-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>> Hi,
>> With the old format of rules for the mirage firewall I had the following 
>> setup:
>> ...
>> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
>>
>> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>>   [ "10.137.0.20" ;
>>     "10.137.0.21"
>>   ]
>>
>>
>> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
>>
>> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
>>
>> let from_client = function
>>   | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e 
>> local_subnet
>>     && c#other_ip = mgmt_local -> `NAT
>>   | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
>>     && List.mem c#other_ip allowed_to_git -> `NAT
>> ...
>>
>> Is it possible to get the same functionality with the new rules using the 
>> prefix
>> and the lists of addresses? It would also be useful to be able to block 
>> prefixes
>> as well if that's possible.

> There are two ways to get that working. The quick way is to get the src/dst 
> IP addresses from the `packet` field instead, e.g.
>
> let externals = [
> "192.168.1.101", `Git;
> ]
>
> ...
>
> | { src = `Client _;
> dst = `External `Git;
> packet = `IPv4 ({Ipv4_packet.src}, _)}
> when List.mem src allowed_to_git -> `NAT
>
> Another solution would be to edit firewall.ml to allow specifying subnets, 
> not just hosts. That's a bit more work, though.

Many thanks for your help with this and for the project!
I went with the quick way for now.
I now have the following rules, in case anyone else finds them useful:

...
(* Client VMs referred to by tag: each entry pairs an address string with
   the tag that [from_client] matches on ([`Client `MgmtLocal] below). *)
let clients =
  [ ("10.137.0.22", `MgmtLocal) ]

(* External hosts referred to by tag: the git server's address is tagged
   [`Git] so the rule in [from_client] can match [dst = `External `Git]. *)
let externals =
  [ ("192.168.1.101", `Git) ]

(* Client addresses permitted to reach the [`Git] host.  Parsed eagerly with
   [of_string_exn], so a malformed entry raises at module initialisation
   rather than when a packet arrives.
   [from_client] compares these against the source field of the IPv4 header,
   not against the client tag -- NOTE(review): this is only as strong as the
   firewall's own check that a client sends from its assigned address;
   confirm in the firewall's client-handling code. *)
let allowed_to_git =
  [ "10.137.0.20"; "10.137.0.21" ]
  |> List.map Ipaddr.V4.of_string_exn

(* Prefix the [`MgmtLocal] client may reach via NAT (see [from_client]).
   A /16 is broad: it covers every 192.168.x.y host, including the git
   server listed in [externals]. *)
let local_subnet =
  "192.168.0.0/16" |> Ipaddr.V4.Prefix.of_string_exn

let from_client (...
  match info with
    | { src = `Client `MgmtLocal; dst = `External _; packet = `IPv4 
({Ipv4_packet.dst}, _) }
      when Ipaddr.V4.Prefix.mem dst local_subnet -> `NAT
    | {src = `Client _; dst = `External `Git; packet = `IPv4 
({Ipv4_packet.src}, _) }
      when List.mem src allowed_to_git -> `NAT
...

This all compiled and seems to be working well.
Thanks again
-----BEGIN PGP SIGNATURE-----

iIgEARMKADAWIQRFNnsoPo7HH0XEMXc88cBGMbAIWAUCXSPR6RIccHJhZ29AdHV0
YW5vdGEuZGUACgkQPPHARjGwCFgMagD+I396tJHqYi94dCOT1hDanLHojr0NIJsz
nXqKCzr3CfgA/3N0UcEPddAyuW3TlXlui74CYr9MHQxTUCR3I1cl5yXx
=637A
-----END PGP SIGNATURE-----
