
List:       qubes-devel
Subject:    Re: [qubes-devel] Simplify Qubes firewall forwarding in proxy vms?
From:       Chris Laprise <tasket () openmailbox ! org>
Date:       2016-05-31 11:41:31
Message-ID: 574D786B.1060006 () openmailbox ! org



On 05/30/2016 10:27 PM, HW42 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Chris Laprise:
> > Hi Marek,
> > 
> > While focusing on the vpn stuff[1] I may have stumbled upon a way to
> > make the forwarding chain much simpler.
> > 
> > Replace all the specific rules for downstream vm addresses with this:
> > 
> > FORWARD -i vif+ -d subnet.1 -j ACCEPT
> > FORWARD -i vif+ -d subnet.254 -j ACCEPT
> > 
> > So qubes-firewall would become simpler without the need to iterate
> > over vm addresses associated with a proxy vm. It's probably more
> > effective in general to focus on interfaces where possible, instead of
> > IPs (can't source IP addresses be spoofed?).
> > 
> > What do you think?
> I think this doesn't work since you can have per VM firewall rules and
> some may allow DNS and some not.
> 
> Source IP address spoofing should be prevented by the rules in the "raw"
> table. (see 'iptables -vnL -t raw')
> 
> HW42

I still wonder if the source IPs can be spoofed by a malicious vm. In 
that case would a separate entry for each vif be preferable?

Chris

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscribe@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/574D786B.1060006%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
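The exchange above turns on two iptables facts: per-VM firewall policy needs per-address FORWARD rules (an interface wildcard such as `vif+` cannot say "DNS for this VM but not that one"), and the source address in those rules is trustworthy only because the raw table's PREROUTING chain, which is traversed before FORWARD, drops anything a vif emits with an address other than its own. The following added example (not code from the thread or from Qubes) models both rule sets as first-match lists and evaluates sample packets against them. The VM names, `vifN.0` interface names, and `10.137.2.x` addresses are constructed placeholders, and the rule matcher only models the fields the thread's rules use (input interface, source, destination, destination port).

```python
"""Model of the iptables points raised in the thread (added example, not Qubes code).

Compares per-VM FORWARD rules with the proposed `-i vif+ -d gateway` wildcard, and
shows why raw-table anti-spoofing makes the per-VM source match reliable.
All addresses, VM names and vif names are constructed sample values.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional

GATEWAY = "10.137.2.1"          # constructed: proxy VM gateway ("subnet.1" in the thread)
DNS_SECONDARY = "10.137.2.254"  # constructed: second DNS address ("subnet.254")

# Constructed downstream VMs: name -> (vif interface, assigned IP, DNS allowed by its policy).
DOWNSTREAM = {
    "work": ("vif3.0", "10.137.2.10", True),
    "untrusted": ("vif4.0", "10.137.2.11", False),
}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    table: str                      # "raw" or "filter"
    chain: str                      # "PREROUTING" or "FORWARD"
    in_iface: Optional[str] = None  # iptables-style wildcard, e.g. "vif+"
    src: Optional[str] = None
    src_negated: bool = False       # models "! -s <ip>"
    dst: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"

    def matches(self, pkt: Packet) -> bool:
        # "+" is the iptables interface wildcard; fnmatch uses "*".
        if self.in_iface is not None and not fnmatch(pkt.in_iface, self.in_iface.replace("+", "*")):
            return False
        if self.src is not None and (pkt.src == self.src) == self.src_negated:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def antispoof_rules() -> List[Rule]:
    """raw PREROUTING: each vif may only emit its own assigned address (one entry per vif)."""
    return [Rule("raw", "PREROUTING", in_iface=vif, src=ip, src_negated=True, target="DROP")
            for vif, ip, _dns in DOWNSTREAM.values()]


def per_vm_forward_rules() -> List[Rule]:
    """Existing scheme: one ACCEPT per downstream address whose policy allows DNS, then DROP."""
    rules = [Rule("filter", "FORWARD", src=ip, dst=gw, dport=53)
             for _vif, ip, dns_ok in DOWNSTREAM.values() if dns_ok
             for gw in (GATEWAY, DNS_SECONDARY)]
    rules.append(Rule("filter", "FORWARD", target="DROP"))
    return rules


def interface_only_forward_rules() -> List[Rule]:
    """Proposed simplification: any vif may reach the two gateway addresses."""
    return [Rule("filter", "FORWARD", in_iface="vif+", dst=GATEWAY),
            Rule("filter", "FORWARD", in_iface="vif+", dst=DNS_SECONDARY),
            Rule("filter", "FORWARD", target="DROP")]


def verdict(pkt: Packet, forward_rules: List[Rule]) -> str:
    """First matching rule wins. raw PREROUTING runs before filter FORWARD, so a
    spoofed source is dropped before any FORWARD rule can see it."""
    for rule in antispoof_rules() + forward_rules:
        if rule.matches(pkt):
            return rule.target
    return "DROP"  # chain policy


def compare(pkt: Packet) -> Dict[str, str]:
    """Verdict of the same packet under both FORWARD schemes."""
    return {"per_vm": verdict(pkt, per_vm_forward_rules()),
            "interface_only": verdict(pkt, interface_only_forward_rules())}


if __name__ == "__main__":
    samples = [
        ("work DNS", Packet("vif3.0", "10.137.2.10", GATEWAY, 53)),
        ("untrusted DNS", Packet("vif4.0", "10.137.2.11", GATEWAY, 53)),
        ("spoofed src", Packet("vif4.0", "10.137.2.10", GATEWAY, 53)),  # untrusted using work's IP
    ]
    for name, pkt in samples:
        print(f"{name:14} {compare(pkt)}")
```

The second sample is HW42's objection in miniature: the VM whose policy denies DNS is dropped by the per-VM rules but accepted by the interface wildcard. The third sample shows the raw-table rule doing its job: the spoofed packet never reaches FORWARD under either scheme, which is what lets the per-VM `-s` match be trusted even though it keys on an address rather than an interface.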

