Re: [qubes-users] detect tcp/ip connections of executables due to qubes firewall restrictions

2021-05-11 Thread Steve Coleman
On Mon, May 10, 2021, 2:57 PM 'awokd' via qubes-users <
qubes-users@googlegroups.com> wrote:

> lik...@gmx.de:
> > Hi!
> >
> > Due to the current implementation/design of qubes firewall, it's hard to
> > use domain names for firewall rules, because of "static" DNS resolution:
> > https://github.com/QubesOS/qubes-issues/issues/5225
> >
> > To find out the "connection wishes/tries" of an executable, what's the
> > recommendation to use them for firewall rules?
> >   1.  Let's assume all network access except DNS is restricted from
> > an AppVM. How can I find out which domains/IPs which executable is trying to
> > use/connect to?
> >   2. What are your best practices to find out all IPs for a domain
> > to white list them?
> >
> > Best, P
> >
> 1. netstat -pan, and/or tcpdump from somewhere networking isn't blocked.
> Might have to watch DNS requests to see what it's attempting to resolve.
> Don't know of a way to do it with networking disabled.
>

At one point in the past I was running Boinc and Thunderbird in network
restricted AppVMs. The sys-firewall was set to the default deny mode so
that I could prevent connections to anywhere except the specific servers I
gave it permissions to. I had a python script that ran tcpdump in a pipe
and read the output and then auto-generated the qubes firewall commands
needed to open the firewall, but I manually chose which addresses to
actually allow.

When the firewall blocks a packet it sends a specific ICMP packet back to
the AppVM containing the address/port that was blocked. I simply filtered
for and read those packets from tcpdump and printed the appropriate 'add'
command to stdout in a terminal so I could then copy/paste that command to
another terminal window to add the address/port once I investigated why the
requesting program might have needed that connection. It would be trivial
to add a GUI with a click-to-add button.

This could likely be done on the internal interface in sys-firewall
(untested) or in the AppVM (where you could also check which process was
using that port number, e.g. netstat -pan) depending on the trust level in
your AppVM. One could put this in a batch learning mode to collect all
these commands during a test run and then add them to the sys-firewall
permanently once verified.

As for performance, you only need to monitor it periodically if the app
stops working, like when they shift to some other round-robin server. You
could easily run it as a cron job at night to see what connections had
been tried while you were not there. There are, however, limitations on the
number of rules you can add so you might need to change individual
addresses into network blocks once you start having those resource limiting
issues. Thunderbird for instance tried to check for plug-ins at lots of
different addresses.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ5FDng%3DzSm9fDsLVbB5WjVGE7aDDJjsO8kihOzjWfFwgjQ68A%40mail.gmail.com.
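The tcpdump-to-'add'-command pipeline Steve describes above, reconstructed as an added example (this is not his script): it reads `tcpdump -n -v icmp` output, pulls the blocked destination, protocol and port out of each "admin prohibited" ICMP message and the original IP header embedded in it, and prints a de-duplicated qvm-firewall command for a human to review. The tcpdump line layout, the Qubes 4.x qvm-firewall syntax and the VM name `work` are assumptions, and the sample capture is constructed.

```python
import re
import sys

# Assumption: tcpdump runs with -n -v, so a rejected flow appears as an ICMP
# "admin prohibited" line followed by the embedded original IP header.
ICMP_RE = re.compile(r"ICMP (?:host|net) (\d+(?:\.\d+){3}) unreachable - admin prohibited")
PROTO_RE = re.compile(r"proto (TCP|UDP) \(\d+\)")
FLOW_RE = re.compile(r"\d+(?:\.\d+){3}\.\d+ > (\d+(?:\.\d+){3})\.(\d+):")

def parse_rejects(lines):
    """Yield (proto, dsthost, dstport) for every blocked connection attempt."""
    host = proto = None
    for line in lines:
        if m := ICMP_RE.search(line):                  # new reject notification
            host, proto = m.group(1), None
        elif host and (m := PROTO_RE.search(line)):    # embedded IP header
            proto = m.group(1).lower()
        elif host and (m := FLOW_RE.search(line)) and m.group(1) == host:
            yield proto or "tcp", host, int(m.group(2))  # embedded transport line
            host = proto = None

def firewall_commands(vm, lines):
    """De-duplicated qvm-firewall 'add' commands (Qubes 4.x syntax assumed)."""
    seen = set()
    for proto, host, port in parse_rejects(lines):
        if (proto, host, port) not in seen:
            seen.add((proto, host, port))
            yield f"qvm-firewall {vm} add accept dsthost={host} proto={proto} dstports={port}"

# Constructed sample of tcpdump -n -v output: a SYN to 203.0.113.10:443 (seen
# twice, to show de-duplication) and one UDP probe to 198.51.100.7:123.
SAMPLE = """\
12:00:01.000000 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 203.0.113.10 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 4242, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.43210 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 203.0.113.10 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 4243, offset 0, flags [DF], proto TCP (6), length 60)
    10.137.0.12.43211 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto ICMP (1), length 88)
    10.137.0.5 > 10.137.0.12: ICMP host 198.51.100.7 unreachable - admin prohibited, length 68
    IP (tos 0x0, ttl 63, id 4244, offset 0, flags [DF], proto UDP (17), length 60)
    10.137.0.12.51000 > 198.51.100.7.123: UDP, length 48
"""

if __name__ == "__main__":  # live use: sudo tcpdump -l -n -v icmp | python3 this.py
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for cmd in firewall_commands("work", src):
        print(cmd, flush=True)
```

Run without input it processes the constructed sample; fed from a live tcpdump pipe inside the restricted AppVM it prints one candidate command per new destination, which you still vet (as the post does) before pasting it into the firewall.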


Re: [qubes-users] detect tcp/ip connections of executables due to qubes firewall restrictions

2021-05-10 Thread 'awokd' via qubes-users

lik...@gmx.de:

Hi!

Due to the current implementation/design of qubes firewall, it's hard to use domain names 
for firewall rules, because of "static" DNS resolution:
https://github.com/QubesOS/qubes-issues/issues/5225

To find out the "connection wishes/tries" of an executable, what's the 
recommendation to use them for firewall rules?
1.  Let's assume all network access except DNS is restricted from an 
AppVM. How can I find out which domains/IPs which executable is trying to 
use/connect to?
2. What are your best practices to find out all IPs for a domain to 
white list them?

Best, P

1. netstat -pan, and/or tcpdump from somewhere networking isn't blocked. 
Might have to watch DNS requests to see what it's attempting to resolve. 
Don't know of a way to do it with networking disabled.

2. Check the vendor's documentation/KB.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



[qubes-users] detect tcp/ip connections of executables due to qubes firewall restrictions

2021-05-06 Thread liked2
Hi!

Due to the current implementation/design of qubes firewall, it's hard to use 
domain names for firewall rules, because of "static" DNS resolution:
https://github.com/QubesOS/qubes-issues/issues/5225

To find out the "connection wishes/tries" of an executable, what's the 
recommendation to use them for firewall rules?
1.  Let's assume all network access except DNS is restricted from an 
AppVM. How can I find out which domains/IPs which executable is trying to 
use/connect to?
2. What are your best practices to find out all IPs for a domain to 
white list them?

Best, P
