>> Hi,
>>
>> With the old format of rules for the mirage firewall I had the following
>> setup:
>>
>> ...
>> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
>>
>> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>>   [ "10.137.0.20" ;
>>     "10.137.0.21"
>>   ]
>>
>> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
>>
>> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
>>
>> let from_client = function
>>   | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
>>                                                && c#other_ip = mgmt_local -> `NAT
>>   | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
>>                                                && List.mem c#other_ip allowed_to_git -> `NAT
>> ...
>>
>> Is it possible to get the same functionality with the new rules using the
>> prefix and the lists of addresses? It would also be useful to be able to
>> block prefixes as well if that's possible.
> There are two ways to get that working. The quick way is to get the src/dst
> IP addresses from the `packet` field instead, e.g.
>
>   let externals = [
>     "192.168.1.101", `Git;
>   ]
>
>   ...
>
>   | { src = `Client _;
>       dst = `External `Git;
>       packet = `IPv4 ({Ipv4_packet.src}, _) }
>     when List.mem src allowed_to_git -> `NAT
>
> Another solution would be to edit firewall.ml to allow specifying subnets,
> not just hosts. That's a bit more work, though.

Many thanks for your help with this and for the project!

I went with the quick way for now. I now have the following rules if anyone
else finds them useful:

...
let clients = [
  "10.137.0.22", `MgmtLocal;
]

let externals = [
  "192.168.1.101", `Git;
]

let allowed_to_git = List.map Ipaddr.V4.of_string_exn
  [ "10.137.0.20"; "10.137.0.21" ]

let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"

let from_client (...
  match info with
  | { src = `Client `MgmtLocal;
      dst = `External _;
      packet = `IPv4 ({Ipv4_packet.dst}, _) }
    when Ipaddr.V4.Prefix.mem dst local_subnet -> `NAT
  | { src = `Client _;
      dst = `External `Git;
      packet = `IPv4 ({Ipv4_packet.src}, _) }
    when List.mem src allowed_to_git -> `NAT
...

This all compiled and seems to be working well.

Thanks again
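The rules above answer the subnet half of the question but not the "block prefixes" half. The following is an added, stand-alone OCaml sketch (not code from this thread or from mirage-firewall's rules.ml) of the same first-match logic with a blocked prefix inserted ahead of the broader subnet rule. It assumes only the ipaddr library; the `info` record and the `MgmtLocal / `Other / `Git / `Untagged tags are this example's own simplification of the firewall's types, and 192.168.50.0/24 is a constructed sample prefix.

```ocaml
(* Build: ocamlfind ocamlopt -package ipaddr -linkpkg rules_example.ml
   The types below are this example's own, not mirage-firewall's. *)
type src = [ `MgmtLocal | `Other ]
type dst = [ `Git | `Untagged ]
type action = [ `NAT | `Drop of string ]
type info = { src : src; dst : dst; ip_src : Ipaddr.V4.t; ip_dst : Ipaddr.V4.t }

let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"

(* Constructed sample: a prefix inside local_subnet that the management
   VM must not reach. *)
let blocked_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.50.0/24"

let allowed_to_git =
  List.map Ipaddr.V4.of_string_exn [ "10.137.0.20"; "10.137.0.21" ]

(* Rules are tried top to bottom and the first match decides, so the
   narrower block rule has to come before the broader NAT rule for
   local_subnet; swapping the first two cases would silently allow
   traffic into blocked_subnet. *)
let from_client : info -> action = function
  | { src = `MgmtLocal; ip_dst; _ }
    when Ipaddr.V4.Prefix.mem ip_dst blocked_subnet -> `Drop "blocked prefix"
  | { src = `MgmtLocal; ip_dst; _ }
    when Ipaddr.V4.Prefix.mem ip_dst local_subnet -> `NAT
  | { dst = `Git; ip_src; _ }
    when List.mem ip_src allowed_to_git -> `NAT
  | _ -> `Drop "default-deny"

(* Constructed packets exercising each branch. *)
let () =
  let ip = Ipaddr.V4.of_string_exn in
  let decide src dst ip_src ip_dst = from_client { src; dst; ip_src; ip_dst } in
  let mgmt = ip "10.137.0.22" and git = ip "192.168.1.101" in
  assert (decide `MgmtLocal `Untagged mgmt (ip "192.168.1.5") = `NAT);
  assert (decide `MgmtLocal `Untagged mgmt (ip "192.168.50.7") = `Drop "blocked prefix");
  assert (decide `Other `Git (ip "10.137.0.20") git = `NAT);
  assert (decide `Other `Git (ip "10.137.0.99") git = `Drop "default-deny");
  print_endline "all rule checks passed"
```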