with the disable-default-route service turned on?

You can always access immediate neighbours, but will have to adjust the
default firewall rules.
Look at https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

> In what situation is it useful for a qube to be able to access its
> immediate neighbors?

Explained on that page: most useful is file exchange with no Qubes tools
installed, but also for testing network code, new pgp or ssh keys, etc.

> All the best
> Michael

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210717102948.GG419%40thirdeyesecurity.org.
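As an added example (my code, not unman's commands and not part of the thread), the same policy as the two `nft insert` rules above, but generated as an `nft -f` ruleset in its own table and base chain, so it does not depend on the position of rules in Qubes' own filter/FORWARD chain. The table name `qubes_pin`, the helper names and the numeric port argument are assumptions; inside sys-net you would call `apply_pin_ruleset 10.137.0.200 195.10.223.181 443`.

```shell
#!/bin/sh
# Added example, not from the thread: emit an "nft -f" ruleset that lets one
# NAT source (the dedicated firewall qube) reach a single destination:port and
# drops everything else it forwards. Table name "qubes_pin" and the helper
# names are assumptions; the addresses are the thread's sample values.

# Dotted quad: exactly four numeric octets, each in 0..255.
valid_ipv4() {
    if printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
    then return 0; fi
    return 1
}

# Plain integer port in 1..65535 (nft also accepts names like "https").
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# A separate base chain on the forward hook at priority -10 runs before Qubes'
# own chains at priority 0: "drop" is final, while "accept" only ends this
# chain, so the default Qubes forward rules still apply to the permitted flow.
# The add/delete prefix makes re-loading the file replace the previous version.
gen_pin_ruleset() {
    fw="$1"; target="$2"; port="$3"
    valid_ipv4 "$fw" && valid_ipv4 "$target" && valid_port "$port" || return 1
    cat <<EOF
add table ip qubes_pin
delete table ip qubes_pin
table ip qubes_pin {
    chain forward {
        type filter hook forward priority -10; policy accept;
        ip saddr $fw ip daddr $target tcp dport $port accept
        ip saddr $fw counter drop
    }
}
EOF
}

# Load the ruleset where nft exists (inside sys-net); elsewhere just print it.
apply_pin_ruleset() {
    rules="$(gen_pin_ruleset "$@")" || return 1
    if command -v nft >/dev/null 2>&1; then
        printf '%s\n' "$rules" | nft -f /dev/stdin
    else
        printf '%s\n' "$rules"
    fi
}
```

Rules loaded this way do not survive a sys-net restart; have /rw/config/rc.local load the file at boot. DNS queries forwarded for that qube are rewritten to the real resolver by Qubes' DNAT before they reach the forward hook, so they are dropped as well and the client has to address the target by IP.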
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet
On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
>
> On Wed, Jul 14, 2021 at 04:40:29, unman wrote:
> > Disable all unnecessary services in the qube - that means almost all of
> > them.
>
> Where would you look for such services?

Look to see what's running in the template/qube.

> Would you let my Qube, which is supposed to connect to only one IP address on
> the internet, be based on an extra firewall-vm? Would that be more secure?

You could do this: it would have one particular advantage, in that you
could set custom rules in sys-net to restrict access from that
sys-firewall to the specified IP address.

> In the Qube settings for the services there is the service
> "disable-default-route". I have not found anything about what it does. In my
> case, would it be better to leave it on or turn it off?

man qvm-service - this service will remove the default gateway entry. So
a qube would be able to access immediate neighbours but not step beyond.
It's not what you want here.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210715115023.GG20432%40thirdeyesecurity.org.