On 04/19/2018 10:59 PM, Chris Laprise wrote:
On 04/19/2018 10:54 PM, Chris Laprise wrote:
On 04/19/2018 09:10 PM, Marek Marczykowski-Górecki wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Apr 19, 2018 at 08:29:17PM -0400, Chris Laprise wrote:
A departure from the R3.x behavior that I think may compromise network
security is that in R4.0 proxyVMs /proc/sys/net/ipv4/ip_forward is '1' while
qubes-firewall is starting and executing firewall scripts.

Unless there is some detail that makes ip_forward moot, I think there should be a patch (ex: /etc/sysctl.conf) to have the initial VM forwarding state at
'0' until qubes-firewall finishes initializing.

There is already service ordering that makes qubes-firewall start
before qubes-network (which enables ip_forward). The first thing that
the qubes-firewall service does is insert a default DROP rule into the appropriate
forward table. But indeed there is nothing that guarantees that
ip_forward is enabled only after calling the user script.

If qubes-network enables ip_forward later, it's likely that something else prior to that (and qubes-firewall) is also enabling it.

A qubes-firewall.d script of 'cat /proc/sys/net/ipv4/ip_forward  >/somefile' shows the value == 1.

OTOH, if the eth0 interface is not up at that point (not sure on that point) then it may not matter.

BTW another test from qubes-firewall.d shows that eth0 is 'UP' at that time.

Clarification: eth0 is UP, but not vif+.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
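The one-line test discussed in the thread (`cat /proc/sys/net/ipv4/ip_forward > /somefile` from a qubes-firewall.d script) only records one of the three facts that decide whether the startup window matters: the value of ip_forward, the default policy of the FORWARD chain (Marek's point about the early DROP rule), and which interfaces are actually up (Chris's point that eth0 is UP but vif+ is not). The script below is an added example, not code from this thread or from Qubes OS: a probe in the style of a qubes-firewall.d hook that records all three at the moment user scripts run and decides whether forwarded traffic could actually transit. It assumes R4.0's iptables-based firewall, so the policy is parsed from the first `-P FORWARD ...` line of `iptables -S FORWARD`; link state is read from `/sys/class/net/*/operstate`; the log path and the `probe` argument are hypothetical choices for this example. The decision logic is kept in pure functions so it can be exercised offline with constructed input.

```shell
#!/bin/sh
# Added example, not part of the qubes-devel thread or of Qubes OS.
# Records ip_forward, the FORWARD chain policy and the interfaces that are up
# at the time a qubes-firewall.d hook runs, and classifies the window.

# Parse `iptables -S FORWARD` output from stdin and print the chain's default
# policy, e.g. "DROP" from the line "-P FORWARD DROP". Prints UNKNOWN if no
# policy line is present (chain missing, iptables not available).
forward_policy_from_rules() {
    policy=UNKNOWN
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD "*) policy=${line#-P FORWARD } ;;
        esac
    done
    printf '%s\n' "$policy"
}

# List interface names under SYSFS_NET_DIR (normally /sys/class/net) whose
# operstate is "up", one per line. The directory is a parameter so the
# function can be run against a constructed tree.
links_up() {
    for state in "$1"/*/operstate; do
        [ -r "$state" ] || continue
        if [ "$(cat "$state")" = "up" ]; then
            dev=${state%/operstate}
            printf '%s\n' "${dev##*/}"
        fi
    done
}

# forward_window_open IP_FORWARD POLICY LINKS
#   IP_FORWARD: "0" or "1" (contents of /proc/sys/net/ipv4/ip_forward)
#   POLICY:     FORWARD chain default policy (DROP, ACCEPT, ...)
#   LINKS:      space-separated interfaces whose operstate is "up"
# Returns 0 (true) only if a packet could be forwarded before the user rules
# are in place: forwarding enabled, policy not DROP, and both a downstream
# vif* and an eth* uplink already up. Any one of these closes the window.
forward_window_open() {
    [ "$1" = "1" ] || return 1
    [ "$2" != "DROP" ] || return 1
    vif_up=0
    uplink_up=0
    for dev in $3; do
        case "$dev" in
            vif*) vif_up=1 ;;
            eth*) uplink_up=1 ;;
        esac
    done
    if [ "$vif_up" = 1 ] && [ "$uplink_up" = 1 ]; then
        return 0
    fi
    return 1
}

# Take one measurement on the live system (needs root for iptables) and print
# a single log line: timestamp, the three facts, and the verdict.
probe() {
    ipf=$(cat /proc/sys/net/ipv4/ip_forward)
    pol=$(iptables -S FORWARD 2>/dev/null | forward_policy_from_rules)
    links=$(links_up /sys/class/net | tr '\n' ' ')
    if forward_window_open "$ipf" "$pol" "$links"; then
        verdict=OPEN
    else
        verdict=closed
    fi
    printf '%s ip_forward=%s policy=%s up="%s" window=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ipf" "$pol" "$links" "$verdict"
}

# Invoke as `script probe [LOGFILE]` from the hook; the default log path is a
# hypothetical choice for this example, not a Qubes convention.
if [ "${1:-}" = probe ]; then
    probe >> "${2:-/var/log/ip-forward-probe.log}"
fi
```

Reading the recorded line is the point: `ip_forward=1 policy=DROP` with only eth0 up means the early DROP rule and the absent vif both close the window that an `ip_forward` value of 1 alone would suggest is open, whereas `policy=ACCEPT` (or `UNKNOWN`, if the chain is not there yet) together with a vif in the up list is the case where a sysctl default of 0 until qubes-firewall finishes would matter.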
