On 3/9/19 2:58 AM, unman wrote:
On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
On 3/8/19 3:28 PM, [email protected] wrote:

I'm trying to set up an appvm like this:
appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

I want to tighten the firewall rules and do a deny policy. How can I get a log of dropped firewall packet logs from appvm_firewall or vpn_firewall? I've tried a few different iptables commands but I haven't really had any success.

From my point of view the "Qubes way" of doing this would be something like
appvm -> logging VM -> appvm_firewall -> vpn -> vpn_firewall -> sys-net

You can accomplish this in a rather straightforward way by using a proxy VM with your preferred logging mechanism (sflow, iptables, tcpdump, some IDS, ...). Also see [1], "Network service qubes".
For iptables you'd require at least one rule in that proxy VM which enables logging. It should be stored inside /rw/config/rc.local [1].
If you're looking for drops only, this is somewhat more complicated because with the above, you'd just log everything. You can however do filtering or log only ICMP replies (Qubes will send an ICMP reply on rejected packages) and/or TCP handshakes that weren't completed.
Of course you can also go with the other proposal by unman and modify the Qubes firewall inside appvm_firewall. This however has the various drawbacks mentioned inside [1], "Network service qubes". Mistakes there can be costly even if the modification is rather easy for advanced users.
[1] https://www.qubes-os.org/doc/firewall/
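The filtering suggested in the message above (log everything in the logging VM, then look for ICMP replies and TCP handshakes that never completed), as an added example that is not part of the original thread. The log lines are constructed and trimmed to the relevant fields of the kernel's iptables LOG format; the `fwlog: ` prefix, the addresses and the function names are assumptions.

```python
import re

# Constructed sample, as a logging VM between appvm and appvm_firewall might record it.
SAMPLE = """\
kernel: fwlog: IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: fwlog: IN=eth0 OUT=vif5.0 SRC=203.0.113.10 DST=10.137.0.20 LEN=60 TTL=50 PROTO=TCP SPT=443 DPT=40001 WINDOW=65160 RES=0x00 ACK SYN URGP=0
kernel: fwlog: IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=40002 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: fwlog: IN=eth0 OUT=vif5.0 SRC=10.137.0.1 DST=10.137.0.20 LEN=88 TTL=64 PROTO=ICMP TYPE=3 CODE=13 [SRC=10.137.0.20 DST=198.51.100.7 LEN=60 TTL=62 PROTO=TCP SPT=40002 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 ]
kernel: fwlog: IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=192.0.2.99 LEN=60 TTL=63 PROTO=TCP SPT=40003 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
FLAG = re.compile(r"\b(SYN|ACK|RST|FIN)\b")


def parse(line):
    """Split a LOG line into outer header fields, TCP flags and, for ICMP
    errors, the bracketed header of the packet that triggered the error."""
    outer, _, inner = line.partition("[")
    fields = dict(FIELD.findall(outer))
    fields["flags"] = set(FLAG.findall(outer))
    fields["inner"] = dict(FIELD.findall(inner)) if inner else None
    return fields


def probable_drops(log_text):
    """Map (src, sport, dst, dport) to the reason the flow looks dropped."""
    pending = {}
    for line in log_text.splitlines():
        f = parse(line)
        proto = f.get("PROTO")
        if proto == "TCP" and f["flags"] == {"SYN"}:
            # Handshake opened; suspect until a SYN-ACK comes back.
            key = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
            pending.setdefault(key, "no SYN-ACK seen")
        elif proto == "TCP" and {"SYN", "ACK"} <= f["flags"]:
            # SYN-ACK travels in the reverse direction, so swap the endpoints.
            pending.pop((f["DST"], f["DPT"], f["SRC"], f["SPT"]), None)
        elif proto == "ICMP" and f.get("TYPE") == "3" and f["inner"]:
            # Destination unreachable: the rejected packet is quoted in brackets.
            i = f["inner"]
            key = (i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT"))
            pending[key] = f"rejected: ICMP type 3 code {f.get('CODE')} from {f['SRC']}"
    return pending
```

A flow reported as "no SYN-ACK seen" may also be a handshake still in flight when the log was cut, so treat it as a candidate rather than proof of a drop.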
