
Implement new firewall dom0->VM interface #1815

Closed
marmarek opened this issue Mar 6, 2016 · 9 comments
Labels
C: core P: major Priority: major. Between "default" and "critical" in severity. r4.0-fc24-cur-test r4.0-fc25-cur-test r4.0-jessie-cur-test r4.0-stretch-cur-test release notes This issue should be mentioned in the release notes. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Milestone

Comments

@marmarek
Member

marmarek commented Mar 6, 2016

This is placeholder for the outcome of this discussion: https://groups.google.com/d/msgid/qubes-devel/20160114163808.GW4892%40mail-itl

@marmarek marmarek added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. C: core P: major Priority: major. Between "default" and "critical" in severity. release notes This issue should be mentioned in the release notes. labels Mar 6, 2016
@marmarek marmarek added this to the Release 4.0 milestone Mar 6, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Mar 7, 2016
There is no vm.write_iptables_xenstore_entry().

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Mar 7, 2016
 - introduce 'firewall-changed' event
 - add reload_firewall_for_vm stub function

Should that function be private, called only from appropriate event
handlers?

QubesOS/qubes-issues#1815
woju pushed a commit to woju/qubes-core-admin that referenced this issue Mar 11, 2016
There is no vm.write_iptables_xenstore_entry().

QubesOS/qubes-issues#1815
woju pushed a commit to woju/qubes-core-admin that referenced this issue Mar 11, 2016
 - introduce 'firewall-changed' event
 - add reload_firewall_for_vm stub function

Should that function be private, called only from appropriate event
handlers?

QubesOS/qubes-issues#1815
@adrelanos
Member

The outcome is... Quote @marmarek:

  1. have updates proxy running over qrexec instead of TCP/IP, so template will not have its own netvm at all [comment by me: --> implement qrexec based updates proxy #1854]
  2. ease integration of "qubes firewall rules" with other firewalls (like Whonix one) [comment by me: this ticket]

woju pushed a commit to woju/qubes-core-admin that referenced this issue Mar 21, 2016
There is no vm.write_iptables_xenstore_entry().

QubesOS/qubes-issues#1815
woju pushed a commit to woju/qubes-core-admin that referenced this issue Mar 21, 2016
 - introduce 'firewall-changed' event
 - add reload_firewall_for_vm stub function

Should that function be private, called only from appropriate event
handlers?

QubesOS/qubes-issues#1815
@andrewdavidwong
Member

andrewdavidwong commented May 19, 2016

Questions pertaining to using Whonix with firewall rules keep coming up, so I'm providing a response here so that I can direct people to this issue:

Whonix-Gateway does not currently support firewall rules. This is a known issue, which I brought up here and here, which branched off here and is being tracked in #1815 (this issue) and here.

Short answer: For now, there's no way to enforce firewall rules for a VM using a whonix-gw as its NetVM, but a solution is in the works.

andrewdavidwong added a commit that referenced this issue May 31, 2016
marmarek added a commit to QubesOS/qubes-doc that referenced this issue Sep 6, 2016
@marmarek
Member Author

marmarek commented Sep 6, 2016

I've documented the new (yet to be implemented) interface for firewall rules:
https://www.qubes-os.org/doc/vm-interface/

As for the implementation (in the VM), I plan to replace the current iptables-based qubes-firewall script with an nftables one. Thanks to independent tables, it will allow avoiding interference between different firewall tools. For example, it will allow Whonix Gateway to respect those rules without breaking the Whonix firewall.
This is somewhat an extended idea of #974
/cc @adrelanos
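The coexistence idea in the comment above, a firewall that keeps its rules in an nftables table of its own so that another tool's table (Whonix's, for instance) is never touched, as an added example that is not code from qubes-core-agent-linux or from this thread. The `key=value` rule-line format (`action`, `proto`, `dst4`, `dstports`), the table name `qubes-firewall` and the `qbs-<ip>` chain names are my assumptions, modelled loosely on the Qubes 4.x vm-interface; the VM addresses and rules in `main()` are constructed samples. A VM whose rules do not parse gets a chain that only drops, so a malformed rule fails closed rather than being skipped.

```python
"""Render per-VM firewall rules into their own nftables table.

Added example: not code from qubes-core-agent-linux or from this issue.
The 'key=value' rule-line format (action, proto, dst4, dstports), the
table name 'qubes-firewall' and the 'qbs-<ip>' chain names are assumptions
modelled loosely on the Qubes 4.x vm-interface; the VM addresses and rules
in main() are constructed samples.
"""
import ipaddress

TABLE = "qubes-firewall"   # a table of its own: other tools' tables are never touched
ACTIONS = {"accept", "drop"}
PROTOS = {"tcp", "udp", "icmp"}
KNOWN_KEYS = {"action", "proto", "dst4", "dstports"}


def parse_rule(line):
    """Parse one 'key=value ...' rule line, rejecting anything unexpected."""
    rule = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not value or key in rule:
            raise ValueError("malformed or duplicate token: %r" % token)
        rule[key] = value
    unknown = set(rule) - KNOWN_KEYS
    if unknown:
        raise ValueError("unsupported keys: %s" % sorted(unknown))
    if rule.get("action") not in ACTIONS:
        raise ValueError("action must be accept or drop")
    if "proto" in rule and rule["proto"] not in PROTOS:
        raise ValueError("unsupported proto: %r" % rule["proto"])
    if "dst4" in rule:
        # normalises '1.1.1.1' to '1.1.1.1/32'; garbage raises ValueError
        rule["dst4"] = str(ipaddress.IPv4Network(rule["dst4"], strict=False))
    if "dstports" in rule:
        if rule.get("proto") not in ("tcp", "udp"):
            raise ValueError("dstports needs proto=tcp or proto=udp")
        lo, _, hi = rule["dstports"].partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % rule["dstports"])
        rule["dstports"] = (lo, hi)
    return rule


def rule_to_nft(rule):
    """Translate one parsed rule into an nft rule expression."""
    parts = []
    if "dst4" in rule:
        parts.append("ip daddr %s" % rule["dst4"])
    proto = rule.get("proto")
    if proto in ("tcp", "udp") and "dstports" in rule:
        lo, hi = rule["dstports"]
        parts.append("%s dport %s" % (proto, lo if lo == hi else "%d-%d" % (lo, hi)))
    elif proto:
        parts.append("meta l4proto %s" % proto)
    parts.append(rule["action"])
    return " ".join(parts)


def vm_chain_name(ip):
    """One chain per VM, named after its address (assumed naming scheme)."""
    return "qbs-" + ip.replace(".", "-")


def render_vm_chain(ip, policy, lines):
    """Body lines of one VM's chain.  Any unparsable rule or bad policy turns
    the whole chain into 'drop': failing closed beats silently skipping a rule."""
    try:
        body = [rule_to_nft(parse_rule(line)) for line in lines]
    except ValueError as err:
        return ["# rules rejected (%s): blocking all traffic from %s" % (err, ip), "drop"]
    if policy not in ACTIONS:
        return ["# bad policy %r: blocking all traffic from %s" % (policy, ip), "drop"]
    return body + [policy]


def render_table(vms):
    """Emit a complete nft script; vms maps VM IP -> (policy, rule lines)."""
    out = ["add table ip %s" % TABLE,       # idempotent: create if missing
           "flush table ip %s" % TABLE,     # then replace its rules in one transaction
           "table ip %s {" % TABLE,
           "    chain forward {",
           "        type filter hook forward priority 0; policy accept;"]
    for ip in sorted(vms):
        out.append("        ip saddr %s jump %s" % (ip, vm_chain_name(ip)))
    out.append("    }")
    for ip in sorted(vms):
        policy, lines = vms[ip]
        out.append("    chain %s {" % vm_chain_name(ip))
        out.extend("        " + line for line in render_vm_chain(ip, policy, lines))
        out.append("    }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    sample = {  # constructed sample: two VMs behind the same firewall VM
        "10.137.0.5": ("drop", ["action=accept proto=tcp dst4=1.1.1.1 dstports=53",
                                "action=accept proto=tcp dstports=443-443"]),
        "10.137.0.9": ("accept", ["action=drop proto=udp dstports=1-1023",
                                  "action=accept dst4=10.137.0.0/16 bogus=1"]),
    }
    print(render_table(sample))
```

The script is meant to be fed to `nft -f`: the leading `add table` and `flush table` lines make every reload replace only this table's rules, atomically, while any table another firewall tool has loaded is left alone. In the sample, the second VM's `bogus=1` rule makes its whole chain a bare `drop`, which is the behaviour to test for when wiring a rule source like QubesDB into a generator like this.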

marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 8, 2016
First part - handling firewall.xml and rules formatting.
Specification on https://qubes-os.org/doc/vm-interface/

TODO (for dom0):
 - plug into QubesVM object
 - expose rules in QubesDB (including reloading)
 - drop old functions (vm.get_firewall_conf etc)

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue Sep 12, 2016
This rewrite is mainly to adopt the new interface for Qubes 4.x.
Main changes:
 - change language from bash to python, introduce qubesagent python package
 - support both nftables (preferred) and iptables
 - new interface (https://qubes-os.org/doc/vm-interface/)
 - IPv6 support
 - unit tests included
 - nftables version supports running alongside other firewalls already loaded

Fixes QubesOS/qubes-issues#1815
QubesOS/qubes-issues#718
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
First part - handling firewall.xml and rules formatting.
Specification on https://qubes-os.org/doc/vm-interface/

TODO (for dom0):
 - plug into QubesVM object
 - expose rules in QubesDB (including reloading)
 - drop old functions (vm.get_firewall_conf etc)

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
This will allow setting only IPv4-related rules for an IPv4 address, and the
same for IPv6

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 12, 2016
Currently dom0 does not assign IPv6 addresses to VMs, so there is no
sense in an IPv6 firewall yet.

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
First part - handling firewall.xml and rules formatting.
Specification on https://qubes-os.org/doc/vm-interface/

TODO (for dom0):
 - plug into QubesVM object
 - expose rules in QubesDB (including reloading)
 - drop old functions (vm.get_firewall_conf etc)

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
Currently dom0 does not assign IPv6 addresses to VMs, so there is no
sense in an IPv6 firewall yet.

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 19, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
First part - handling firewall.xml and rules formatting.
Specification on https://qubes-os.org/doc/vm-interface/

TODO (for dom0):
 - plug into QubesVM object
 - expose rules in QubesDB (including reloading)
 - drop old functions (vm.get_firewall_conf etc)

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
This will allow setting only IPv4-related rules for an IPv4 address, and the
same for IPv6

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
Currently dom0 does not assign IPv6 addresses to VMs, so there is no
sense in an IPv6 firewall yet.

QubesOS/qubes-issues#1815
marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Sep 21, 2016
@ubestemt

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

@andrewdavidwong
Member

Shouldn't a warning be displayed when using sys-whonix as NetVM and opening the Firewall tab in VM Preferences, just like it is when sys-net is used as NetVM? Otherwise, how will the average user know?

Sounds like this is covered by #2003.

@qubesos-bot

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

5 participants