gaschz/qubes-network-server
1
0
Fork 0
mirror of https://github.com/Rudd-O/qubes-network-server.git synced 2025-06-06 18:08:33 +02:00
Code Issues Packages Projects Releases Wiki Activity
22 Commits 4 Branches 23 Tags
Commit Graph

22 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jean-Philippe Ouellet
f07f98474f
Properly handle from-0.0.0.0/0 for whole internet 
For rules like this:
    [user@dom0 ~]$ qvm-static-ip -g net-testing static_ip
    192.168.1.123
    [user@dom0 ~]$ qvm-firewall -l net-testing
    Firewall policy: DENY all traffic except
    ICMP: ALLOW
    DNS: ALLOW
    Qubes yum proxy: DENY
    -----+---------------------+-------+---------+
     num |       address       | proto | port(s) |
    -----+---------------------+-------+---------+
      1  | from-0.0.0.0/0      | tcp   | http    |
      2  | from-0.0.0.0/0      | tcp   | https   |
      3  | 192.30.252.0/22     | tcp   | https   |
      4  | from-192.168.1.0/24 | tcp   | ssh     |

The following rules are observed before & after this patch (only
differing rules shown):

sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before:
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT

sys-firewall iptables-save before:
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

net-testing iptables-save before:
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

sys-net: No changes.

Note that this also fixes an issue where the netmask in from- rules was
being applied to -d instead of -s.
 2017-03-15 05:48:46 -04:00
Jean-Philippe Ouellet
e473e5e10c
Restructure as proper component for qubes-builder 
Also bumps version to 0.0.7.

No intentional functional change.
 2017-03-14 05:57:32 -04:00
Manuel Amador (Rudd-O)
3847a37456 Install instructions made even more detailed. v0.0.6 2016-11-06 00:24:29 +00:00
Manuel Amador (Rudd-O)
6e6a02fdf2 Note that users of rpmbuild should install rpm-build. Bump version. 2016-11-06 00:19:33 +00:00
Manuel Amador (Rudd-O)
5bdbdab221 Update the documentation. 2016-11-06 00:11:14 +00:00
Manuel Amador (Rudd-O)
ce7f2722fc Requires and BuildRequires corrected. Bump version. v0.0.5 2016-11-06 00:03:20 +00:00
Manuel Amador (Rudd-O)
0ab541f837 theory of operation added 2016-10-13 13:40:55 +00:00
Manuel Amador (Rudd-O)
83afb8c2ef Bump version v0.0.4 2016-10-12 20:21:30 +00:00
Manuel Amador (Rudd-O)
76835f8f6b Add build number specification for spec file. 2016-10-12 20:21:11 +00:00
Manuel Amador (Rudd-O)
644763bbba Improvements to docs. 2016-10-12 17:21:24 +00:00
Manuel Amador (Rudd-O)
d88a8f9d12 Add more TODO notes. 2016-10-12 17:09:10 +00:00
Manuel Amador (Rudd-O)
6a442e9cb8 Documentation improvements. 2016-10-12 17:03:13 +00:00
Manuel Amador (Rudd-O)
a334edaf64 More to-do items. 2016-10-12 15:36:30 +00:00
Manuel Amador (Rudd-O)
e123b90b7e Bump version v0.0.3 2016-10-11 22:42:32 +00:00
Manuel Amador (Rudd-O)
8f66a0c5c1 Do not run spurious commands that are empty. 2016-10-11 22:42:20 +00:00
Manuel Amador (Rudd-O)
7cdbfb43b6 add more to the readme 2016-10-11 20:25:32 +00:00
Manuel Amador (Rudd-O)
8804ef4796 Doc updates 2016-10-11 19:31:01 +00:00
Manuel Amador (Rudd-O)
543e4c92ea Bump version v0.0.2 2016-10-11 19:28:16 +00:00
Manuel Amador (Rudd-O)
0b7e9cddaf Noarch. 2016-10-11 19:27:54 +00:00
Manuel Amador (Rudd-O)
6244ae6ea5 To-do list added 2016-10-11 19:27:48 +00:00
Manuel Amador (Rudd-O)
fbddb85b97 More documentation. v0.0.1 2016-10-11 19:20:10 +00:00
Manuel Amador (Rudd-O)
7ad6b81670 Initial commit. 2016-10-11 19:06:09 +00:00