/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Note in firewall settings that denying everything will not affect established connections #2731

Closed
starius opened this Issue Mar 27, 2017 · 8 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
6 participants
@starius @unman @andrewdavidwong @marmarek @cfcs @qubesos-bot
@starius

starius commented Mar 27, 2017

Qubes OS version (e.g., R3.2):

R3.2

Expected behavior:

When I choose "deny network access except..." without specifying the list of allowed targets, all current connections are dropped.

Actual behavior:

When I choose "deny network access except..." without specifying the list of allowed targets, a current connection continues working.

Steps to reproduce the behavior:

I created ProxyVM based on fedora-23 template and put an AppVM behind it. The ProxyVM had the default firewall rules (allow everything). I established SSH connection from the AppVM and then switched firewall in the ProxyVM to "deny network access except...". The SSH connection was still active, but I can't establish new SSH connections at that point.

Notes:

Current wording in the firewall configuration window is misleading. Either QubesOS should drop all current connections as well or put a big warning message saying that you have to restart all downstream VMs if you really want to block all network access.
@unman

This comment has been minimized.

Show comment
Hide comment
@unman

unman Mar 28, 2017

Member

Your expectations dont match mine.
This is pretty standard behaviour in stateful firewalls. Very few firewalls flush conntrack, so that existing connections are retained after rule changes.
Member

unman commented Mar 28, 2017

Your expectations dont match mine.
This is pretty standard behaviour in stateful firewalls. Very few firewalls flush conntrack, so that existing connections are retained after rule changes.

@andrewdavidwong andrewdavidwong added C: core C: qubes-manager labels Mar 28, 2017

@andrewdavidwong andrewdavidwong added this to the Release 3.2 updates milestone Mar 28, 2017

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Mar 28, 2017

Member

If @marmarek agrees with @unman's assessment, we'll close this as notanissue.

Notes:

  • The wording in the firewall config window is misleading only if the expectation is accurate.
  • This might be a candidate for an explanatory tooltip (#2211).
  • Setting the NetVM to none does seem to have the desired effect.
Member

andrewdavidwong commented Mar 28, 2017

If @marmarek agrees with @unman's assessment, we'll close this as notanissue.

Notes:

  • The wording in the firewall config window is misleading only if the expectation is accurate.
  • This might be a candidate for an explanatory tooltip (#2211).
  • Setting the NetVM to none does seem to have the desired effect.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Mar 28, 2017

Member

This is pretty standard behaviour in stateful firewalls.

This is true, but IMO it should be noted somewhere in the firewall settings. Not everyone configure firewalls daily.

A side note: it is possible to write firewall rules to avoid this effect, at a cost of additional overhead for rules processing (so - every packet passing through firewall). Basically put --ctstate ESTABLISHED -j ACCEPT rule at the end, instead of the beginning. It does not require flushing conntrack on firewall reload (which would interrupt all established connections).
Member

marmarek commented Mar 28, 2017

This is pretty standard behaviour in stateful firewalls.

This is true, but IMO it should be noted somewhere in the firewall settings. Not everyone configure firewalls daily.

A side note: it is possible to write firewall rules to avoid this effect, at a cost of additional overhead for rules processing (so - every packet passing through firewall). Basically put --ctstate ESTABLISHED -j ACCEPT rule at the end, instead of the beginning. It does not require flushing conntrack on firewall reload (which would interrupt all established connections).

@andrewdavidwong andrewdavidwong added enhancement UX and removed C: core labels Mar 28, 2017

@andrewdavidwong andrewdavidwong modified the milestones: Release 4.0, Release 3.2 updates Mar 28, 2017

@andrewdavidwong andrewdavidwong changed the title from Denying everything in firewall rules does not affect established connections to Note in firewall settings that denying everything will not affect established connections Apr 10, 2017

marmarta added a commit to marmarta/qubes-manager that referenced this issue Nov 17, 2017

@marmarta
Added tooltip to better explain firewall settings 
Added a tooltip clarifying that changing firewall settings does not
affect existing connections.

fixes QubesOS/qubes-issues#2731
Verified
This commit was signed with a verified signature.
@marmarta marmarta Marta Marczykowska-Górecka
GPG key ID: 9A752C30B26FD04B Learn about signing commits
4d4af65

@marmarta marmarta referenced this issue in QubesOS/qubes-manager Nov 17, 2017

Merged

Added tooltip to better explain firewall settings #49

@marmarek marmarek closed this in marmarek/qubes-manager@d766011 Nov 20, 2017

@cfcs

This comment has been minimized.

Show comment
Hide comment
@cfcs

cfcs Nov 20, 2017

I agree with @starius that the "expected behaviour" should also the desired behaviour.
Otherwise people will get frustrated trying to block something while it appears to have no effect.

When would you want to add a rule you don't want to take effect immediately? Why not just add it later?

IMHO the fact that existing firewall systems have retarded configuration interfaces should not get in the way of making the Qubes UI reliable and consistent.

cfcs commented Nov 20, 2017

I agree with @starius that the "expected behaviour" should also the desired behaviour.
Otherwise people will get frustrated trying to block something while it appears to have no effect.

When would you want to add a rule you don't want to take effect immediately? Why not just add it later?

IMHO the fact that existing firewall systems have retarded configuration interfaces should not get in the way of making the Qubes UI reliable and consistent.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Nov 20, 2017

Member

Updated UI have (in addition) hint that if you want to isolate VM from the network completely, better set netvm to none.
Member

marmarek commented Nov 20, 2017
edited
Edited 1 time
  • @marmarek marmarek edited Nov 20, 2017 (most recent)

Updated UI have (in addition) hint that if you want to isolate VM from the network completely, better set netvm to none.
@cfcs

This comment has been minimized.

Show comment
Hide comment
@cfcs

cfcs Nov 20, 2017

@marmarek yes, but I believe that if you want to restrict it to x, y, and z only and there's still connections to a and b after you've set this rule, that is counter-intuitive.

cfcs commented Nov 20, 2017

@marmarek yes, but I believe that if you want to restrict it to x, y, and z only and there's still connections to a and b after you've set this rule, that is counter-intuitive.
@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Nov 21, 2017

Automated announcement from builder-github

The package qubes-manager-4.0.9-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented Nov 21, 2017

Automated announcement from builder-github

The package qubes-manager-4.0.9-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-dom0-cur-test label Nov 21, 2017

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Nov 21, 2017

Closed

manager v4.0.9 (r4.0) #307

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Dec 11, 2017

Automated announcement from builder-github

The package qubes-manager-4.0.9-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

qubesos-bot commented Dec 11, 2017

Automated announcement from builder-github

The package qubes-manager-4.0.9-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-dom0-stable and removed r4.0-dom0-cur-test labels Dec 11, 2017

@marmarek marmarek referenced this issue Jul 26, 2018

Open

Changing firewall rules does not block already-established connections #4141

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment