On Saturday, July 6, 2019 at 6:09:52 AM UTC+1, pr...@tutanota.de wrote:
> Hi,
> 
> With the old format of rules for the mirage firewall I had the following 
> setup:
> 
> ...
> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
> 
> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>   [ "10.137.0.20" ;
>     "10.137.0.21"
>   ]
> 
> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
> 
> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
> 
> let from_client = function
>   | { src = `Client c; dst = `External e }
>     when Ipaddr.Prefix.mem e local_subnet && c#other_ip = mgmt_local -> `NAT
>   | { src = `Client c; dst = `External e }
>     when e = Ipaddr.V4 git_addr && List.mem c#other_ip allowed_to_git -> `NAT
> ...
> 
> Is it possible to get the same functionality with the new rules using the
> prefix and the lists of addresses? It would also be useful to be able to
> block prefixes as well if that's possible.

There are two ways to get that working. The quick way is to get the src/dst IP 
addresses from the `packet` field instead, e.g.

let externals = [
  "192.168.1.101", `Git;
]

...

  | { src = `Client _;
      dst = `External `Git;
      packet = `IPv4 ({Ipv4_packet.src}, _)}
    when List.mem src allowed_to_git -> `NAT

Another solution would be to edit firewall.ml to allow specifying subnets, not 
just hosts. That's a bit more work, though.
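Both of the checks from the original setup (the management host into the local subnet, and the allow-list for the git host) written in the `packet`-based form the reply suggests, as an added example, not code from this thread or from qubes-mirage-firewall. It assumes the `src`/`dst`/`packet` record shape shown in the reply; the `Ipv4_packet` stand-in, the `classify_external` helper and the sample packets are constructed here so the rule can be tried in `utop` with only the `ipaddr` library.

```ocaml
(* Added example: a self-contained model of the rule, not the firewall's own code. *)

(* Stand-in for the tcpip Ipv4_packet header record (only the fields used here). *)
module Ipv4_packet = struct
  type t = { src : Ipaddr.V4.t; dst : Ipaddr.V4.t }
end

(* Rule input as used in the reply: src/dst classification plus the raw packet. *)
type ('src, 'dst) packet = {
  src : 'src;
  dst : 'dst;
  packet : [ `IPv4 of Ipv4_packet.t * unit ];
}

let git_addr       = Ipaddr.V4.of_string_exn "192.168.1.101"
let local_subnet   = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"
let mgmt_local     = Ipaddr.V4.of_string_exn "10.137.0.22"
let allowed_to_git = List.map Ipaddr.V4.of_string_exn [ "10.137.0.20"; "10.137.0.21" ]

(* Tagged externals as in the reply; unlisted destinations are tagged `Other. *)
let externals = [ git_addr, `Git ]
let classify_external ip =
  match List.assoc_opt ip externals with Some tag -> tag | None -> `Other

(* Decisions are taken on the addresses in the IPv4 header carried in [packet].
   A prefix can be matched (or blocked) the same way with Ipaddr.V4.Prefix.mem. *)
let from_client = function
  | { src = `Client; dst = `External `Git;
      packet = `IPv4 ({ Ipv4_packet.src; _ }, ()) }
    when List.mem src allowed_to_git -> `NAT
  | { src = `Client; dst = `External _;
      packet = `IPv4 ({ Ipv4_packet.src; dst }, ()) }
    when Ipaddr.V4.Prefix.mem dst local_subnet && src = mgmt_local -> `NAT
  | _ -> `Drop "not allowed"

(* Constructed sample packets for checking the rule. *)
let mk src dst =
  let src = Ipaddr.V4.of_string_exn src and dst = Ipaddr.V4.of_string_exn dst in
  { src = `Client; dst = `External (classify_external dst);
    packet = `IPv4 ({ Ipv4_packet.src; dst }, ()) }

let () =
  assert (from_client (mk "10.137.0.20" "192.168.1.101") = `NAT);
  assert (from_client (mk "10.137.0.22" "192.168.1.50") = `NAT);
  assert (from_client (mk "10.137.0.23" "192.168.1.101") = `Drop "not allowed");
  assert (from_client (mk "10.137.0.20" "192.168.1.50") = `Drop "not allowed")
```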
