On Sat, Mar 09, 2019 at 01:23:03PM +0100, David Hobach wrote:
> On 3/9/19 2:58 AM, unman wrote:
> > On Fri, Mar 08, 2019 at 08:07:46PM +0100, Zrubi wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > On 3/8/19 3:28 PM, [email protected] wrote:
> > > > I'm trying to setup an appvm like this:
> > > >
> > > > appvm -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
> > > >
> > > > I want to tighten the firewall rules and do a deny policy. How can
> > > > I get a log of dropped firewall packet logs from appvm_firewall or
> > > > vpn_firewall? I've tried a few different iptables commands but I
> > > > haven't really had any success.
>
> From my point of view the "Qubes way" of doing this would be something like
> appvm -> logging VM -> appvm_firewall -> vpn -> vpn_firewall -> sys-net
>
> You can accomplish this in a rather straightforward way by using a proxy VM
> with your preferred logging mechanism (sflow, iptables, tcpdump, some IDS,
> ...). Also see [1], "Network service qubes".
>
> For iptables you'd require at least one rule in that proxy VM which enables
> logging. It should be stored inside /rw/config/rc.local [1].
>
> If you're looking for drops only, this is somewhat more complicated because
> with the above, you'd just log everything.
> You can however do filtering or log only ICMP replies (Qubes will send an
> ICMP reply on rejected packages) and/or TCP handshakes that weren't
> completed.
>
> Of course you can also go with the other proposal by unman and modify the
> Qubes firewall inside appvm_firewall. This however has the various drawbacks
> mentioned inside [1], "Network service qubes". Mistakes there can be costly
> even if the modification is rather easy for advanced users.
>
> [1] https://www.qubes-os.org/doc/firewall/
>
I don't think this would be "a rather straightforward way". The reason is, of course, that using a proxyVM would mean that packets would be masqueraded when they reach appvm_firewall, so that appropriate rules would not be set. Also, of course, the native Qubes firewall structure would not apply.

I'm not saying that such a set-up could not be effected, but it would not be straightforward and would require manual setting of forwarding *and* firewall rules.

On balance, I continue to think that it would be easier to place logging rules in the appvm_firewall and vpn_firewall.

If the OP comes back and provides details of what rules they have, and what they want to test, we could make some progress.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190310012750.gzh2z75q6nv6cjdh%40thirdeyesecurity.org.
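The thread leaves the actual logging rules unstated. What follows is an added example written for this page; it is not code from the original posts nor from the Qubes project. It puts the two ideas raised above into one script intended for /rw/config/rc.local of a firewall qube (the file David points at): a rate-limited LOG of every new connection attempt arriving from a downstream qube, and a LOG of the ICMP destination-unreachable replies the firewall qube itself generates for rejected packets (the "ICMP reply on rejected packets" David mentions), plus an awk summary of the resulting kernel log lines. It assumes downstream qubes are attached on vif+ interfaces, that rejections are answered with ICMP type 3, and that the log is read back from the kernel log (journalctl -k or dmesg); the QFW-DROP prefix, the interface and address values, and the sample log lines are constructed for illustration and not taken from any real system.

```shell
#!/bin/sh
# Added example for the qubes-users thread above; not code from the posts or
# from Qubes OS. Assumptions: downstream qubes sit on vif+ interfaces, the
# firewall answers rejected packets with ICMP type 3 (destination
# unreachable), and log lines come from the kernel log. Interface names,
# addresses and the QFW-DROP prefix are illustrative.

LOG_PREFIX="QFW-DROP: "

# Emit the iptables commands instead of running them, so they can be reviewed
# before being pasted into /rw/config/rc.local (or applied via qfw_apply).
qfw_log_rules() {
    lim="-m limit --limit 10/min --limit-burst 20"   # a port scan must not flood the log
    log="-j LOG --log-level 4 --log-prefix"
    # 1. Every new forwarded connection attempt from a downstream qube. Verify
    #    with 'iptables -L FORWARD -nv --line-numbers' that this rule sits before
    #    the Qubes-managed chains; rules placed after a REJECT never fire.
    printf '%s\n' "iptables -I FORWARD 1 -i vif+ -m conntrack --ctstate NEW $lim $log \"${LOG_PREFIX}NEW \""
    # 2. ICMP destination-unreachable replies this qube generates towards a
    #    downstream qube. A REJECT target emits one per rejected packet, and it
    #    embeds the rejected packet's header, so this catches rejections
    #    regardless of where the REJECT rule sits. A plain DROP produces no
    #    reply and is only visible through rule 1.
    printf '%s\n' "iptables -I OUTPUT 1 -o vif+ -p icmp --icmp-type 3 $lim $log \"${LOG_PREFIX}REJECT \""
}

# Apply the rules above (run as root inside the firewall qube).
qfw_apply() {
    qfw_log_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

# Count log lines per tag, source, destination, protocol and destination port.
# On the ICMP error lines the embedded original header ("[SRC=... ]") comes
# last, so "last value wins" yields the rejected packet rather than the reply.
qfw_summarize() {
    grep -F "$LOG_PREFIX" | awk -v pfx="${LOG_PREFIX% }" '
    {
        tag = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            f = $i
            sub(/^\[/, "", f)                 # strip the "[" of the ICMP payload
            if (f == pfx)           tag   = $(i + 1)
            else if (f ~ /^SRC=/)   src   = substr(f, 5)
            else if (f ~ /^DST=/)   dst   = substr(f, 5)
            else if (f ~ /^PROTO=/) proto = substr(f, 7)
            else if (f ~ /^DPT=/)   dpt   = substr(f, 5)
        }
        if (tag != "") count[tag " " src " -> " dst " " proto "/" dpt]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed, abridged sample of what the two rules log (not captured from a
# real system): two rejected attempts to 192.0.2.10:443 and one DNS query.
qfw_sample_log() {
    cat <<'EOF'
Mar 10 01:27:50 appvm-fw kernel: QFW-DROP: NEW IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=43210 DPT=443 SYN
Mar 10 01:27:50 appvm-fw kernel: QFW-DROP: REJECT IN= OUT=vif5.0 SRC=10.137.0.6 DST=10.137.0.20 LEN=88 TTL=64 PROTO=ICMP TYPE=3 CODE=13 [SRC=10.137.0.20 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=43210 DPT=443 SYN ]
Mar 10 01:27:51 appvm-fw kernel: QFW-DROP: NEW IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=43211 DPT=443 SYN
Mar 10 01:27:51 appvm-fw kernel: QFW-DROP: REJECT IN= OUT=vif5.0 SRC=10.137.0.6 DST=10.137.0.20 LEN=88 TTL=64 PROTO=ICMP TYPE=3 CODE=13 [SRC=10.137.0.20 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=43211 DPT=443 SYN ]
Mar 10 01:27:52 appvm-fw kernel: QFW-DROP: NEW IN=vif5.0 OUT=eth0 SRC=10.137.0.20 DST=192.0.2.53 LEN=60 TTL=63 PROTO=UDP SPT=51000 DPT=53 LEN=40
EOF
}

case "${1:-}" in
    apply)     qfw_apply ;;
    summarize) qfw_summarize ;;   # e.g. journalctl -k --no-pager | sh qfw.sh summarize
    *)         qfw_log_rules; echo; qfw_sample_log | qfw_summarize ;;
esac
```

Without arguments the script only prints the two rules and the summary of the constructed sample; `apply` installs the rules and `summarize` reads log lines on stdin. Rule 2 is the one that reliably answers the original question for a reject policy, because it does not depend on where the Qubes firewall places its own chains; rule 1 is what you need if your policy ends in DROP rather than REJECT, and then its position relative to the Qubes-managed chains has to be checked after every boot.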
