On Fri, 24 May 2024 15:59:04 +0200 Marek Marczykowski-Górecki wrote:

> Yes, but also note the antispoof chain (used for all vif+ interfaces)
> ends with a drop rule.
> So, for vif only explicitly allowed (source) IPs are accepted, others
> are blocked. And for eth0 it's the opposite: IPs used elsewhere are
> blocked and others are allowed.

Yes, I understand.

To do this downstream thing in ingress, we should use a separate
ingress chain for eth0. I have already done the per-vif chain, as you
suggested. I will do this too. Please give me some time, as I am quite
busy these days. I will send back the updated script, so you can have a
look.

> > True. There is a reason why Team Cymru adds a warning to know
> > one's network.
> > 
> > It is possible to use a whitelist and a permissive rule before bogon
> > dropping, then process these particular packets later down the
> > hooks. Creating this whitelist has a usability burden, so perhaps
> > it can be defined through some kind of UI, similar to that for
> > "Default and service qubes" in global config. What do you say?
> 
> That can be an optional configuration the user can opt in to. I don't
> want this part in the default rules, even if the user could adjust it to
> make it work in their particular network.

I understand you want to avoid extra complexity and that makes sense.
Re. your earlier:

> Well, this is too broad, as for example sys-net is allowed to use its
> own IP to send packets down the network (like to sys-firewall or other
> qubes). This happens for example for ICMP error packets. It would also
> break any communication to your LAN (like, using network printer in
> your LAN)...
> 
> This list may only work on an internet-only router without any kind of
> LAN involved.

The problem is that this implies trust in the infrastructure and in the
[generally distrusted] sys-net too, i.e. a compromised device/qube can
send malicious traffic, and the current permissive implementation allows
everything except the downstream. This means unwanted packets (including
bogons) travel all the way to the filter hook rather than being dropped
early.

Speaking of this, are there any plans for D/DoS protection for Qubes?
(XDP, BPF)

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20240527192703.0df2f151%40localhost.

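The two opposite antispoof policies discussed above (per-vif allow-list with a final drop, and an eth0 ingress chain that drops downstream addresses and then bogons, with an opt-in LAN exception checked first), written out as an added illustrative nftables ruleset. This is not the qubes-firewall script from the thread or the Qubes project's own ruleset; the table, set and chain names and all addresses are constructed placeholders.

```nft
# Added example, not the ruleset from the thread. All names and
# addresses below are constructed placeholders.

# Per-vif direction: only explicitly allowed (interface, source) pairs
# may enter from a downstream qube; everything else hits the drop rule.
table ip example-antispoof {
    set vif_allowed {
        type ifname . ipv4_addr
        elements = { "vif3.0" . 10.137.0.5, "vif4.0" . 10.137.0.6 }
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname "vif*" jump antispoof
    }

    chain antispoof {
        iifname . ip saddr @vif_allowed accept
        counter drop comment "vif source not in allow list"
    }
}

# eth0 direction: addresses used by downstream qubes are blocked on the
# uplink, everything else is allowed. The bogon drop is opt-in and sits
# behind an operator-maintained LAN whitelist, so LAN traffic (printers,
# sys-net's own address on its LAN) is exempted before bogons are dropped.
table netdev example-ingress {
    set downstream {
        type ipv4_addr; flags interval
        elements = { 10.137.0.0/16, 10.138.0.0/16 }
    }
    set lan_allowed {
        type ipv4_addr; flags interval
        elements = { 192.168.1.0/24 }
    }
    set bogons {
        type ipv4_addr; flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
    }

    chain eth0-ingress {
        type filter hook ingress device eth0 priority -500; policy accept;
        ip saddr @downstream counter drop comment "downstream address on uplink"
        ip saddr @lan_allowed accept comment "opt-in LAN exception"
        ip saddr @bogons counter drop comment "opt-in bogon filtering"
    }
}
```

The ingress hook runs before prerouting, so packets matched here never reach the filter hook; the counters give a cheap way to verify what each rule is actually catching on a given network before the bogon rule is enabled.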