List: qubes-devel
Subject: Re: [qubes-devel] Simplify Qubes firewall forwarding in proxy vms?
From: Chris Laprise <tasket () openmailbox ! org>
Date: 2016-05-31 11:41:31
Message-ID: 574D786B.1060006 () openmailbox ! org
On 05/30/2016 10:27 PM, HW42 wrote:
> Chris Laprise:
> > Hi Marek,
> >
> > While focusing on the vpn stuff[1] I may have stumbled upon a way to
> > make the forwarding chain much simpler.
> >
> > Replace all the specific rules for downstream vm addresses with this:
> >
> > FORWARD -i vif+ -d subnet.1 -j ACCEPT
> > FORWARD -i vif+ -d subnet.254 -j ACCEPT
> >
> > So qubes-firewall would become simpler without the need to iterate
> > over vm addresses associated with a proxy vm. It's probably more
> > effective in general to focus on interfaces where possible, instead of
> > IPs (can't source IP addresses be spoofed?).
> >
> > What do you think?
> I think this doesn't work since you can have per VM firewall rules and
> some may allow DNS and some not.
>
> Source IP address spoofing should be prevented by the rules in the "raw"
> table. (see 'iptables -vnL -t raw')
>
> HW42
I still wonder if the source IPs can be spoofed by a malicious vm. In
that case would a separate entry for each vif be preferable?
Chris
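A small model of the proxy VM's forwarding path, added here as an illustration and not Qubes' own code, showing why per-VM rules keyed on source address depend on the raw-table anti-spoof rules HW42 mentions. The vif names, the 10.137.2.x addresses, the per-VM DNS policy and the '-i <vif> ! -s <ip> -j DROP' rule form are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_if: str   # vif the packet arrived on
    src: str     # source address the packet claims
    dst: str
    dport: int

@dataclass
class ProxyFirewall:
    vif_ip: dict          # vif -> address assigned to the VM behind it (constructed)
    allowed_ports: dict   # per-VM policy: source address -> allowed destination ports
    antispoof: bool = True  # model of the "raw" table anti-spoof rules

    def raw_prerouting(self, pkt):
        """raw PREROUTING: '-i <vif> ! -s <ip> -j DROP' for every vif (assumed form)."""
        if not self.antispoof:
            return "PASS"
        return "PASS" if self.vif_ip.get(pkt.in_if) == pkt.src else "DROP"

    def forward(self, pkt):
        """filter FORWARD: the per-VM chain is selected by source address, as the thread describes."""
        if not pkt.in_if.startswith("vif"):
            return "DROP"
        if pkt.dport in self.allowed_ports.get(pkt.src, set()):
            return "ACCEPT"
        return "DROP"

    def verdict(self, pkt):
        # A packet dropped in the raw table never reaches the filter table.
        if self.raw_prerouting(pkt) == "DROP":
            return "DROP"
        return self.forward(pkt)

def build():
    # Constructed topology: two downstream VMs; only the one on vif5.0 may use DNS.
    return ProxyFirewall(
        vif_ip={"vif3.0": "10.137.2.10", "vif5.0": "10.137.2.11"},
        allowed_ports={"10.137.2.10": set(), "10.137.2.11": {53}},
    )

def spoof_outcome(antispoof):
    """Verdict for a constructed packet arriving on vif3.0 but carrying vif5.0's address."""
    fw = build()
    fw.antispoof = antispoof
    forged = Packet(in_if="vif3.0", src="10.137.2.11", dst="10.137.2.1", dport=53)
    return fw.verdict(forged)
```

With the raw-table rules in place the mismatched packet is dropped before the per-VM DNS policy is consulted; without them, the interface-only FORWARD rule would apply vif5.0's policy to traffic from vif3.0.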