There is an issue that talks about the change: https://github.com/QubesOS/qubes-issues/issues/4141
They are willing to port it back to how it should be if someone does the interface to re-add those options.

Feb 14, 2019, 11:59 AM by simon.new...@gmail.com:

> On Thursday, February 14, 2019 at 11:54:28 AM UTC, simon....@gmail.com wrote:
>
>> On Thursday, February 14, 2019 at 3:54:04 AM UTC, Marek Marczykowski-Górecki wrote:
>> > On Wed, Feb 13, 2019 at 08:42:10AM -0800, simon.new...@gmail.com wrote:
>> > > In 3, if I clicked on "block connections" in the Qubes manager firewall
>> > > section, there was (if memory serves me) an option to block DNS and
>> > > ICMP.
>> > >
>> > > That is not present in R4 (though docs say you can disable DNS and ICMP
>> > > manually)
>> > >
>> > > I'm just wondering what the logic behind the removal was? I would have
>> > > thought that a general user who clicks "block connections" on Qube would
>> > > not expect the qube to be able to actually send out and receive network
>> > > packets such as DNS or ICMP. This presents information leakage scenarios
>> > > (default DNS lookups of given qube) and also potential egress vectors if
>> > > a qube is ever compromised (DNS tunnelling, ICMP tunnelling).
>> >
>> > Let me quote full text you can find on firewall tab there:
>> >
>> > NOTE: To block all network access, set Networking to (none) on the
>> > Basic settings tab. This tab provides a very simplified firewall
>> > configuration. All DNS requests and ICMP (pings) will be allowed. For
>> > more granular control, use the command line tool qvm-firewall.
>> >
>> > There is clear message what to do if you want to cut the qube from the
>> > network.
>> >
>> > --
>> > Best Regards,
>> > Marek Marczykowski-Górecki
>> > Invisible Things Lab
>> > A: Because it messes up the order in which people normally read text.
>> > Q: Why is top-posting such a bad thing?
>>
>> As I said, I understand the documentation is correct. That's not my question.
>> My question is why was it removed as an option when the firewall box itself
>> in network manager says "Deny network access except..."
>>
>> My point is it is counterintuitive. If it says "deny network access
>> except..." then there is an expectation that it will deny network access
>> except for what is specified. There used to be tick buttons (allow
>> updates/allow ICMP/allow DNS), which made it clear on the granular control
>> there - but were removed in R4. The underlying subsystems you can still do
>> that, sure.
>>
>> Can I suggest that the wording "deny network access except..." is changed to
>> "Deny TCP and UDP access except ..." for the avoidance of any doubt.
>
> https://github.com/QubesOS/qubes-manager/pull/153