On 07/27/2016 12:25 AM, Franz wrote:
> On Tue, Jul 26, 2016 at 11:38 AM, Steve Coleman <steve.cole...@jhuapl.edu> wrote:
>> Another hack to avoid having to manually type in the addresses is done
>> with the attached script. It's like Marek's solution, but does the
>> parsing on the dom0 side
>
> I understand this means this script should be executed directly in dom0,
> but isn't this a security problem?
Let's see... In this use case we have a "new" vm we want to give a filter. So, you fire up the vm and start the script from Dom0. Then you start your browser and visit the site you want it to work with. At first it will be dns requests originating from the browser and answers from your dns server. The risks here are malformed packets that could trip either tcpdump or python (in this case). To me, it is very unlikely this could result in an advanced persistent threat (APT) in Dom0. Nevertheless, running full streams back-and-forth through any program like tcpdump with a --pass-io to Dom0 can be considered a possible hazard.

In short: As a way to test what you need to communicate with your bank, while only dns or icmp packets are considered - like in the tcpdump example of Marek, it should be OK.

Use it with care.

Greetings, RB
>> and the syntax is a little easier. It does the remote tcpdump command in
>> the vm and the results are returned through the pass-io mechanism. With
>> the -A option the script then generates the qvm-firewall add commands to
>> its stdout. Then, if you want to add that address to the firewall you
>> simply copy and paste the lines you want from that dom0 command terminal
>> window into another dom0 command window, and the address is added to the
>> firewall without any manual typing. If you want, you can add a netmask
>> (e.g. address/24) to an IP in the target window before pressing enter.
>>
>> [user@dom0 ~]$ qvm-fwdenied -A <MyVmName>
>> qvm-firewall <MyVmName> -add ec2-54-200-125-198.us-west-2.compute.amazonaws.com any
>> qvm-firewall <MyVmName> -add 104.244.43.140 any
>> qvm-firewall <MyVmName> -add 104.244.43.44 any
>> qvm-firewall <MyVmName> -add ec2-54-148-80-75.us-west-2.compute.amazonaws.com any
>> qvm-firewall <MyVmName> -add ec2-52-88-118-150.us-west-2.compute.amazonaws.com any
>> qvm-firewall <MyVmName> -add ec2-52-25-189-162.us-west-2.compute.amazonaws.com any
>> ...
>>
>> Note that these appear in batches on the console because tcpdump is in a
>> mode where it exits after some number of captured packets have been
>> filtered, with the default set to 200 packets. By default it will
>> repeatedly restart tcpdump for another batch. The -C ### option allows
>> that default number of packets to be changed.
>>
>> It would be far better if the script was made to be multi-threaded so the
>> output of tcpdump could be read while another thread outputs the commands
>> and asks the user if each entry should be added or not. I just have not
>> had time to look into that yet. It's obviously a work in progress.
>>
>> Also it logs everything to /var/tmp/qvm-fwdenied.log if you need to look
>> at what happened in your last session.
>>
>> On 07/25/2016 02:14 PM, Franz wrote:
>>> On Mon, Jul 25, 2016 at 2:51 PM, Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> wrote:
>>>> On Mon, Jul 25, 2016 at 02:46:55PM -0300, Franz wrote:
>>>>> On Mon, Jul 25, 2016 at 1:24 PM, Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> wrote:
>>>>>> On Mon, Jul 25, 2016 at 12:06:54PM -0300, Franz wrote:
>>>>>>> On Mon, Jul 25, 2016 at 11:11 AM, Marek Marczykowski-Górecki <marma...@invisiblethingslab.com> wrote:
>>>>>>>> On Mon, Jul 25, 2016 at 09:37:10AM -0400, Steve Coleman wrote:
>>>>>>>
>>>>>>> Anyway regarding Marek's script I tried it in a dispVM, it writes:
>>>>>>>
>>>>>>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>>>>
>>>>>>> but then if on the same dispVM I use firefox to go to a gmail account
>>>>>>> or another account, nothing appears on the terminal.
>>>>>>>
>>>>>>> I even looked if anything changed on dispVM firewall rules, but found
>>>>>>> nothing different.
>>>>>>>
>>>>>>> So how is this script working?
>>>>>>
>>>>>> I've just tried and it is still working. It should output a list of
>>>>>> blocked destinations in the format of qvm-firewall commands ready to
>>>>>> load into the Qubes firewall.
>>>>>
>>>>> "blocked destinations"? This makes me think that I should block
>>>>> destinations somehow before running the script. Is that so?
>>>>
>>>> Yes, change VM firewall to deny by default.
>>>
>>> ok now it works, it outputted a list of addresses.
>>>
>>> But I have to paste this list on firewall rules of that VM and this is on
>>> Qubes Manager that is on Dom0, so normal copy paste between VMs does not
>>> work. I can only imagine of writing the addresses on a text file, then
>>> copying the file to Dom0, using
>>>
>>> qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0
>>>
>>> opening the file in Dom0 (which seems half prohibited) and finally
>>> copying the addresses to Qubes Manager. Otherwise I'll have to type the
>>> addresses manually into Qubes Manager. Which is the suggested way to do
>>> that?
>>>
>>>> - --
>>>> Best Regards,
>>>> Marek Marczykowski-Górecki
>>>> Invisible Things Lab
>>>> A: Because it messes up the order in which people normally read text.
>>>> Q: Why is top-posting such a bad thing?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d154763d-ce5f-e02c-dee6-481ec0d4b02c%40jhuapl.edu.
>> For more options, visit https://groups.google.com/d/optout.
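The hazard RB raises above, feeding tcpdump output from a VM into a parser in dom0, is mostly a question of how strictly that parser validates what it reads. The following Python is an added example written for this thread; it is not qvm-fwdenied, not Marek's script, and not code from anyone on the list. It assumes tcpdump was run without -n, so that destinations rejected by a deny-by-default firewall show up as ICMP "host ... unreachable - admin prohibited" lines naming the destination by reverse-DNS name or bare IP (that line format and the sample capture below are constructed assumptions); the -add output syntax is the one shown in Steve's message. Only tokens that validate as a well-formed IP address or a plain ASCII hostname are turned into commands; every other line is reported and dropped, so nothing read over pass-io reaches a dom0 shell unvalidated.

```python
#!/usr/bin/env python3
"""Hypothetical dom0-side filter for VM capture output (added example, not the
list's qvm-fwdenied script).  Everything read over pass-io is untrusted: only
tokens that validate as an IP address or a plain ASCII hostname are turned
into qvm-firewall lines; every other line is reported and dropped."""
import ipaddress
import re
import shlex

# Constructed sample of what a tcpdump run *without* -n might return through
# `qvm-run --pass-io`: rejected destinations appear as ICMP "admin prohibited"
# messages naming the destination by reverse-DNS name or bare IP.  The exact
# format is an assumption; the two malformed lines are deliberately bad input.
SAMPLE_CAPTURE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:00:01.000001 IP 10.137.2.1 > 10.137.2.5: ICMP host ec2-54-200-125-198.us-west-2.compute.amazonaws.com unreachable - admin prohibited, length 68
12:00:01.000002 IP 10.137.2.1 > 10.137.2.5: ICMP host 104.244.43.140 unreachable - admin prohibited, length 68
12:00:01.000003 IP 10.137.2.1 > 10.137.2.5: ICMP host 104.244.43.140 unreachable - admin prohibited, length 68
12:00:01.000004 IP 10.137.2.1 > 10.137.2.5: ICMP host bad;name.example unreachable - admin prohibited, length 68
12:00:01.000005 IP 10.137.2.1 > 10.137.2.5: ICMP host 999.1.1.1 unreachable - admin prohibited, length 68
12:00:01.000006 IP 10.137.2.5 > 10.137.2.1: ICMP echo request, id 7, seq 1, length 64
"""

MAX_LINE = 512                     # refuse oversized lines before any regex work
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(r"^(?:%s\.)+%s\.?$" % (_LABEL, _LABEL))
_ICMP_RE = re.compile(r"ICMP host (\S{1,253}) unreachable - admin prohibited")


def classify_target(token):
    """Return the canonical address or hostname for a safe token, else None."""
    try:
        return str(ipaddress.ip_address(token))       # accepts only well-formed IPs
    except ValueError:
        pass
    name = token.rstrip(".")
    if len(name) > 253 or not _HOSTNAME_RE.match(token):
        return None
    if name.split(".")[-1].isdigit():                 # "999.1.1.1" is not a hostname
        return None
    return name.lower()


def parse_denied(capture_text):
    """Return (accepted targets in first-seen order, rejected line prefixes)."""
    accepted, rejected, seen = [], [], set()
    for raw in capture_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("tcpdump:"):
            continue                                  # blank line or banner
        if len(line) > MAX_LINE or not line.isascii():
            rejected.append(line[:80])
            continue
        match = _ICMP_RE.search(line)
        if match is None:
            continue                                  # unrelated traffic (e.g. echo)
        target = classify_target(match.group(1))
        if target is None:
            rejected.append(line[:80])                # matched, but failed validation
            continue
        if target not in seen:
            seen.add(target)
            accepted.append(target)
    return accepted, rejected


def firewall_commands(vm_name, targets):
    """Lines in the -add syntax quoted in the thread; every field is shell-quoted."""
    return ["qvm-firewall %s -add %s any" % (shlex.quote(vm_name), shlex.quote(t))
            for t in targets]


if __name__ == "__main__":
    ok, bad = parse_denied(SAMPLE_CAPTURE)
    for cmd in firewall_commands("MyVmName", ok):
        print(cmd)
    for line in bad:
        print("# rejected: " + line)
```

Rejected lines are printed as comments rather than silently dropped, so a malformed or unexpected capture is visible to the person about to paste the commands instead of quietly turning into a rule or, worse, into something the terminal interprets.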