List: qubes-devel
Subject: Re: [qubes-devel] Qubes firewall dom0->VM interface
From: Tray Torrance <torrancew () gmail ! com>
Date: 2017-04-19 4:02:03
Message-ID: CAKBWiwiD4uyd5Hj6x2DiAxODjyfxBt0hNricRdwQA+ib+aC+bg () mail ! gmail ! com
Note that by using dnsmasq's ipset support, workarounds to this limitation
could be devised. I rely on this feature for a specific proxy VM, but today
I manually update dnsmasq's config if I need to add more domains.
Perhaps Salt could be used to glue the dom0 mechanism to the proxy's
dnsmasq config?
On Apr 16, 2017 23:01, "Chris Laprise" <tasket@openmailbox.org> wrote:
> On 04/16/2017 08:29 PM, 'David Shleifman' via qubes-devel wrote:
>
> > On 01/14/2016 05:38 PM, Marek Marczykowski-Górecki wrote:
> >
> > > Current proposal
> > > ================
> > >
> > . . .
> >
> > > - convert the rules to iptables/whatever in ProxyVM
> > >
> >
> >
> > https://www.qubes-os.org/doc/firewall/#how-to-edit-rules
> > points out the known limitation:
> > - whenever one specifies a rule by DNS name, it is
> > resolved to IP(s) at the moment of applying the rules.
> >
> > Please, add to this proposal:
> >
> > - keep the original name; give the user the ability to trigger
> > resolution of all names associated with a given VM Firewall.
> > This ability is supposed to reduce the hardship of the aforesaid
> > limitation.
> >
> >
> > Thanks,
> > - David
> >
> >
> A more usable variation of that may be to detect the presence of domain
> names, and enable automatic/recurring name resolution.
>
> --
>
> Chris Laprise, tasket@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-devel+unsubscribe@googlegroups.com.
> To post to this group, send email to qubes-devel@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/9f1ec044-1115-ba28-7e69-b7f8179d155c%40openmailbox.org.
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscribe@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CAKBWiwiD4uyd5Hj6x2DiAxODjyfxBt0hNricRdwQA%2Bib%2BaC%2Bbg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
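The dnsmasq ipset workaround mentioned at the top of this thread, as an added example (this is not code from the thread, from Qubes OS, or from the poster's own proxy VM): dnsmasq's "ipset=" directive places the addresses it resolves for a domain into a netfilter IP set, and an iptables rule that matches on that set lets the firewall follow the addresses clients actually resolved, rather than the snapshot taken when rules were applied. The set name, config fragment path, chain name, systemd unit name and domain list below are assumptions. Two caveats a practitioner would want: the set is empty until a client's lookup passes through the proxy VM's dnsmasq, so traffic to addresses obtained any other way (a hard-coded resolver, DNS over HTTPS) is never allowed; and dnsmasq does not re-read "ipset=" lines on SIGHUP, so changing the domain list means restarting it, which is the step any Salt glue would have to perform.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes): render a dnsmasq
# "ipset=" fragment for a proxy VM plus the ipset/iptables rules that
# consume it. Set name, fragment path, chain and unit name are assumptions.

SET_NAME="${SET_NAME:-allow_by_name}"
FRAGMENT_PATH="${FRAGMENT_PATH:-/etc/dnsmasq.d/allow-by-name.conf}"
CHAIN="${CHAIN:-FORWARD}"

# Constructed sample input, one domain per line; the real list would be
# whatever the firewall configuration hands the proxy VM.
DOMAINS='example.com
example.net'

# Only accept plain hostnames: "/" and "," are field separators in an
# ipset= line, so a stray one would change which set gets populated.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# One "ipset=/<domain>/<set>" line per domain. dnsmasq adds every A record
# it returns for the domain (and its subdomains) to <set>. For AAAA records
# a second set created with "family inet6" has to be listed as well
# (ipset=/<domain>/<set4>,<set6>), per the dnsmasq manual.
render_dnsmasq_conf() {
    set_name="$1"
    shift
    for d in "$@"; do
        valid_domain "$d" || { echo "rejected domain: $d" >&2; return 1; }
        printf 'ipset=/%s/%s\n' "$d" "$set_name"
    done
}

# The set must exist before dnsmasq tries to add to it ("-exist" makes the
# create idempotent). The ACCEPT rule matches on destination membership, so
# it tracks what clients resolved instead of an apply-time snapshot. It is
# only a whitelist if the chain's remaining policy drops everything else.
render_rules() {
    set_name="$1"
    chain="$2"
    printf 'ipset -exist create %s hash:ip\n' "$set_name"
    printf 'iptables -I %s -m set --match-set %s dst -j ACCEPT\n' "$chain" "$set_name"
}

# Apply on the proxy VM as root: write the fragment, load the rules, then
# restart dnsmasq (SIGHUP does not re-read ipset= lines). Not invoked here.
apply_allow_by_name() {
    # $DOMAINS is deliberately unquoted so each line becomes one argument.
    render_dnsmasq_conf "$SET_NAME" $DOMAINS > "$FRAGMENT_PATH" || return 1
    render_rules "$SET_NAME" "$CHAIN" | sh -e || return 1
    systemctl restart dnsmasq.service   # unit name is an assumption
}

# Stand-alone run: show what would be written and loaded.
render_dnsmasq_conf "$SET_NAME" $DOMAINS
render_rules "$SET_NAME" "$CHAIN"
```

Run it without privileges to inspect the fragment and rules it would install; call apply_allow_by_name only on the proxy VM itself, after checking that the chain it inserts into is the one your client VMs' forwarded traffic actually traverses.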