Jean-Philippe Ouellet
f07f98474f
Properly handle from-0.0.0.0/0 for whole internet
For rules like this:
[user@dom0 ~]$ qvm-static-ip -g net-testing static_ip
192.168.1.123
[user@dom0 ~]$ qvm-firewall -l net-testing
Firewall policy: DENY all traffic except
ICMP: ALLOW
DNS: ALLOW
Qubes yum proxy: DENY
-----+---------------------+-------+---------+
num | address | proto | port(s) |
-----+---------------------+-------+---------+
1 | from-0.0.0.0/0 | tcp | http |
2 | from-0.0.0.0/0 | tcp | https |
3 | 192.30.252.0/22 | tcp | https |
4 | from-192.168.1.0/24 | tcp | ssh |
The following rules are observed before & after this patch (only
differing rules shown):
sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before:
-A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT
-A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT
-A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT
after:
-A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT
-A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT
-A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT
sys-firewall iptables-save before:
-A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
-A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT
net-testing iptables-save before:
-A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
-A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT
sys-net: No changes.
Note that this also fixes an issue where the netmask in from- rules was
being applied to -d instead of -s.
2017-03-15 05:48:46 -04:00
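The address translation the commit message describes, reconstructed as an added illustration that is not the Qubes project's code: `translate_before` reproduces the pre-patch qubesdb rules shown above, `translate_after` the post-patch ones, and `rule_matches` is a constructed checker for the -s/-d parts only (not iptables). `DEST_IP` is the static IP quoted on the page; the function names are hypothetical.

```python
import ipaddress

DEST_IP = "192.168.1.123"  # static IP of net-testing, taken from the page

def _split(address):
    # A 'from-' prefix marks a source restriction; a bare address restricts the destination.
    is_from = address.startswith("from-")
    ip, _, mask = (address[5:] if is_from else address).partition("/")
    return is_from, ip, mask

def translate_before(address, proto, port):
    """Pre-patch behaviour reproduced from the commit message: the netmask of a
    from- rule lands on -d, and from-0.0.0.0/0 is emitted as the single host 0.0.0.0."""
    is_from, ip, mask = _split(address)
    if is_from:
        dst = f"{DEST_IP}/{mask}" if mask else DEST_IP
        return f"-A PR-QBS-FORWARD -s {ip} -d {dst} -p {proto} --dport {port} -j ACCEPT"
    return f"-A PR-QBS-FORWARD -d {address} -p {proto} --dport {port} -j ACCEPT"

def translate_after(address, proto, port):
    """Patched behaviour: the netmask stays on -s, and a /0 source (whole
    internet) is expressed by omitting -s entirely."""
    is_from, ip, mask = _split(address)
    parts = ["-A PR-QBS-FORWARD"]
    if is_from:
        net = ipaddress.ip_network(f"{ip}/{mask or 32}", strict=False)
        if net.prefixlen > 0:  # 0.0.0.0/0 matches every source, so no -s is needed
            parts.append(f"-s {ip}/{mask}" if mask else f"-s {ip}")
        parts.append(f"-d {DEST_IP}")
    else:
        parts.append(f"-d {address}")
    parts.append(f"-p {proto} --dport {port} -j ACCEPT")
    return " ".join(parts)

def rule_matches(rule, src_ip, dst_ip):
    """Constructed checker: do the rule's -s/-d parts (only) match this src/dst pair?
    A bare address is treated as a /32, which is how iptables-save renders it."""
    tokens = rule.split()
    for flag, ip in (("-s", src_ip), ("-d", dst_ip)):
        if flag in tokens:
            spec = tokens[tokens.index(flag) + 1]
            net = ipaddress.ip_network(spec if "/" in spec else f"{spec}/32", strict=False)
            if ipaddress.ip_address(ip) not in net:
                return False
    return True
```

Run against a constructed packet from 203.0.113.5, the pre-patch http rule matches nothing (the -s 0.0.0.0/32 host never appears as a real source), while the patched rule admits it.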