Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qubes-firewall service should policy only outgoing VM traffic #3644

Closed
marmarek opened this issue Mar 1, 2018 · 8 comments · Fixed by QubesOS/qubes-core-agent-linux#107
Closed

qubes-firewall service should policy only outgoing VM traffic #3644

marmarek opened this issue Mar 1, 2018 · 8 comments · Fixed by QubesOS/qubes-core-agent-linux#107
Assignees
@marmarek
Labels
C: core C: templates P: minor Priority: minor. The lowest priority, below "default." r4.0-buster-stable r4.0-centos7-stable r4.0-fc26-stable r4.0-jessie-stable r4.0-stretch-stable
Milestone
Release 4.0 updates

Comments

@marmarek
Copy link
Member

marmarek commented Mar 1, 2018

Qubes OS version:

R4.0

qubes-firewall service is designed to policy outgoing traffic from VMs. This is also the only part that can be configured in it (the traffic rules are assigned to source address). Currently it blocks any traffic not explicitly allowed by per-VM rules. This makes inter-VM networking harder to configure. Especially when the service use nftables instead of iptables.
@marmarek marmarek added bug C: core C: templates P: minor Priority: minor. The lowest priority, below "default." labels Mar 1, 2018
@marmarek marmarek added this to the Release 4.0 milestone Mar 1, 2018
@marmarek marmarek self-assigned this Mar 1, 2018
@marmarek marmarek mentioned this issue Mar 1, 2018
Merged
@yonjah
Copy link

yonjah commented Mar 26, 2018

@marmarek is there any explanation on how to get inter-VM networking working in R4.0 ?
Documentation update seem to only apply for external communication and as much as I tried getting nftables configuration right I can only get pings going but nothing else

@marmarek
Copy link
Member Author

marmarek commented Apr 2, 2018

https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes should work (no need for manual nftables rules).
If you set restrictive firewall rules in qube settings (firewall tab), you need to also allow traffic there.

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Apr 2, 2018
@marmarek
qubes-firewall: handle only traffic originating from VMs
d045990 
Ignore packets coming from non-vif interfaces early.

Fixes QubesOS/qubes-issues#3644
marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Apr 3, 2018
@marmarek
qubes-firewall: handle only traffic originating from VMs
53c9b45 
Ignore packets coming from non-vif interfaces early.

Fixes QubesOS/qubes-issues#3644
@marmarek marmarek mentioned this issue Apr 3, 2018
Merged
@qubesos-bot
Copy link

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.25-1.fc26) has been pushed to the r4.0 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot mentioned this issue Apr 21, 2018
Closed
@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-agent_4.0.25-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.28-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot
Copy link

Automated announcement from builder-github

The package qubes-core-agent_4.0.28-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marmarek marmarek

Labels
C: core C: templates P: minor Priority: minor. The lowest priority, below "default." r4.0-buster-stable r4.0-centos7-stable r4.0-fc26-stable r4.0-jessie-stable r4.0-stretch-stable
Projects
None yet
Milestone
Release 4.0 updates
Development

Successfully merging a pull request may close this issue.

Network fixes marmarek/qubes-core-agent-linux
4 participants
@marmarek @yonjah @andrewdavidwong @qubesos-bot