Jean-Philippe Ouellet f07f98474f
Properly handle from-0.0.0.0/0 for whole internet
For rules like this:
    [user@dom0 ~]$ qvm-static-ip -g net-testing static_ip
    192.168.1.123
    [user@dom0 ~]$ qvm-firewall -l net-testing
    Firewall policy: DENY all traffic except
    ICMP: ALLOW
    DNS: ALLOW
    Qubes yum proxy: DENY
    -----+---------------------+-------+---------+
     num |       address       | proto | port(s) |
    -----+---------------------+-------+---------+
      1  | from-0.0.0.0/0      | tcp   | http    |
      2  | from-0.0.0.0/0      | tcp   | https   |
      3  | 192.30.252.0/22     | tcp   | https   |
      4  | from-192.168.1.0/24 | tcp   | ssh     |

The following rules are observed before & after this patch (only
differing rules shown):

sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before:
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT

sys-firewall iptables-save before:
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

net-testing iptables-save before:
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

sys-net: No changes.

Note that this also fixes an issue where the netmask in from- rules was
being applied to -d instead of -s.
2017-03-15 05:48:46 -04:00
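To make the defect described above concrete, the following is an added example (not the Qubes project's own code) that models how a `from-` rule address is turned into an iptables rule, with a `fixed=False` path that reproduces the pre-patch strings quoted in the commit message and a `fixed=True` path that reproduces the post-patch ones. The `rule_matches` helper then evaluates a rendered rule against a sample packet using iptables' address semantics (a bare address is a /32 host, `host/prefix` is normalised to its network), which shows why the old `-s 0.0.0.0 -d 192.168.1.123/0` rule could never match real inbound traffic. The chain name and the VM IP come from the commit message; the `from-` prefix handling, the function names and the sample packets are assumptions for illustration.

```python
"""Illustrative model of Qubes firewall rule -> iptables rendering.

This is example code written for this page, NOT the Qubes project's own
implementation. It reproduces the before/after strings quoted in the
commit message to show where the netmask was misapplied.
"""
import ipaddress
import shlex

CHAIN = "PR-QBS-FORWARD"  # chain name taken from the commit message


def parse_address(address):
    """Split a rule address into (is_from, network).

    Assumed semantics: a 'from-X' address constrains the *source* of inbound
    traffic to the VM; a plain address constrains the *destination* of
    outbound traffic (unchanged by the patch).
    """
    if address.startswith("from-"):
        return True, address[len("from-"):]
    return False, address


def render_rule(address, vm_ip, proto, dport, fixed=True):
    """Render one iptables rule for a Qubes firewall rule.

    fixed=False reproduces the pre-patch output shown in the commit message
    (netmask attached to -d, 0.0.0.0 kept as a literal host source);
    fixed=True reproduces the post-patch output.
    """
    is_from, net = parse_address(address)
    if not is_from:
        # Outbound rule: the listed network is the destination.
        match = f"-d {net}"
    else:
        host, _, mask = net.partition("/")
        if not fixed:
            # BUG: the mask belongs to the source network but lands on -d,
            # and 0.0.0.0 is emitted as a single-host source.
            dst = f"{vm_ip}/{mask}" if mask else vm_ip
            match = f"-s {host} -d {dst}"
        else:
            src_net = ipaddress.ip_network(net, strict=False)
            if src_net.prefixlen == 0:
                # 0.0.0.0/0 means "whole internet": drop the -s match entirely.
                match = f"-d {vm_ip}"
            else:
                match = f"-s {src_net} -d {vm_ip}"
    return f"-A {CHAIN} {match} -p {proto} --dport {dport} -j ACCEPT"


def rule_matches(rule, src_ip, dst_ip):
    """Would this rendered rule match a packet src_ip -> dst_ip?

    Follows iptables address semantics: a bare address is a /32 host, and
    'host/prefix' is normalised to its network (192.168.1.123/24 becomes
    192.168.1.0/24, 192.168.1.123/0 becomes 0.0.0.0/0). Protocol/port are
    assumed to match; only -s and -d are evaluated here.
    """
    tokens = shlex.split(rule)
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for flag, ip in (("-s", src), ("-d", dst)):
        if flag in tokens:
            net = ipaddress.ip_network(tokens[tokens.index(flag) + 1], strict=False)
            if ip not in net:
                return False
    return True


def demo(vm_ip="192.168.1.123"):
    """Return (rule, matches) pairs for the two from- rules in the commit.

    The packets are constructed samples: one from an arbitrary internet host
    (203.0.113.5) to the http rule, one from a LAN host (192.168.1.50) to the
    ssh rule.
    """
    cases = [
        ("from-0.0.0.0/0", 80, "203.0.113.5"),
        ("from-192.168.1.0/24", 22, "192.168.1.50"),
    ]
    results = []
    for address, port, src in cases:
        for fixed in (False, True):
            rule = render_rule(address, vm_ip, "tcp", port, fixed=fixed)
            results.append((fixed, rule, rule_matches(rule, src, vm_ip)))
    return results


if __name__ == "__main__":
    for fixed, rule, ok in demo():
        print("after " if fixed else "before", "match" if ok else "NO MATCH", rule)
```

Running it shows both pre-patch rules failing to match their intended packets while the post-patch rules match: the old output was not "too permissive", it silently admitted nothing, since `-s 0.0.0.0` is a single host and the misplaced `/0` on `-d` only widened a destination that was already meant to be the VM itself.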
