New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firewall editor improvements #113

Closed
marmarek opened this Issue Mar 8, 2015 · 10 comments

Comments

Projects
None yet
1 participant
@marmarek
Member

marmarek commented Mar 8, 2015

Reported by joanna on 15 Mar 2011 23:43 UTC

  • Allow to set "anywhere" in the host field (e.g. to allow/deny all HTTPS traffic to any host) -- perhaps this could be done by a checkbox next to the host field ("any host")?
  • Allow to specify netmask in the host/ip field (e.g. /24) if host is specified as IP rather than as a hostname.
  • Add a checkbox for allowing/denying ICMP traffic (next to the checkbox for DNS traffic on the bottom).

Migrated-From: https://wiki.qubes-os.org/ticket/113

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 15 Mar 2011 23:44 UTC
Plus some more polish of the FW editor -- e.g. when I click on the edit button but no rule is selected I get an exception!

Member

marmarek commented Mar 8, 2015

Comment by joanna on 15 Mar 2011 23:44 UTC
Plus some more polish of the FW editor -- e.g. when I click on the edit button but no rule is selected I get an exception!

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 16 Mar 2011 13:50 UTC
Rules editor button should be disabled also if a selected domain is not using ProxyVM as netvm.

Member

marmarek commented Mar 8, 2015

Comment by smoku on 16 Mar 2011 13:50 UTC
Rules editor button should be disabled also if a selected domain is not using ProxyVM as netvm.

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 17 Mar 2011 21:43 UTC
Plus, all the functionality discussed in this thread:

https://groups.google.com/group/qubes-devel/browse_thread/thread/e82a35c42af1d56c#

Member

marmarek commented Mar 8, 2015

Comment by joanna on 17 Mar 2011 21:43 UTC
Plus, all the functionality discussed in this thread:

https://groups.google.com/group/qubes-devel/browse_thread/thread/e82a35c42af1d56c#

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 21 Mar 2011 21:04 UTC
I implemented the "anywhere" hostname by implementing "" as allowed hostname.
'anywhere' is a valid hostname and should not be special. Also in my opinion "
" is more intuitive.

I replaced the address field with combobox, that has some suggestions for allowable addresses (similarly like the service port combobox).

I also implemented wildcard "*" port that matches the whole host.
And also port ranges in format like: 22-123, which is also hinted in the service combo dropdown.

Backend already supported port ranges, so this all is implemented in UI (firewall.py) only, and there are no magic strings in the firewall.xml and core classes implementation.

Member

marmarek commented Mar 8, 2015

Comment by smoku on 21 Mar 2011 21:04 UTC
I implemented the "anywhere" hostname by implementing "" as allowed hostname.
'anywhere' is a valid hostname and should not be special. Also in my opinion "
" is more intuitive.

I replaced the address field with combobox, that has some suggestions for allowable addresses (similarly like the service port combobox).

I also implemented wildcard "*" port that matches the whole host.
And also port ranges in format like: 22-123, which is also hinted in the service combo dropdown.

Backend already supported port ranges, so this all is implemented in UI (firewall.py) only, and there are no magic strings in the firewall.xml and core classes implementation.

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 21 Mar 2011 21:06 UTC
"Allow ICMP traffic" checkbox requires changes in core backend, though.

Member

marmarek commented Mar 8, 2015

Comment by smoku on 21 Mar 2011 21:06 UTC
"Allow ICMP traffic" checkbox requires changes in core backend, though.

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 21 Mar 2011 21:14 UTC
Replying to smoku:

Rules editor button should be disabled also if a selected domain is not using ProxyVM as netvm.

Joanna, do we want to do this?
The FW rules are assigned to a VM no matter whether it is connected to a FwVM or not.
We may want to edit the firewall rules on a disconnected VM and then connect it to FwVM.

Member

marmarek commented Mar 8, 2015

Comment by smoku on 21 Mar 2011 21:14 UTC
Replying to smoku:

Rules editor button should be disabled also if a selected domain is not using ProxyVM as netvm.

Joanna, do we want to do this?
The FW rules are assigned to a VM no matter whether it is connected to a FwVM or not.
We may want to edit the firewall rules on a disconnected VM and then connect it to FwVM.

@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by joanna on 21 Mar 2011 21:22 UTC

  • I think we still want an option to allow/deny ICMP to/from a VM.
  • Ok, we might allow setting the FW rules for a VM no matter if it is currently connected or not to a proxyvm, but we should also display some warning that the rules will not be enforced until it gets connected to a proxyvm. This warning should be displayed in the editor dialog box every time the user opens this window for a VM that is not connected to a proxyvm.
Member

marmarek commented Mar 8, 2015

Comment by joanna on 21 Mar 2011 21:22 UTC

  • I think we still want an option to allow/deny ICMP to/from a VM.
  • Ok, we might allow setting the FW rules for a VM no matter if it is currently connected or not to a proxyvm, but we should also display some warning that the rules will not be enforced until it gets connected to a proxyvm. This warning should be displayed in the editor dialog box every time the user opens this window for a VM that is not connected to a proxyvm.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 21 Mar 2011 21:26 UTC

  • Yes. It's implemented. I just noted, that this requires core update. :)
  • OK. I will add a warning then.
Member

marmarek commented Mar 8, 2015

Comment by smoku on 21 Mar 2011 21:26 UTC

  • Yes. It's implemented. I just noted, that this requires core update. :)
  • OK. I will add a warning then.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 8, 2015

Member

Comment by smoku on 21 Mar 2011 21:37 UTC
Replying to joanna:

  • Ok, we might allow setting the FW rules for a VM no matter if it is currently connected or not to a proxyvm, but we should also display some warning that the rules will not be enforced until it gets connected to a proxyvm. This warning should be displayed in the editor dialog box every time the user opens this window for a VM that is not connected to a proxyvm.

Implemented in http://git.qubes-os.org/?p=smoku/qubes-manager;a=commit;h=e4e7d4eb997335949df8be9f31c68b325bc7ce45

Member

marmarek commented Mar 8, 2015

Comment by smoku on 21 Mar 2011 21:37 UTC
Replying to joanna:

  • Ok, we might allow setting the FW rules for a VM no matter if it is currently connected or not to a proxyvm, but we should also display some warning that the rules will not be enforced until it gets connected to a proxyvm. This warning should be displayed in the editor dialog box every time the user opens this window for a VM that is not connected to a proxyvm.

Implemented in http://git.qubes-os.org/?p=smoku/qubes-manager;a=commit;h=e4e7d4eb997335949df8be9f31c68b325bc7ce45

@marmarek marmarek closed this Mar 8, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment