On 2016-09-20 10:16, mittend...@digitrace.de wrote:
> Hey,
>
> Firewall rules are set for a specific VM/Qube. From common understanding
> people would probably think that those rules are active no matter what
> happens outside of that very VM/Qube, but in fact it seems like those rules
> are active if and only if there is a ProxyVM connected to that VM/Qube.
>
> Examples:
>
> 1) I can configure firewall rules for a ProxyVM, but they are not activated, if
> that ProxyVM is connected to a NetVM (if I connect another ProxyVM in
> between, this might probably work?!)
>
Correct. Normally, it wouldn't make sense to try to enforce firewall rules for a FirewallVM. That's why the default sys-firewall and sys-net work the way they do. However, if you have a need for this, you're free to create your own FirewallVMs and chain them together.

> 2) I can configure firewall rules for an AppVM, which will not be active if
> that VM is connected
>

Assuming you meant "unconnected," that's right. The reasoning here is that the purpose of firewall rules is to govern network traffic. But if a VM has no NetVM (i.e., has no network access at all), then there's no network traffic to govern.

> And: What happens if a ProxyVM does not implement the firewall service, or if
> the firewall service crashes in the ProxyVM?
> I cannot find more information about the firewall mechanism than "centrally
> managed in Dom0 and exposed to each Proxy VM through Xen store" from
> http://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>

Take a look at these pages:

https://www.qubes-os.org/doc/qubes-firewall/
https://www.qubes-os.org/doc/networking/

> Ideas:
> a) A warning if an AppVM is (about to be) connected to a NetVM (instead of a
> ProxyVM).
>
> b) Do not allow "firewall rules" being set for ProxyVMs (I think Proxy-Chains
> are rather unlikely to be used?!)
>
> c) A warning about DNS-Names in firewall rules
>
> [c) A warning if a connected ProxyVM does not activate the firewall rules]

Thanks!
This general suggestion has previously been made and is currently being tracked here:

https://github.com/QubesOS/qubes-issues/issues/2003

Also related:

https://github.com/QubesOS/qubes-issues/issues/2248

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
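A small model of the enforcement rule discussed in this thread, added here as an example (it is not Qubes' own code and is not from either poster): for a constructed topology it decides whether a qube's firewall rules would actually be applied, and emits the warnings proposed in ideas (a) and (c). `Qube`, `enforcement_status` and `audit` are assumed names, and the topology below is made up.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Qube:
    name: str
    netvm: Optional[str]              # upstream NetVM/ProxyVM, or None for no network
    provides_network: bool = False    # True for NetVMs and ProxyVMs
    rules: list = field(default_factory=list)  # constructed rules: {"host": ..., "port": ...}

def enforcement_status(topology: dict, name: str) -> tuple:
    # Model from the thread: a qube's rules are applied by the ProxyVM directly upstream of it,
    # where a ProxyVM is a network-providing qube that itself has a NetVM.
    q = topology[name]
    if q.netvm is None:
        return "no_network", f"{name} has no NetVM, so there is no traffic to filter"
    up = topology[q.netvm]
    if up.provides_network and up.netvm is not None:
        return "enforced", f"rules for {name} are applied by ProxyVM {up.name}"
    return "unenforced", f"{name} is connected directly to NetVM {up.name}; its rules are not applied"

def _is_ip_or_cidr(host: str) -> bool:
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        return False

def audit(topology: dict) -> list:
    # Warnings (a) and (c) from the thread: rules that will not be enforced, and DNS names in rules.
    warnings = []
    for name, q in topology.items():
        status, reason = enforcement_status(topology, name)
        if status == "unenforced" and q.rules:
            warnings.append(f"{name}: {reason}")
        for rule in q.rules:
            if not _is_ip_or_cidr(rule["host"]):
                warnings.append(f"{name}: rule uses DNS name {rule['host']!r} instead of an IP/CIDR")
    return warnings

# Constructed sample topology (not a real system): the default sys-net/sys-firewall pair,
# an AppVM behind the firewall, an AppVM wired straight to sys-net, and an offline vault.
TOPOLOGY = {
    "sys-net": Qube("sys-net", None, provides_network=True),
    "sys-firewall": Qube("sys-firewall", "sys-net", True, [{"host": "10.0.0.0/8", "port": 22}]),
    "work": Qube("work", "sys-firewall", rules=[{"host": "mail.example.com", "port": 993}]),
    "direct": Qube("direct", "sys-net", rules=[{"host": "192.0.2.10", "port": 443}]),
    "vault": Qube("vault", None),
}
```

Running `audit(TOPOLOGY)` flags sys-firewall and direct (rules set but no ProxyVM upstream) and the DNS name in work's rule; vault and sys-net produce nothing because they have no NetVM.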