On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:

> Oops about what?  Unlike the official Qubes VPN documentation, which
> counsels people to write scripts that make non-atomic modifications to
> their firewall, which actually and demonstrably have a leak between
> Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> in-between the addition of iptables rules.

The qubes-firewall-user-script is a feature of Qubes firewall. And it's one of the original Qubes docs that encourage people to use it. So, yes, there is a vulnerability in Qubes firewall, and it should be noted foremost in the Known Issues for the project.

The VPN use case is probably one of the least-vulnerable examples of leakiness in Qubes firewall, because it requires multiple failures to line up in a small window. That means non-VPN use cases are probably at least as vulnerable. It's the underlying problem which is my overriding concern.

Chris
