On Wed, Feb 13, 2019 at 08:42:10AM -0800, simon.new...@gmail.com wrote:
> In 3, if I clicked on "block connections" in the Qubes manager firewall 
> section, there was (if memory serves me) an option to block DNS and ICMP. 
> 
> That is not present in R4 (though docs say you can disable DNS and ICMP 
> manually)
> 
> I'm just wondering what the logic behind the removal was? I would have 
> thought that a general user who clicks "block connections" on Qube would not 
> expect the qube to be able to actually send out and receive network packets 
> such as DNS or ICMP. This presents information leakage scenarios (default DNS 
> lookups of given qube) and also potential egress vectors if a qube is ever 
> compromised (DNS tunnelling, ICMP tunnelling). 

Let me quote the full text you can find on the firewall tab there:

    NOTE: To block all network access, set Networking to (none) on the
    Basic settings tab. This tab provides a very simplified firewall
    configuration. All DNS requests and ICMP (pings) will be allowed. For
    more granular control, use the command line tool qvm-firewall.

There is a clear message about what to do if you want to cut the qube off from
the network.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?